Bug 59383

Summary:	net-misc/putty: server can execute arbitrary code on connecting putty clients
Product:	Gentoo Security	Reporter:	Carsten Lohrke (RETIRED) <carlo>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	taviso
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---

Description Carsten Lohrke (RETIRED) gentoo-dev

2004-08-04 04:53:52 UTC

PuTTY 0.55, released today, fixes a serious security hole which may allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.55 as soon as possible.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-08-04 08:08:59 UTC

Travis : please bump putty to version 0.55

Comment 2 Tavis Ormandy (RETIRED) gentoo-dev

2004-08-04 09:20:15 UTC

bumped as requested, old ebuilds removed.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2004-08-04 10:20:10 UTC

Ready for a GLSA

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-05 02:03:45 UTC

GLSA drafted : security please review.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-05 05:12:56 UTC

GLSA-200408-04