Summary: | <net-misc/putty-0.71: multiple vulnerabilities (CVE-2019-{6109,6110}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | jer, moonlapse81 |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | =net-misc/putty-0.71-r2 | ||
Runtime testing required: | --- |
Bug Depends on: | 680818, 680862 | ||
Bug Blocks: | 675526 |
Description
GLSAMaker/CVETool Bot
2019-01-15 17:53:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f1f0773d84491b9b51c86d1b9e45a8b970bffd

commit c9f1f0773d84491b9b51c86d1b9e45a8b970bffd
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-17 23:33:27 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-17 23:35:40 +0000

net-misc/putty: Version 0.71

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-misc/putty/Manifest | 1 +
net-misc/putty/putty-0.71.ebuild | 90 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)

Just for completeness, there seem to be many more vuln fixes in this version:

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Security fixes found by an EU-funded bug bounty programme:
- a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
- potential recycling of random numbers used in cryptography
- on Windows, hijacking by a malicious help file in the same directory as the executable
- on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
- multiple denial-of-service attacks that can be triggered by writing to the terminal

Particularly the first one sounds severe

@jer if it is fine to stabilize, please CC arches. Thanks

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b0fab72e164d096b3f5e01dd6a5c4b2affa139

commit f7b0fab72e164d096b3f5e01dd6a5c4b2affa139
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-03-26 07:52:57 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-03-26 07:54:37 +0000

net-misc/putty: Replace no-gssapi patch after upstream review

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
Bug: https://bugs.gentoo.org/show_bug.cgi?id=680818
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-misc/putty/files/putty-0.71-no-gssapi.patch | 190 ++++++++++++---------
.../{putty-0.71-r1.ebuild => putty-0.71-r2.ebuild} | 0
2 files changed, 108 insertions(+), 82 deletions(-)

0.71-r2 should be fine.

@arches, please stabilize.

x86 stable

amd64 stable

sparc stable

hppa stable

ppc64 stable

ppc stable

alpha stable

@maintainer, please drop vulnerable.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87550bf16cbadc85e630077e93a72e23e862b911

commit 87550bf16cbadc85e630077e93a72e23e862b911
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-04-08 16:02:05 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-04-08 16:02:30 +0000

net-misc/putty: Old

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-misc/putty/Manifest | 1 -
net-misc/putty/putty-0.68.ebuild | 90 ----------------------------------------
2 files changed, 91 deletions(-)

(In reply to Larry the Git Cow from comment #15)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87550bf16cbadc85e630077e93a72e23e862b911
>
> commit 87550bf16cbadc85e630077e93a72e23e862b911
> Author: Jeroen Roovers <jer@gentoo.org>
> AuthorDate: 2019-04-08 16:02:05 +0000
> Commit: Jeroen Roovers <jer@gentoo.org>
> CommitDate: 2019-04-08 16:02:30 +0000
>
> net-misc/putty: Old
>
> Package-Manager: Portage-2.3.62, Repoman-2.3.12
> Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524
> Signed-off-by: Jeroen Roovers <jer@gentoo.org>
>
> net-misc/putty/Manifest | 1 -
> net-misc/putty/putty-0.68.ebuild | 90 ----------------------------------------
> 2 files changed, 91 deletions(-)

Thanks!