CVE-2019-6109 (https://nvd.nist.gov/vuln/detail/CVE-2019-6109): scp client spoofing via object name CVE-2019-6110 (https://nvd.nist.gov/vuln/detail/CVE-2019-6110): scp client spoofing via stderr
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f1f0773d84491b9b51c86d1b9e45a8b970bffd commit c9f1f0773d84491b9b51c86d1b9e45a8b970bffd Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2019-03-17 23:33:27 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2019-03-17 23:35:40 +0000 net-misc/putty: Version 0.71 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524 Signed-off-by: Jeroen Roovers <jer@gentoo.org> net-misc/putty/Manifest | 1 + net-misc/putty/putty-0.71.ebuild | 90 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+)
Just for completeness, there seem to be many more vuln fixes in this version: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Security fixes found by an EU-funded bug bounty programme: a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification potential recycling of random numbers used in cryptography on Windows, hijacking by a malicious help file in the same directory as the executable on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding multiple denial-of-service attacks that can be triggered by writing to the terminal Particularly the first one sounds severe
@jer if it is fine to stabilize, please CC arches. Thanks
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b0fab72e164d096b3f5e01dd6a5c4b2affa139 commit f7b0fab72e164d096b3f5e01dd6a5c4b2affa139 Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2019-03-26 07:52:57 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2019-03-26 07:54:37 +0000 net-misc/putty: Replace no-gssapi patch after upstream review Package-Manager: Portage-2.3.62, Repoman-2.3.12 Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524 Bug: https://bugs.gentoo.org/show_bug.cgi?id=680818 Signed-off-by: Jeroen Roovers <jer@gentoo.org> net-misc/putty/files/putty-0.71-no-gssapi.patch | 190 ++++++++++++--------- .../{putty-0.71-r1.ebuild => putty-0.71-r2.ebuild} | 0 2 files changed, 108 insertions(+), 82 deletions(-)
0.71-r2 should be fine.
@arches, please stabilize.
x86 stable
amd64 stable
sparc stable
hppa stable
ppc64 stable
ppc stable
alpha stable
@maintainer, please drop vulnerable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87550bf16cbadc85e630077e93a72e23e862b911 commit 87550bf16cbadc85e630077e93a72e23e862b911 Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2019-04-08 16:02:05 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2019-04-08 16:02:30 +0000 net-misc/putty: Old Package-Manager: Portage-2.3.62, Repoman-2.3.12 Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524 Signed-off-by: Jeroen Roovers <jer@gentoo.org> net-misc/putty/Manifest | 1 - net-misc/putty/putty-0.68.ebuild | 90 ---------------------------------------- 2 files changed, 91 deletions(-)
(In reply to Larry the Git Cow from comment #15) > The bug has been referenced in the following commit(s): > > https://gitweb.gentoo.org/repo/gentoo.git/commit/ > ?id=87550bf16cbadc85e630077e93a72e23e862b911 > > commit 87550bf16cbadc85e630077e93a72e23e862b911 > Author: Jeroen Roovers <jer@gentoo.org> > AuthorDate: 2019-04-08 16:02:05 +0000 > Commit: Jeroen Roovers <jer@gentoo.org> > CommitDate: 2019-04-08 16:02:30 +0000 > > net-misc/putty: Old > > Package-Manager: Portage-2.3.62, Repoman-2.3.12 > Bug: https://bugs.gentoo.org/show_bug.cgi?id=675524 > Signed-off-by: Jeroen Roovers <jer@gentoo.org> > > net-misc/putty/Manifest | 1 - > net-misc/putty/putty-0.68.ebuild | 90 > ---------------------------------------- > 2 files changed, 91 deletions(-) Thanks!