Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 801517 (CVE-2021-36367) - <net-misc/putty-0.76: malicious server prompt spoofing (CVE-2021-36367)
Summary: <net-misc/putty-0.76: malicious server prompt spoofing (CVE-2021-36367)
Status: IN_PROGRESS
Alias: CVE-2021-36367
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://git.tartarus.org/?p=simon/put...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-11 02:48 UTC by John Helmert III
Modified: 2021-07-26 07:26 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/putty-0.76
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-07-11 02:48:55 UTC
CVE-2021-36367:

PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).
Comment 1 Larry the Git Cow gentoo-dev 2021-07-17 18:25:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc1ef8f35eaf642458b997fe736f7a02dc7659c1

commit fc1ef8f35eaf642458b997fe736f7a02dc7659c1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-07-17 18:23:06 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-07-17 18:25:01 +0000

    net-misc/putty: Security bump to version 0.76
    
    Bug: https://bugs.gentoo.org/801517
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/putty/Manifest          |  1 +
 net-misc/putty/putty-0.76.ebuild | 95 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2021-07-18 06:33:32 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2021-07-18 06:34:32 UTC
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2021-07-18 06:36:05 UTC
x86 stable
Comment 5 Sam James archtester gentoo-dev Security 2021-07-26 02:14:11 UTC
ppc done
Comment 6 Sam James archtester gentoo-dev Security 2021-07-26 04:36:50 UTC
ppc64 done

all arches done
Comment 7 Sam James archtester gentoo-dev Security 2021-07-26 06:10:38 UTC
Please cleanup, thanks!
Comment 8 Larry the Git Cow gentoo-dev 2021-07-26 06:59:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c4567e7f8b564ed5da6a6b4da9fb443e4859a49

commit 4c4567e7f8b564ed5da6a6b4da9fb443e4859a49
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-07-26 06:59:12 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-07-26 06:59:32 +0000

    net-misc/putty: Security cleanup
    
    Bug: https://bugs.gentoo.org/801517
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/putty/Manifest          |  1 -
 net-misc/putty/putty-0.75.ebuild | 95 ----------------------------------------
 2 files changed, 96 deletions(-)