• PuTTY 0.71 is released

    From Simon Tatham@21:1/5 to All on Sat Mar 16 17:03:31 2019
    PuTTY version 0.71 is released
    ------------------------------

    All the pre-built binaries, and the source code, are now available
    from the PuTTY website at

    https://www.chiark.greenend.org.uk/~sgtatham/putty/

    This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
    soon as possible.

    This release fixes multiple security vulnerabilities. Most were found
    by contributors to a HackerOne bug bounty programme funded by the EU.
    Thanks to everybody who reported bugs, to HackerOne for organising it,
    and to the EU for the funding!

    Vulnerabilities fixed in this release include:

    - A malicious server could trigger a buffer overrun by abusing the
    RSA key exchange protocol. This would happen before host key
    verification, so even if you trust the server you *intended* to
    connect to, you would still be at risk.

    - A malicious server could trigger a buffer overflow in Unix PuTTY by
    opening a very large number of port forwardings.

    - A malicious program able to write to the server-side terminal could
    deny service to the rest of the SSH session, by making PuTTY's
    terminal emulation code fail an assertion in at least two different
    ways, or by making it consume large amounts of memory and CPU.

    - Windows builds of PuTTY were vulnerable to hijacking if an attacker
    could arrange to drop a malicious Windows help file (.chm) in the
    same directory. Running PuTTY directly out of your browser's
    download directory, for example, might make this possible.

    Other security-related improvements:

    - The cryptography code has been substantially rewritten to eliminate
    cache and timing side channels.

    - PuTTY has a new system for making legitimate authentication prompts
    distinguishable from fakes sent by the server (e.g. to try to trick
    you into sending information like private key passphrases over the
    wire). This involves displaying 'trust sigils' (in the form of the
    PuTTY icon) on lines of the terminal window that contain data
    originated by PuTTY itself, and a precautionary prompt before
    starting the main login session when using Plink interactively.
    (That prompt can be turned off if it's an inconvenience.)

    - By default, PuTTY now sanitises control characters out of data
    pasted into the terminal data; output sent to standard error by the
    server in Plink, PSCP and PSFTP; and filenames transmitted from the
    server by PSCP and PSFTP.

    Other improvements:

    - We now provide builds of PuTTY for Windows on Arm, as well as for
    x86-64 and x86 Windows.

    - The GTK version of PuTTY now runs on non-X11 displays like Wayland,
    and understands high-DPI configurations.

    - You can now type ahead in a PuTTY window as soon as it opens, and
    your keystrokes will no longer be discarded. Instead, PuTTY will
    buffer them until either the login prompts or the main server
    session can use them.

    - PuTTY implements hardware-accelerated versions of the AES, SHA-256,
    and SHA-1 cryptographic functions, on both x86 and Arm platforms.

    - SSH user authentication prompts and banner messages are now allowed
    to contain printable characters outside US-ASCII.

    - PuTTY now supports Kerberos authentication via GSSAPI key exchange
    as an alternative to the previous GSSAPI user authentication
    system. This allows a Kerberos ticket forwarded to the SSH server
    to be kept up to date during a long-running SSH session.

    - Richer colour support in the terminal emulator: it now supports
    true colour, dim text via the SGR 2 sequence, and a query sequence
    that lets a server find out how many colours the terminal provides.

    - The terminal now supports the REP escape sequence to print the same
    character many times, which up-to-date versions of ncurses expect.

    - The terminal has more flexible clipboard / selection handling. You
    can now configure PuTTY not to automatically copy text to the
    clipboard as soon as you select it (i.e. to behave more like a
    normal Windows program). In the GTK version, you can configure
    which of the system clipboards PuTTY uses, or even configure
    different copy/paste keys to access different clipboards.

    - Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you straight
    to the top or bottom of the terminal scrollback.

    Enjoy using PuTTY!

    --
    for k in [pow(x,37,0x1a1298d262b49c895d47f) for x in [0x50deb914257022de7fff, 0x213558f2215127d5a2d1, 0x90c99e86d08b91218630, 0x109f3d0cfbf640c0beee7, 0xc83e01379a5fbec5fdd1, 0x19d3d70a8d567e388600e, 0x534e2f6e8a4a33155123]]:
     print("".join([chr(32+3*((k>>x)&1))for x in range(79)])) # <anakin@pobox.com>
