Re: [Nolug] PuTTY SSH client vulnerability (fwd)

From: Jeremy (mailing list box) <listbox_at_unix-boy.com>
Date: Wed, 27 Oct 2004 23:54:44 -0500
Message-ID: <41807B94.1060108@unix-boy.com>

Brad Bendily wrote:
> FYI: This notice comes from the Bugtraq list.
>
> From http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
> ======================================================================
>
> 2004-10-26 ANOTHER SECURITY HOLE, fixed in PuTTY 0.56
>
> PuTTY 0.56, released today, fixes a serious security hole which can
> allow a server to execute code of its choice on a PuTTY client
> connecting to it. In SSH2, the attack can be performed before host key
> verification, meaning that even if you trust the server you think you
> are connecting to, a different machine could be impersonating it and
> could launch the attack before you could tell the difference. We
> recommend everybody upgrade to 0.56 as soon as possible.
>
> That's two really bad holes in three months. I'd like to apologise to
> all our users for the inconvenience.
>
> ======================================================================
>

Thanks for the heads up there... I'll need to make sure that rsync on
my PuTTY mirror grabbed the newest version.

Jeremy
___________________
Nolug mailing list
nolug@nolug.org
Received on 10/28/04
