Putty security updates

From ScientificComputing
Revision as of 10:07, 19 March 2019 by Sfux (talk | contribs)

Jump to: navigation, search

Introduction

We would like to inform cluster users, that are using the PuTTY SSH client that there are is a new release, which fixes a number of security issues that were found in a bug bounty program. Please note that we cannot provide any support for updating PuTTY on your computer as we don't provide desktop support. If you are using PuTTY, then please update to the new release 0.71.

You can download PuTTY 0.71 from the following website.

PuTTY 0.71 changelog

Please find below the changelog of the new PuTTY version from https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

  • Security fixes found by an EU-funded bug bounty programme:
    • a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
    • potential recycling of random numbers used in cryptography
    • on Windows, hijacking by a malicious help file in the same directory as the executable
    • on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
    • multiple denial-of-service attacks that can be triggered by writing to the terminal
  • Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
  • User interface changes to protect against fake authentication prompts from a malicious server.
  • We now provide pre-built binaries for Windows on Arm.
  • Hardware-accelerated versions of the most common cryptographic primitives: AES, SHA-256, SHA-1.
  • GTK PuTTY now supports non-X11 displays (e.g. Wayland) and high-DPI configurations.
  • Type-ahead now works as soon as a PuTTY window is opened: keystrokes typed before authentication has finished will be buffered instead of being dropped.
  • Support for GSSAPI key exchange: an alternative to the older GSSAPI authentication system which can keep your forwarded Kerberos credentials updated during a long session.
  • More choices of user interface for clipboard handling.
  • New terminal features: support the REP escape sequence (fixing an ncurses screen redraw failure), true colour, and SGR 2 dim text.
  • Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you straight to the top or bottom of the terminal scrollback.