Wednesday, March 20, 2019

Update your PuTTY to 0.71 (Security Update)

In January, an EU-funded bug bounty was launched to find bugs and security flaws in PuTTY. The programme found major security flaws, and an update to PuTTY has been released based on those findings.

 

Download: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

 

Changes detailed: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

 

These features are new in 0.71 (released 2019-03-16):

* Security fixes found by an EU-funded bug bounty programme:
  * a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
  * potential recycling of random numbers used in cryptography
  * on Windows, hijacking by a malicious help file in the same directory as the executable
  * on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
  * multiple denial-of-service attacks that can be triggered by writing to the terminal
* Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
* User interface changes to protect against fake authentication prompts from a malicious server.
* We now provide pre-built binaries for Windows on Arm.
* Hardware-accelerated versions of the most common cryptographic primitives: AES, SHA-256, SHA-1.
* GTK PuTTY now supports non-X11 displays (e.g. Wayland) and high-DPI configurations.
* Type-ahead now works as soon as a PuTTY window is opened: keystrokes typed before authentication has finished will be buffered instead of being dropped.
* Support for GSSAPI key exchange: an alternative to the older GSSAPI authentication system which can keep your forwarded Kerberos credentials updated during a long session.
* More choices of user interface for clipboard handling.
* New terminal features: support the REP escape sequence (fixing an ncurses screen redraw failure), true colour, and SGR 2 dim text.
* Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you straight to the top or bottom of the terminal scrollback.

 

I'd highly recommend you update your version today.


