[3.6] putty: Multiple vulnerabilities (CVE-2019-9894, CVE-2019-9895, CVE-2019-9897, CVE-2019-9898)
CVE-2019-9894: A remotely triggerable memory overwrite in RSA key
exchange in
PuTTY before 0.71 can occur before host key verification.
Fixed In Version:
putty 0.71
References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9894
Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d82854999516046122501b2e145099740ed0284f
CVE-2019-9895: In PuTTY versions before 0.71 on Unix, a remotely
triggerable
buffer overflow exists in any kind of server-to-client forwarding.
Fixed In Version:
putty 0.71
References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9895
Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5c926d9ea4a9e0a0a2384f06c7583648cdff3ed6
CVE-2019-9897: Multiple denial-of-service attacks that can be
triggered by writing
to the terminal exist in PuTTY versions before 0.71.
Fixed In Version:
putty 0.71
References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://security-tracker.debian.org/tracker/CVE-2019-9897
Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=da1c8f15b1bc14c855f0027cf06ba7f1a9c36f3c
CVE-2019-9898: Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.
Fixed In Version:
putty 0.71
References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rng-reuse.html
Patch:
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=320bf8479ff5bcbad239db4f9f4aa63656b0675e
(from redmine: issue id 10197, created on 2019-04-04, closed on 2019-04-15)
- Relations:
- parent #10192 (closed)
- Changesets:
- Revision 5ff69c33 on 2019-04-08T12:40:10Z:
main/putty: security upgrade to 0.71
CVE-2019-9894, CVE-2019-9895, CVE-2019-9897, CVE-2019-9898
Fixes #10197
Update license, disable check