putty: Observable Discrepancy leading to an information leak in the algorithm negotiation (CVE-2020-14002)

PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

Fixed In Version:

putty 0.74

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2020-14002

Patch:

https://git.tartarus.org/?p=simon/putty.git;a=commit;h=08f1e2a5066ea95559945af339a60ca14560d764

Affected branches:

Edited Oct 19, 2020 by Natanael Copa

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information