| Summary: | PuTTY 0.73 security update (fixes CVE-2019-17068 and CVE-2019-17069) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, geiger.david68210, herman.viaene, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-32-OK MGA7-64-OK | | |
| Source RPM: | putty-0.71-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 25932 | | |

Description
David Walser
2019-11-26 20:15:55 CET
Done for putty 0.73! But it seems that filezilla has not yet updated their bundled putty.
https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/?view=log

CC: (none) => geiger.david68210

Thank you DavidG for jumping in immediately (again!); may I assign this to you as you have already dealt with it?

Assignee: bugsquad => geiger.david68210

putty-0.73-1.mga7 is the update that was submitted. I guess we can wait on FZ.

openSUSE has issued an advisory on October 7:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00047.html

This is the PuTTY 0.73 update. Hopefully Filezilla will update theirs soon.

Severity: normal => major

FileZilla update with bundled PuTTY 0.73 in Bug 25932. QA can test this one too. I still need advisories for both.

Assignee: geiger.david68210 => qa-bugs

That bug is for filezilla, Herman. It has a bundled PuTTY.

MGA7-32bit
I installed Putty 0.73 on i586-kde VM.
$ putty -v
gives me a setup screen, click on about and it confirms 0.73
Remoted into a local server
$ putty xxx.xxx.xxx.xxx
I was able to get into the remote server and navigate. Working as designed.

Whiteboard: (none) => MGA7-32-OK

MGA7-64 - Xfce desktop
I installed Putty 7.3
It works, but at the command prompt when running a screen it throws this message.
(putty:3169): Gtk-WARNING **: 11:38:44.898: Theme parsing error: gtk.css:5957:26: 'text-shadow' is not a valid color name
The tool itself works so I don't really care about the messages, but it could annoy some people. Up to the team if they fix this or not. Giving it an it works.

Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK

Validating.

Keywords: (none) => validated_update

Advisory:
========================

Updated putty package fixes security vulnerabilities:

Two separate vulnerabilities affecting the obsolete SSH-1 protocol, both available before host key checking.

Vulnerability in all the SSH client tools (PuTTY, Plink, PSFTP, and PSCP) if a malicious program can impersonate Pageant.

Crash in GSSAPI / Kerberos key exchange triggered if the server provided an ordinary SSH host key as part of the exchange.

Insufficient handling of terminal escape sequences, that should delimit the pasted data in bracketed paste mode (CVE-2019-17068).

Possible information leak caused by SSH-1 disconnection messages (CVE-2019-17069).

The putty package has been updated to version 0.73, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17069
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://lists.opensuse.org/opensuse-updates/2019-08/msg00170.html
https://lists.opensuse.org/opensuse-updates/2019-10/msg00047.html

Thomas Backlund
2020-01-05 12:35:41 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0003.html

Resolution: (none) => FIXED