Two security issues have been fixed upstream in PuTTY 0.64:
http://openwall.com/lists/oss-security/2015/02/27/4
http://openwall.com/lists/oss-security/2015/02/28/4

CVE-2015-2157 has been assigned for the second issue:
http://openwall.com/lists/oss-security/2015/02/28/5

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
submitted for mga4 and committed for cauldron.
CC: (none) => oe
Thanks Oden. I sent a freeze push request.
Note. putty is also in filezilla. looking at that now.
Indeed. Thanks Oden.
FileZilla_3.10.2 has putty 0.64 FYI. The devs at #filezilla said you can verify that in the src/putty/MERGEREVISION file in the repository. I have no idea how CVE-2015-2157 may or may not affect filezilla. Anyways, I bumped to FileZilla_3.10.2 for mga4 and cauldron. Cheers.
Argh. On mga4 I get:
checking for wxWidgets version >= 3.0.2 (--unicode=yes --universal=no)... no (version 2.8.12 is not new enough)
Used plan B and took putty 0.64 from FileZilla_3.10.2 to replace the one in FileZilla_3.7.3.
filezilla-3.7.3-2.1.mga4 built fine.
Filezilla 3.10.2 also didn't build in Cauldron because we don't have wxgtk 3.0.2 there yet (we have 3.0.1). 3.0.2 is a bugfix release, so we could update it, or you could update the bundled PuTTY in the existing Filezilla version like you did for the Mageia 4 update.
Filezilla 3.10.2 now builds for mga4 and cauldron. Someone has to submit filezilla for cauldron.
Tested filezilla-3.7.3-2.1 on Mageia 4 64-bits. I do not know whether I am supposed to test something specific. If not, up to now, everything works fine.
CC: (none) => olivier.delaune
(In reply to Olivier Delaune from comment #11)
> Tested filezilla-3.7.3-2.1 on Mageia 4 64-bits. I do not know whether I am
> supposed to test something specific. If not, up to now, everything works
> fine.

One of the filezilla developers said I could not do as I did in filezilla-3.7.3-2.1, so I fixed it so that filezilla-3.10.2 builds for mga4. Please test that version instead.
wxgtk 3.0.2 update for Cauldron committed in SVN. Freeze push requests sent for wxgtk and filezilla.
I installed and tested filezilla-3.10.2-1. Everything works fine up to now.
Oops, forgot to mention that I tested on Mageia 4 64-bits.
Updates pushed for Cauldron. Olivier, have you tested the putty update in Mageia 4 updates_testing?
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Updated packages to test are:
putty-0.64-1.mga4
filezilla-3.10.2-1.mga4

Advisory to come...
CC: (none) => mageia
Assignee: mageia => qa-bugs
(In reply to David Walser from comment #16)
> Updates pushed for Cauldron.
>
> Olivier, have you tested the putty update in Mageia 4 updates_testing?

No I did not. I do not use putty so I do not know how to test it. I only tested filezilla.
Upstream has argued that MATTA-2015-002 isn't a security issue, but they fixed it anyway:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/diffie-hellman-range-check.html

Advisory:
========================

Updated putty and filezilla packages fix security vulnerability:

PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted form, and is present in PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen (CVE-2015-2157).

The putty package has been updated to version 0.64, fixing this and other issues. The filezilla package, which contains a bundled version of PuTTY, has also been updated, to version 3.10.2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2157
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
http://openwall.com/lists/oss-security/2015/02/28/4
https://filezilla-project.org/newsfeed.php
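As an added illustration of the defect class the advisory describes (private key bytes left behind in memory after a key file is loaded), and not code from PuTTY, FileZilla or Mageia: a toy key loader in C with a leaky variant beside a hardened one. The hardened loader wipes its scratch buffer on every exit path, including the malformed-input path, through a volatile function pointer so the compiler cannot drop the dead store. The key-file layout, the key_scratch_t buffer, the fnv1a32 stand-in fingerprint and the sample key bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 64

/* Scratch area standing in for the buffer a key loader decrypts a key file
   into (constructed for the example). The caller owns it so the contents can be
   inspected after the load returns. */
typedef struct {
    unsigned char buf[SCRATCH_LEN];
    size_t used;
} key_scratch_t;

/* A plain memset() on a buffer that is never read again is a dead store and an
   optimizer may remove it. Calling memset through a volatile function pointer
   forces the write to be emitted (same idea as explicit_bzero()). */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    wipe_fn(p, 0, n);
}

int buffer_is_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Stand-in fingerprint (32-bit FNV-1a, not a cryptographic hash) so that the
   loader returns something derived from the key. */
uint32_t fnv1a32(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Toy key-file layout (an assumption, not PuTTY's .ppk format):
   4-byte big-endian key length followed by the key bytes. */
static int parse_key_len(const unsigned char *file, size_t file_len, size_t *key_len) {
    if (file_len < 4) return -1;
    *key_len = ((size_t)file[0] << 24) | ((size_t)file[1] << 16) |
               ((size_t)file[2] << 8) | (size_t)file[3];
    if (*key_len > SCRATCH_LEN || *key_len > file_len - 4) return -1;
    return 0;
}

/* Leaky loader: key bytes are copied into scratch and left there after return,
   which is the pattern the advisory warns about. Returns 0 or -1. */
int load_private_key_leaky(const unsigned char *file, size_t file_len,
                           key_scratch_t *s, uint32_t *fp) {
    size_t n;
    if (parse_key_len(file, file_len, &n) != 0) return -1;
    memcpy(s->buf, file + 4, n);
    s->used = n;
    *fp = fnv1a32(s->buf, n);
    return 0;
}

/* Hardened loader: one exit path, and that path wipes the whole scratch area
   whether the load succeeded or the input was rejected. */
int load_private_key_wiped(const unsigned char *file, size_t file_len,
                           key_scratch_t *s, uint32_t *fp) {
    size_t n;
    int rc = -1;
    if (parse_key_len(file, file_len, &n) != 0) goto out;
    memcpy(s->buf, file + 4, n);
    s->used = n;
    *fp = fnv1a32(s->buf, n);
    rc = 0;
out:
    secure_wipe(s->buf, sizeof s->buf);
    s->used = 0;
    return rc;
}

/* Constructed sample key file: 16 arbitrary key bytes, not a real key. */
const unsigned char sample_keyfile[] = {
    0x00, 0x00, 0x00, 0x10,
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
    0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c
};

int main(void) {
    key_scratch_t s;
    uint32_t fp = 0;

    memset(&s, 0xaa, sizeof s);
    load_private_key_leaky(sample_keyfile, sizeof sample_keyfile, &s, &fp);
    printf("leaky:    fp=%08x scratch zero after load: %d\n", fp, buffer_is_zero(s.buf, sizeof s.buf));

    memset(&s, 0xaa, sizeof s);
    load_private_key_wiped(sample_keyfile, sizeof sample_keyfile, &s, &fp);
    printf("hardened: fp=%08x scratch zero after load: %d\n", fp, buffer_is_zero(s.buf, sizeof s.buf));
    return 0;
}
```

The two loaders return the same fingerprint; the difference is only what is left in the caller's buffer afterwards. The same wipe-on-every-path discipline applies to the file-read buffer and any decryption buffer in a real loader, which is why the advisory notes that both encrypted and unencrypted key files were affected.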
(In reply to Olivier Delaune from comment #18)
> (In reply to David Walser from comment #16)
> > Updates pushed for Cauldron.
> >
> > Olivier, have you tested the putty update in Mageia 4 updates_testing?
>
> No I did not. I do not use putty so I do not know how to test it. I only tested
> filezilla.

PuTTY is just a graphical SSH client, it's easy to test if you're willing to give it a go...
Tested mga4_64. Testing complete for putty-0.64-1.mga4 and filezilla-3.10.2-1.mga4, all seems to work properly. No regression found.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA4-64-OK
Tested mga4_32. Testing complete for putty-0.64-1.mga4 and filezilla-3.10.2-1.mga4, all seems to work properly. No regression found.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded from comment 19 with srpms from comment 17.

Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0098.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/635992/