Upstream has issued an advisory on November 7: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html The issue is fixed upstream in version 0.66. Götz updated it in Cauldron. Reproducible: Steps to Reproduce:
PuTTY 0.66 build uploaded for Mageia 5. I'm reminded that FileZilla also embeds a PuTTY, so that needs to be updated to a version that has PuTTY 0.66 as well. It doesn't look like one has been released yet. I'll clone this bug for filezilla. Advisory: ======================== Updated putty package fixes security vulnerability: Versions of PuTTY 0.54 and 0.65 inclusive have a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator (CVE-2015-5309). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5309 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html ======================== Updated packages in core/updates_testing: ======================== putty-0.66-1.mga5 from putty-0.66-1.mga5.src.rpm
CC: (none) => geiger.david68210, goetz.waschkAssignee: goetz.waschk => qa-bugs
In VirtualBox, M5, KDE, 32-bit Package(s) under test: putty default install of putty [root@localhost wilcal]# urpmi putty Package putty-0.64-1.mga5.i586 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Rasberry Pi at 192.168.1.18 install putty from updates_testing [root@localhost wilcal]# urpmi putty Package putty-0.66-1.mga5.i586 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Rasberry Pi at 192.168.1.18
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: putty default install of putty [root@localhost wilcal]# urpmi putty Package putty-0.64-1.mga5.x86_64 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Raspberry Pi at 192.168.1.18 install putty from updates_testing [root@localhost wilcal]# urpmi putty Package putty-0.66-1.mga5.x86_64 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Raspberry Pi at 192.168.1.18
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OKCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0442.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/664043/