Upstream has issued an advisory on March 5: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html The issue is fixed upstream in version 0.67. Götz updated it in Cauldron. Updated package checked into Mageia 5 SVN. It is having a strange build error right now, so we'll have to assign it to QA later when we can get it to build. Assigning to Götz for now. Advisory for the update is below. There will need to be a filezilla update (it bundles putty), but upstream hasn't made an update for this yet. Advisory: ======================== Updated putty package fixes security vulnerability: Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol. In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file (CVE-2016-2563). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html ======================== Updated packages in core/updates_testing: ======================== putty-0.67-1.mga5 from putty-0.67-1.mga5.src.rpm
It triggers a bug in halibut, so we can either backport halibut 1.1 with this update or don't build the docs in the mga5 update.
Thanks! Updating halibut is fine, I'll do that.
Advisory: ======================== Updated putty package fixes security vulnerability: Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol. In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file (CVE-2016-2563). The putty package has been updated to version 0.67 to fix this issue and a few other bugs. The halibut package has been updated to version 1.1 to build the documentation. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html ======================== Updated packages in core/updates_testing: ======================== halibut-1.1-2.mga5 vim-halibut-1.1-2.mga5 putty-0.67-1.mga5 from SRPMS: halibut-1.1-2.mga5.src.rpm putty-0.67-1.mga5.src.rpm
Assignee: goetz.waschk => qa-bugs
In VirtualBox, M5, KDE, 32-bit Package(s) under test: putty default install of putty [root@localhost wilcal]# urpmi putty Package putty-0.66-1.mga5.i586 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Rasberry Pi at 192.168.1.18 install putty from updates_testing [root@localhost wilcal]# urpmi putty Package putty-0.67-1.mga5.i586 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Rasberry Pi at 192.168.1.18
CC: (none) => wilcal.intWhiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: putty default install of putty [root@localhost wilcal]# urpmi putty Package putty-0.66-1.mga5.x86_64 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Raspberry Pi at 192.168.1.18 install putty from updates_testing [root@localhost wilcal]# urpmi putty Package putty-0.67-1.mga5.x86_64 is already installed I can use putty to get into my server at 192.168.1.2 I can use putty to get into my Raspberry Pi at 192.168.1.18
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Well done Bill. Advisory uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0112.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/680462/