Hi,

putty 0.71 contains fixes for several security issues. Mageia 6 is also affected.

References:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Best regards,
Nico.
Whiteboard: (none) => MGA6TOO
Source RPM: (none) => putty-0.70-3.mga7.src.rpm
Assigning to our registered putty maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
putty-0.71-1.mga6 uploaded by Shlomi.
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Fedora reminded me that FileZilla needs to be updated for this as well, because of its embedded PuTTY. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TBPZ6RAMBOJAKKPJ54MPIPJTXNB2T6FW/
Assignee: qa-bugs => pkg-bugs
Whiteboard: (none) => MGA6TOO
CC: (none) => geiger.david68210, qa-bugs
Version: 6 => Cauldron
Status comment: (none) => filezilla also needs to be updated
Fedora advisory for PuTTY itself: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDO3F267P347E6U2IILFCYW7JPTLCCES/
Severity: normal => major
Summary: putty security update 0.71 => putty security update 0.71 (CVE-2019-989[4578])
Hmmmm, ouch! The new filezilla 3.41.2 needs:

checking for wxWidgets version >= 3.0.4 (--unicode=yes --universal=no)... no (version 3.0.3 is not new enough)
Now I need a sysadmin to remove libfilezilla from the 6/Core/Updates_testing repo! After that I can update filezilla to the latest 3.31.0 release, which supports wxWidgets <= 3.0.3, and backport the security fix from PuTTY 0.71.
So, fixed for mga6 by updating filezilla to 3.31.0 and libfilezilla to 0.12.1, and also syncing the putty part with the 3.41.2 source.
putty-0.71-1.mga6
libfilezilla0-0.12.1-1.mga6
libfilezilla-devel-0.12.1-1.mga6
filezilla-3.31.0-1.mga6

from SRPMS:
putty-0.71-1.mga6.src.rpm
libfilezilla-0.12.1-1.mga6.src.rpm
filezilla-3.31.0-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Status comment: filezilla also needs to be updated => (none)
Advisory:
========================

Updated putty and filezilla packages fix security vulnerabilities:

A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification (CVE-2019-9894).

In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding (CVE-2019-9895).

Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71 (CVE-2019-9897).

Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71 (CVE-2019-9898).

The putty package has been updated to version 0.71 and the filezilla package has been updated and patched to fix these issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9898
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LDO3F267P347E6U2IILFCYW7JPTLCCES/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TBPZ6RAMBOJAKKPJ54MPIPJTXNB2T6FW/
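The advisory above names the fixed package versions, and the FileZilla build failure earlier in the thread turned on a version comparison (3.0.3 against a required 3.0.4). As an added example, not part of this bug report or of Mageia's tooling, the script below checks a list of installed packages against the advisory's fixed versions using rpm's version-ordering rules (numeric segments beat alphabetic ones, a longer version wins when the common prefix is equal, '~' marks a pre-release that sorts before everything). The INSTALLED list is constructed to stand in for `rpm -qa --qf '%{NAME}-%{EVR}.%{ARCH}\n'` output; its older filezilla and libfilezilla versions are illustrative placeholders and not taken from the page. The FIXED table is the package list from the advisory.

```python
"""Check installed Mageia packages against an advisory's fixed versions.

Added example; not part of the bug report or of Mageia's own tooling.
INSTALLED is constructed sample data standing in for
`rpm -qa --qf '%{NAME}-%{EVR}.%{ARCH}\n'`; the old filezilla/libfilezilla
versions in it are illustrative placeholders.
"""
import re

# Version segments: runs of digits, runs of letters, or the '~' pre-release marker.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings as rpm does: -1, 0 or 1.

    Simplification: the '^' post-release marker is not implemented.
    """
    if a == b:
        return 0
    xs, ys = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while True:
        x = xs[i] if i < len(xs) else None
        y = ys[i] if i < len(ys) else None
        # '~' sorts before everything, including the end of the other string.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        # Common prefix exhausted on one side: the string with more segments is newer.
        if x is None or y is None:
            if x is None and y is None:
                return 0
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() or y.isdigit():
            # A numeric segment is newer than an alphabetic one at the same position.
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
        i += 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional) into (int, str, str)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def split_nevra(pkg: str):
    """'putty-0.71-1.mga6.x86_64' -> ('putty', '0.71-1.mga6'); the arch is dropped."""
    nevr, _, _arch = pkg.rpartition(".")
    name, version, release = nevr.rsplit("-", 2)
    return name, f"{version}-{release}"


# Fixed versions from the advisory in this thread.
FIXED = {
    "putty": "0.71-1.mga6",
    "filezilla": "3.31.0-1.mga6",
    "lib64filezilla0": "0.12.1-1.mga6",
}

# Constructed sample: putty already updated, FileZilla still at older (placeholder) versions.
INSTALLED = [
    "putty-0.71-1.mga6.x86_64",
    "filezilla-3.30.0-1.mga6.x86_64",
    "lib64filezilla0-0.11.0-1.mga6.x86_64",
]


def check_advisory(installed, fixed):
    """Return {name: 'fixed' | 'vulnerable' | 'not installed'} for each advisory package."""
    have = dict(split_nevra(p) for p in installed)
    result = {}
    for name, min_evr in fixed.items():
        if name not in have:
            result[name] = "not installed"
        elif evrcmp(have[name], min_evr) >= 0:
            result[name] = "fixed"
        else:
            result[name] = "vulnerable"
    return result


if __name__ == "__main__":
    for name, status in check_advisory(INSTALLED, FIXED).items():
        print(f"{name:20s} {status}")
```

On a real host, replace INSTALLED with the output of the `rpm -qa` query in the docstring; a package reported as "vulnerable" is still at a version below the advisory's, and "not installed" means the advisory package is absent (a 32-bit host, for instance, has libfilezilla0 rather than lib64filezilla0, so the FIXED table must use the names for that architecture).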
Okay, installed Putty 0.71. I used to use this tool regularly for work.

On my VM I followed this link for setting up an SSH server on Mageia:
https://doc.mageia.org/mcc/6/en/content/drakwizard_sshd.html
Which means I needed to install drakwizard. So, I did.

After configuration I started the ssh server with:
# systemctl start sshd

In another terminal on the same VM I typed in:
$ putty 127.0.0.1

I was able to accept a key, connect and get to the command prompt. Putty is working as designed.

-----
FileZilla is mentioned in this grouping. I have not tested that.
CC: (none) => brtians1
Whiteboard: (none) => MGA6-64-OK
FILEZILLA

$ uname -a
Linux localhost 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- filezilla-3.31.0-1.mga6.x86_64
- gcc-5.5.0-2.mga6.x86_64
- gcc-cpp-5.5.0-2.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64
- isl-0.16.1-1.mga6.x86_64
- kernel-userspace-headers-4.14.110-1.mga6.x86_64
- lib64filezilla-devel-0.12.1-1.mga6.x86_64
- lib64filezilla0-0.12.1-1.mga6.x86_64
- lib64isl15-0.16.1-1.mga6.x86_64
- lib64mpc3-1.0.3-1.mga6.x86_64
- lib64pugixml1-1.7-1.mga6.x86_64
- lib64wxgtku3.0_0-3.0.3.1-1.mga6.x86_64
- libstdc++-devel-5.5.0-2.mga6.x86_64
- libstdc++6-5.5.0-2.mga6.x86_64
- wxgtk-3.0.3.1-1.mga6.x86_64

I was able to connect to the ftp server without issue. Transferred 98 files. All went as designed.
$ uname -a
Linux localhost 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 19:13:32 UTC 2019 i686 i686 i686 GNU/Linux

The following 4 packages are going to be installed:
- filezilla-3.31.0-1.mga6.i586
- libfilezilla0-0.12.1-1.mga6.i586
- meta-task-6-3.3.mga6.noarch
- putty-0.71-1.mga6.i586
6.4MB of additional disk space will be used.
5.2MB of packages will be retrieved.
Is it ok to continue?

- set up local sshd server
- then tested putty. Works fine.
- connected to the ftp server with filezilla - that is working fine.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
When starting filezilla 3.31.0, it immediately throws:

ASSERT INFO:
./src/gtk/toplevel.cpp(988): assert "m_widget" failed in Show(): invalid frame

BACKTRACE:
[1] wxTopLevelWindowGTK::Show(bool)
[2] wxTopLevelWindowBase::Destroy()
[3] wxAppConsoleBase::CallEventHandler(wxEvtHandler*, wxEventFunctor&, wxEvent&) const
[4] wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&)
[5] wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*)
[6] wxEvtHandler::TryHereOnly(wxEvent&)
[7] wxEvtHandler::ProcessEventLocally(wxEvent&)
[8] wxEvtHandler::ProcessEvent(wxEvent&)
[9] wxEvtHandler::SafelyProcessEvent(wxEvent&)
[10] wxTimerImpl::SendEvent()
[11] g_main_context_dispatch
[12] g_main_loop_run
[13] gtk_main
[14] wxGUIEventLoop::DoRun()
[15] wxEventLoopBase::Run()
[16] wxAppConsoleBase::MainLoop()
[17] wxEntry(int&, wchar_t**)
[18] main
[19] __libc_start_main
[20] _start
CC: (none) => LpSolit
An upstream patch added in wxgtk-3.0.3.1-1.1.mga6 should fix this popup issue! Please test it!

For reference: https://trac.wxwidgets.org/ticket/17942

new packages:
wxgtk-3.0.3.1-1.1.mga6.i586.rpm
libwxgtku3.0_0-3.0.3.1-1.1.mga6.i586.rpm
libwxgtku3.0-devel-3.0.3.1-1.1.mga6.i586.rpm
libwxgtkugl3.0_0-3.0.3.1-1.1.mga6.i586.rpm
wxgtk-3.0.3.1-1.1.mga6.x86_64.rpm
lib64wxgtku3.0_0-3.0.3.1-1.1.mga6.x86_64.rpm
lib64wxgtku3.0-devel-3.0.3.1-1.1.mga6.x86_64.rpm
lib64wxgtkugl3.0_0-3.0.3.1-1.1.mga6.x86_64.rpm

from SRPMS:
wxgtk-3.0.3.1-1.1.mga6.src.rpm
Whiteboard: MGA6-64-OK MGA6-32-OK => (none)
The following 7 packages are going to be installed:
- filezilla-3.31.0-1.mga6.x86_64
- lib64filezilla0-0.12.1-1.mga6.x86_64
- lib64pugixml1-1.7-1.mga6.x86_64
- lib64wxgtku3.0_0-3.0.3.1-1.1.mga6.x86_64
- lib64wxgtkugl3.0_0-3.0.3.1-1.1.mga6.x86_64
- meta-task-6-3.3.mga6.noarch
- wxgtk-3.0.3.1-1.1.mga6.x86_64

$ filezilla
Reading locale option from /home/brian/.config/filezilla/filezilla.xml
wxD-Bus: Signal from /org/freedesktop/DBus, member NameAcquired
wxD-Bus: Reply with serial 2
wxD-Bus: Signal: Error: The name org.gnome.SessionManager was not provided by any .service files
wxD-Bus: CPowerManagementInhibitor: Requesting busy
wxD-Bus: Reply with serial 3
wxD-Bus: Reply: Error: The name org.freedesktop.PowerManagement was not provided by any .service files
wxD-Bus: Falling back to org.gnome.SessionManager
wxD-Bus: CPowerManagementInhibitor: Requesting busy
wxD-Bus: Reply with serial 4
wxD-Bus: Reply: Error: The name org.gnome.SessionManager was not provided by any .service files
wxD-Bus: Reply with serial 5

I was able to transfer files from host to client without issue.

$ filezilla
Reading locale option from /home/brian/.config/filezilla/filezilla.xml
wxD-Bus: Signal from /org/freedesktop/DBus, member NameAcquired
wxD-Bus: Reply with serial 2
wxD-Bus: Signal: Error: The name org.gnome.SessionManager was not provided by any .service files
wxD-Bus: CPowerManagementInhibitor: Requesting busy
wxD-Bus: Reply with serial 3
wxD-Bus: Reply: Error: The name org.freedesktop.PowerManagement was not provided by any .service files
wxD-Bus: Falling back to org.gnome.SessionManager
wxD-Bus: CPowerManagementInhibitor: Requesting busy
wxD-Bus: Reply with serial 4
wxD-Bus: Reply: Error: The name org.gnome.SessionManager was not provided by any .service files
wxD-Bus: Reply with serial 5
wxD-Bus: Reply with serial 6
wxD-Bus: Reply with serial 7

Uploaded files from client to server.

Putty worked before and these files were for filezilla.
Whiteboard: (none) => MGA6-64-OK
Validating. Advisory information in Comment 9 and Comment 14.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0153.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED