openSUSE has issued an advisory on August 21: https://lists.opensuse.org/opensuse-updates/2019-08/msg00170.html I see we have 0.73 in Cauldron, so we should update to that. Also, Filezilla has bundled PuTTY, so it should be updated too.
Done for putty 0.73! But it seems that FileZilla has not yet updated their bundled PuTTY. https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/?view=log
CC: (none) => geiger.david68210
Thank you DavidG for jumping in immediately (again!); may I assign this to you as you have already dealt with it?
Assignee: bugsquad => geiger.david68210
putty-0.73-1.mga7 is the update that was submitted. I guess we can wait on FZ.
openSUSE has issued an advisory on October 7: https://lists.opensuse.org/opensuse-updates/2019-10/msg00047.html This is the PuTTY 0.73 update. Hopefully Filezilla will update theirs soon.
Severity: normal => major
Summary: PuTTY 0.72 security update => PuTTY 0.73 security update (fixes CVE-2019-17068 and CVE-2019-17069)
FileZilla update with bundled PuTTY 0.73 in Bug 25932. QA can test this one too. I still need advisories for both.
Assignee: geiger.david68210 => qa-bugs
Blocks: (none) => 25932
No ref to a putty update package in Bug 25932 ?????
CC: (none) => herman.viaene
That bug is for FileZilla, Herman. It has a bundled PuTTY.
MGA7-32bit
I installed Putty 0.73 on i586-kde VM.
$ putty -v
gives me a setup screen, click on about and it confirms 0.73
Remoted into a local server
$ putty xxx.xxx.xxx.xxx
I was able to get into the remote server and navigate. Working as designed.
Whiteboard: (none) => MGA7-32-OK
CC: (none) => brtians1
MGA7-64 - Xfce desktop
I installed Putty 7.3
It works, but at command prompt when running a screen it throws this message.
(putty:3169): Gtk-WARNING **: 11:38:44.898: Theme parsing error: gtk.css:5957:26: 'text-shadow' is not a valid color name
The tool itself works so I don't really care about the messages, but it could annoy some people. Up to the team if they fix this or not. Giving it an it works.
Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

Updated putty package fixes security vulnerabilities:

Two separate vulnerabilities affecting the obsolete SSH-1 protocol, both available before host key checking.

Vulnerability in all the SSH client tools (PuTTY, Plink, PSFTP, and PSCP) if a malicious program can impersonate Pageant.

Crash in GSSAPI / Kerberos key exchange triggered if the server provided an ordinary SSH host key as part of the exchange.

Insufficient handling of terminal escape sequences, that should delimit the pasted data in bracketed paste mode (CVE-2019-17068).

Possible information leak caused by SSH-1 disconnection messages (CVE-2019-17069).

The putty package has been updated to version 0.73, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17069
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://lists.opensuse.org/opensuse-updates/2019-08/msg00170.html
https://lists.opensuse.org/opensuse-updates/2019-10/msg00047.html
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0003.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED