Bug 26875 - putty 0.74 update fixes security issue (CVE-2020-14002)
Summary: putty 0.74 update fixes security issue (CVE-2020-14002)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 27231
  Show dependency treegraph
 
Reported: 2020-06-30 20:24 CEST by David Walser
Modified: 2020-09-02 10:02 CEST (History)
2 users (show)

See Also:
Source RPM: putty-0.73-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-06-30 20:24:13 CEST
PuTTY 0.74 has been released on June 27:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

As usual, it contains a security fix.  Filezilla will also have to be fixed, but it doesn't look like they have done so upstream yet.
Comment 1 David GEIGER 2020-06-30 21:25:45 CEST
putty updated for mga7, waiting for Filezilla upstream fixes!
Comment 2 David Walser 2020-06-30 21:29:34 CEST
putty-0.74-1.mga7 was uploaded.  There's probably a CVE, which upstream doesn't like to list, so hopefully I'll see something from another distro soon.
Comment 3 David Walser 2020-07-08 00:15:51 CEST
Fedora has issued advisories for filezilla and libfilezilla on July 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/

They updated to filezilla 3.48.1 and libfilezilla 0.22.0.

I'm guessing that's related to this.
Comment 4 David GEIGER 2020-07-08 07:18:41 CEST
Nop upstream filezilla haven't yet ported bundled putty to latest 0.74 release.
Comment 5 David Walser 2020-07-10 20:48:02 CEST
This is CVE-2020-14002.

Fedora has issued an advisory for this on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/

Summary: putty 0.74 update fixes security issue => putty 0.74 update fixes security issue (CVE-2020-14002)

Comment 6 David Walser 2020-08-31 01:09:28 CEST
David, is there an updated filezilla available now?
Comment 7 David GEIGER 2020-08-31 06:16:19 CEST
There is a new release 3.50.0 but without putty security fixes for now:

https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/
David Walser 2020-08-31 14:42:30 CEST

Blocks: (none) => 27231

Comment 8 David Walser 2020-08-31 14:45:10 CEST
Split filezilla to Bug 27231 to push the PuTTY update.

Advisory:
========================

Updated putty package fixes security vulnerability:

PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information
leak in the algorithm negotiation. This allows man-in-the-middle attackers to
target initial connection attempts (where no host key for the server has been
cached by the client) (CVE-2020-14002).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14002
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
========================

Updated packages in core/updates_testing:
========================
putty-0.74-1.mga7

from putty-0.74-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 9 Len Lawrence 2020-09-01 02:50:42 CEST
mga7, x86_64

Updated putty and tried the SSH connection only.
Connected to login on another node of the LAN with user agent and authorized keys.
Commandline worked fine.  Logged out OK.
Tried 
$ putty -X -l lcl
Connected to the other LAN node - terminal window appeared, user already logged in when the machine name was specified.  Executed a small ruby script which posted a window on the local machine which responded to the exit button.  Tried something a little more complicated, another gui with images and popup windows.  These could be closed down but not moved.  putty closed down when exit or logout was typed.
 
Seems to work fine with SSH.  "Connection refused" for telnet port 23.
Adding the OK.

CC: (none) => tarazed25

Len Lawrence 2020-09-01 03:01:08 CEST

Whiteboard: (none) => MGA7-64-OK

David Walser 2020-09-01 03:38:53 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Aurelien Oudelet 2020-09-01 15:47:57 CEST

Keywords: (none) => advisory

Comment 10 Mageia Robot 2020-09-02 10:02:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0358.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.