Your message dated Sat, 10 Jul 2021 23:48:31 +0000
with message-id <[email protected]>
and subject line Bug#990901: fixed in putty 0.75-3
has caused the Debian Bug report #990901,
regarding putty: CVE-2021-36367
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
990901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990901
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: putty
Version: 0.75-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for putty.
CVE-2021-36367[0]:
| PuTTY through 0.75 proceeds with establishing an SSH session even if
| it has never sent a substantive authentication response. This makes it
| easier for an attacker-controlled SSH server to present a later
| spoofed authentication prompt (that the attacker can use to capture
| credential data, and use that data for purposes that are undesired by
| the client user).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-36367
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367
[1] https://git.tartarus.org/?p=simon/putty.git;a=commit;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: putty
Source-Version: 0.75-3
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated putty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 11 Jul 2021 00:35:09 +0100
Source: putty
Architecture: source
Version: 0.75-3
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 990901
Changes:
 putty (0.75-3) unstable; urgency=medium
 .
   * Cherry-pick from upstream:
     - CVE-2021-36367: New option to reject 'trivial' success of userauth
       (closes: #990901).
Checksums-Sha1:
f1638199ce9866b49ab56cd60c5e1fd8567fbcda 2422 putty_0.75-3.dsc
6f2f8370788cabed499e367d9f3fa7583e4702b4 22884 putty_0.75-3.debian.tar.xz
Checksums-Sha256:
411b84e7d6c909f0f44f7a0bf33e91f3aa0b1f171d752175f0d3e7620237b058 2422 putty_0.75-3.dsc
cc45763bdfe661c76659b481cc44a6074449bb3af295ea2ed44161c09d837a60 22884 putty_0.75-3.debian.tar.xz
Files:
2fadebbf218a2e269427cc52ef46d4f6 2422 net optional putty_0.75-3.dsc
0964c6854a188b7117fc87ae40d762b3 22884 net optional putty_0.75-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
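
The client-side check that the CVE text and the changelog entry above describe, as an added example that is not PuTTY's code or part of either message: it tracks whether the client has sent a substantive authentication response before the server reports userauth success. The struct, the function names, the `reject_trivial` flag (standing in for the new option) and the definition of "substantive" are assumptions made for illustration; the traces are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* SSH userauth message numbers (RFC 4252, RFC 4256). */
enum { USERAUTH_REQUEST = 50, USERAUTH_FAILURE = 51,
       USERAUTH_SUCCESS = 52, USERAUTH_INFO_RESPONSE = 61 };

/* Hypothetical simplified message record, not PuTTY's own types. */
struct auth_msg {
    bool from_client;
    int type;
    const char *method;     /* USERAUTH_REQUEST: method name */
    bool has_signature;     /* "publickey": request carries a signature */
    unsigned num_responses; /* USERAUTH_INFO_RESPONSE: answers sent */
};
enum verdict { AUTH_PENDING, AUTH_ACCEPTED, AUTH_REJECTED_TRIVIAL };

/* Assumption: "substantive" means the client actually sent a credential. */
static bool is_substantive(const struct auth_msg *m) {
    if (!m->from_client) return false;
    if (m->type == USERAUTH_INFO_RESPONSE) return m->num_responses > 0;
    if (m->type != USERAUTH_REQUEST || m->method == NULL) return false;
    if (strcmp(m->method, "password") == 0) return true;
    if (strcmp(m->method, "publickey") == 0) return m->has_signature;
    return false; /* "none", or the opening keyboard-interactive request */
}

/* Walk the exchange and decide what to do when the server reports success. */
enum verdict check_userauth(const struct auth_msg *m, size_t n, bool reject_trivial) {
    bool sent = false; /* has the client sent anything substantive yet? */
    for (size_t i = 0; i < n; i++) {
        if (is_substantive(&m[i]))
            sent = true;
        else if (!m[i].from_client && m[i].type == USERAUTH_SUCCESS)
            return (reject_trivial && !sent) ? AUTH_REJECTED_TRIVIAL : AUTH_ACCEPTED;
    }
    return AUTH_PENDING;
}

/* Constructed traces: "none" accepted at once, then a normal password login. */
const struct auth_msg trivial_trace[] = {
    { true,  USERAUTH_REQUEST, "none", false, 0 },
    { false, USERAUTH_SUCCESS, NULL,   false, 0 },
};
const struct auth_msg password_trace[] = {
    { true,  USERAUTH_REQUEST, "none",     false, 0 },
    { false, USERAUTH_FAILURE, NULL,       false, 0 },
    { true,  USERAUTH_REQUEST, "password", false, 0 },
    { false, USERAUTH_SUCCESS, NULL,       false, 0 },
};
```

With `reject_trivial` set, the first trace is refused because the session would otherwise start before the user has authenticated, so any prompt that appears later would come from the session itself rather than from the authentication layer.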