Lee wrote: > On 4/10/19, Peter Wiersig <pe...@friesenpeter.de> wrote: > > Lee <ler...@gmail.com> writes: > > > > Package: putty (0.67-3+deb9u1) > > Telnet/SSH client for X > > > > https://packages.debian.org/stretch/putty > > Now there's a blast from the past! I used to love putty but $WORK > decided using it was a no-no. In any case, > https://www.chiark.greenend.org.uk/~sgtatham/putty/ > 2019-03-16 PuTTY 0.71 released > PuTTY 0.71, released today, includes a large number of security fixes, > many of which were found by the recent EU-funded HackerOne bug bounty. > > How does one tell if putty (0.67-3+deb9u1) has all the security fixes > that are in 0.71?
Excellent question. https://packages.debian.org/search?suite=all&searchon=names&keywords=putty can send you to https://metadata.ftp-master.debian.org/changelogs//main/p/putty/putty_0.67-3+deb9u1_changelog which has this as the most recent entry: putty (0.67-3+deb9u1) stretch-security; urgency=high * Backport security fixes from 0.71: - In random_add_noise, put the hashed noise into the pool, not the raw noise. - New facility for removing pending toplevel callbacks. - CVE-2019-9898: Fix one-byte buffer overrun in random_add_noise(). - uxnet: clean up callbacks when closing a NetSocket. - sk_tcp_close: fix memory leak of output bufchain. - Fix handling of bad RSA key with n=p=q=0. - Sanity-check the 'Public-Lines' field in ppk files. - Introduce an enum of the uxsel / select_result flags. - CVE-2019-9895: Switch to using poll(2) in place of select(2). - CVE-2019-9894: RSA kex: enforce the minimum key length. - CVE-2019-9897: Fix crash on ESC#6 + combining chars + GTK + odd-width terminal. - CVE-2019-9897: Limit the number of combining chars per terminal cell. - minibidi: fix read past end of line in rule W5. - CVE-2019-9897: Fix crash printing a width-2 char in a width-1 terminal. -- Colin Watson <cjwat...@debian.org> Tue, 02 Apr 2019 19:32:53 +0100