CVSROOT: /cvs
Module name: ports
Changes by: st...@cvs.openbsd.org 2013/08/07 05:47:51
Modified files:
net/putty : Makefile distinfo
Removed files:
net/putty/patches: patch-unix_configure_ac patch-unix_uxpty_c
Log message:
SECURITY update to PuTTY 0.63 - ok brad@
- Vulnerability: non-coprime values in DSA signatures can cause buffer
overflow in modular inverse
- Vulnerability: buffer underrun in modmul can corrupt the heap
- Vulnerability: negative string length in public-key signatures can
cause integer overflow and overwrite all of memory
- Private keys left in memory after being used by PuTTY tools
N.B. some of these vulnerabilities where an SSH-2 server can make PuTTY
overrun or underrun buffers can be triggered *before* host key verification
so there is a risk from a spoofed server. For more info see the 0.63
section of http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/
