FreeBSD: VID-46E1ECE5-48BD-11E9-9C40-080027AC955C: PuTTY -- security fixes in new release
Description
The PuTTY team reports:
New in 0.71:
Security fixes found by an EU-funded bug bounty programme:
+ a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
+ potential recycling of random numbers used in cryptography
+ on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
+ multiple denial-of-service attacks that can be triggered by writing to the terminal
Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
User interface changes to protect against fake authentication prompts from a malicious server.
Solution(s)
- freebsd-upgrade-package-putty
- freebsd-upgrade-package-putty-gtk2
- freebsd-upgrade-package-putty-nogtk
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center