Security vulnerabilities in PuTTY prior to 0.71
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
putty (Ubuntu) | Fix Released | Undecided | Unassigned | | |
Bug Description
PuTTY 0.71 was released, patching major security vulnerabilities present in previous versions. Vulnerabilities are laid out in the following CVE reports, ranging in severity from High to Critical:
CVE-2019-9898 Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.
CVE-2019-9897 Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71.
CVE-2019-9895 In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding.
CVE-2019-9894 A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification.
Threats can be mitigated by providing PuTTY 0.71 to Ubuntu via Apt on Disco, Cosmic, Bionic, and Xenial, if not others.
information type: Private Security → Public Security
Tried to link CVEs to the bug report but the database hasn't been pulled recently enough. Will try again later today or tomorrow.