CVE-2015-2157 - SSH2 Private Keys Not Properly Wiped from Memory
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
putty (Ubuntu) | Fix Released | Low | Unassigned | |
Precise | Won't Fix | Low | Unassigned | |
Trusty | Fix Released | Low | Unassigned | |
Utopic | Fix Released | Low | Unassigned | |

Bug Description
It was found that:
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.
(This information is from the Ubuntu CVE Tracker at http://
------
This CVE has been fixed with Upstream 0.64.
This issue does not affect Vivid or Wily.
This issue affects Precise, Trusty, and Utopic.
------
This bug is being created in order to track fix status in Ubuntu packages. "Low" severity was set based on the CVE severity. "Confirmed" status was set because this is a publicly confirmed bug thanks to the CVE.
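
The class of fix this CVE calls for, clearing key material from a buffer before it is released, shown as an added example (it is not PuTTY's code or the Debian patch). The toy blob format, the function names and the caller-supplied `work` buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stores go through a volatile pointer so the compiler does not discard
 * the wipe as a dead store just before the buffer is released. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Constructed toy format: tag byte, secret bytes, one XOR checksum byte.
 * `work` stands in for the heap block a loader would free() on return;
 * it must hold at least len bytes. Returns 0 on success, -1 on error. */
static int parse_blob(unsigned char *work, const unsigned char *blob,
                      size_t len, unsigned char *tag) {
    unsigned char sum = 0;
    size_t i;
    memcpy(work, blob, len);              /* secret now lives in work */
    for (i = 0; i + 1 < len; i++) sum ^= work[i];
    if (sum != work[len - 1]) return -1;  /* corrupt blob: early return */
    *tag = work[0];
    return 0;
}

/* Before: returns (and would free) with the secret still in work. */
int load_key_leaky(unsigned char *work, const unsigned char *blob,
                   size_t len, unsigned char *tag) {
    if (len < 2) return -1;
    return parse_blob(work, blob, len, tag);
}

/* After: the wipe runs on success and on the error path alike. */
int load_key_wiped(unsigned char *work, const unsigned char *blob,
                   size_t len, unsigned char *tag) {
    int ret;
    if (len < 2) return -1;               /* nothing copied yet */
    ret = parse_blob(work, blob, len, tag);
    secure_wipe(work, len);
    return ret;
}

/* Returns 1 if the first n bytes of buf are all zero. */
int is_clear(const unsigned char *buf, size_t n) {
    while (n--) if (*buf++) return 0;
    return 1;
}
```
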
CVE References
description: updated
Changed in putty (Ubuntu Precise): status: New → Confirmed
Changed in putty (Ubuntu Trusty): status: New → Confirmed
Changed in putty (Ubuntu Utopic): status: New → Confirmed
Changed in putty (Ubuntu Precise): importance: Undecided → Low
Changed in putty (Ubuntu Utopic): importance: Undecided → Low
Changed in putty (Ubuntu Trusty): importance: Undecided → Low
This is a DebDiff for Ubuntu Trusty. This contains the patch that was included in Debian (http://anonscm.debian.org/cgit/pkg-ssh/putty.git/tree/debian/patches/private-key-not-wiped-2.patch?id=5137922dc35f49f0b8573995420b24c1fe6ff826) which was included in Vivid.