Debian Bug report logs - #718779
putty: CVE-2013-4852


Package: putty; Maintainer for putty is Colin Watson <cjwatson@debian.org>; Source for putty is src:putty.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 5 Aug 2013 11:03:02 UTC

Severity: grave

Tags: security

Fixed in versions putty/0.63-1, putty/0.62-9+deb7u1, putty/0.60+2010-02-20-1+squeeze2

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#718779; Package putty. (Mon, 05 Aug 2013 11:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>. (Mon, 05 Aug 2013 11:03:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: putty: CVE-2013-4852
Date: Mon, 05 Aug 2013 12:56:09 +0200
Package: putty
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://www.search-lab.hu/advisories/secadv-20130722
for details.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#718779; Package putty. (Tue, 06 Aug 2013 18:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Tue, 06 Aug 2013 18:51:04 GMT) Full text and rfc822 format available.

Message #10 received at 718779@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 718779@bugs.debian.org
Cc: putty@projects.tartarus.org
Subject: Re: Bug#718779: putty: CVE-2013-4852
Date: Tue, 6 Aug 2013 19:48:05 +0100
On Mon, Aug 05, 2013 at 12:56:09PM +0200, Moritz Muehlenhoff wrote:
> Hi,
> please see http://www.search-lab.hu/advisories/secadv-20130722
> for details.

Yep, Simon gave me a heads-up on this on Thursday and I'll be packaging
0.63 very shortly now that it's released.  Simon, you said you might be
able to identify some svn revisions for me for the purposes of
backporting to stable releases; have you had a chance to look at that?

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#718779; Package putty. (Tue, 06 Aug 2013 19:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Tue, 06 Aug 2013 19:27:07 GMT) Full text and rfc822 format available.

Message #15 received at 718779@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Colin Watson <cjwatson@debian.org>, 718779@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, putty@projects.tartarus.org
Subject: Re: Bug#718779: putty: CVE-2013-4852
Date: Tue, 6 Aug 2013 21:25:17 +0200
Hi Colin

On Tue, Aug 06, 2013 at 07:48:05PM +0100, Colin Watson wrote:
> On Mon, Aug 05, 2013 at 12:56:09PM +0200, Moritz Muehlenhoff wrote:
> > Hi,
> > please see http://www.search-lab.hu/advisories/secadv-20130722
> > for details.
> 
> Yep, Simon gave me a heads-up on this on Thursday and I'll be packaging
> 0.63 very shortly now that it's released.  Simon, you said you might be
> able to identify some svn revisions for me for the purposes of
> backporting to stable releases; have you had a chance to look at that?

Thanks for already working on this. The relevant commit should be the
following[1], revision 9896 for putty.

 [1] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896

Hope that helps so far,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#718779; Package putty. (Tue, 06 Aug 2013 20:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Tue, 06 Aug 2013 20:24:04 GMT) Full text and rfc822 format available.

Message #20 received at 718779@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 718779@bugs.debian.org
Cc: Colin Watson <cjwatson@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, putty@projects.tartarus.org
Subject: Re: Bug#718779: putty: CVE-2013-4852
Date: Tue, 6 Aug 2013 22:22:33 +0200
Hi Colin,

On Tue, Aug 06, 2013 at 09:25:17PM +0200, Salvatore Bonaccorso wrote:
> Hi Colin
> 
> On Tue, Aug 06, 2013 at 07:48:05PM +0100, Colin Watson wrote:
> > On Mon, Aug 05, 2013 at 12:56:09PM +0200, Moritz Muehlenhoff wrote:
> > > Hi,
> > > please see http://www.search-lab.hu/advisories/secadv-20130722
> > > for details.
> > 
> > Yep, Simon gave me a heads-up on this on Thursday and I'll be packaging
> > 0.63 very shortly now that it's released.  Simon, you said you might be
> > able to identify some svn revisions for me for the purposes of
> > backporting to stable releases; have you had a chance to look at that?
> 
> Thanks for already working on this. The relevant commit should be the
> following[1], revision 9896 for putty.
> 
>  [1] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
> 
> Hope that helps so far,

One additional follow-up: See the post on oss-security list[1].

 [1] http://www.openwall.com/lists/oss-security/2013/08/06/11

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#718779; Package putty. (Wed, 07 Aug 2013 02:51:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Wed, 07 Aug 2013 02:51:09 GMT) Full text and rfc822 format available.

Message #25 received at 718779@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 718779@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#718779: putty: CVE-2013-4852
Date: Wed, 7 Aug 2013 03:48:30 +0100
On Tue, Aug 06, 2013 at 09:25:17PM +0200, Salvatore Bonaccorso wrote:
> On Tue, Aug 06, 2013 at 07:48:05PM +0100, Colin Watson wrote:
> > On Mon, Aug 05, 2013 at 12:56:09PM +0200, Moritz Muehlenhoff wrote:
> > > Hi,
> > > please see http://www.search-lab.hu/advisories/secadv-20130722
> > > for details.
> > 
> > Yep, Simon gave me a heads-up on this on Thursday and I'll be packaging
> > 0.63 very shortly now that it's released.  Simon, you said you might be
> > able to identify some svn revisions for me for the purposes of
> > backporting to stable releases; have you had a chance to look at that?
> 
> Thanks for already working on this. The relevant commit should be the
> following[1], revision 9896 for putty.
> 
>  [1] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896

A good deal more than just that is involved.  I have a complete list
from Simon (thanks!).  I'd intended to deal with the stable upload
tonight but fell asleep earlier than planned after getting the children
to bed; I'll get unstable done now and stable in the morning.

-- 
Colin Watson                                       [cjwatson@debian.org]



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Wed, 07 Aug 2013 03:27:15 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 07 Aug 2013 03:27:15 GMT) Full text and rfc822 format available.

Message #30 received at 718779-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 718779-close@bugs.debian.org
Subject: Bug#718779: fixed in putty 0.63-1
Date: Wed, 07 Aug 2013 03:24:53 +0000
Source: putty
Source-Version: 0.63-1

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Aug 2013 04:00:18 +0100
Source: putty
Binary: pterm putty putty-tools putty-doc
Architecture: source i386 all
Version: 0.63-1
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-doc  - PuTTY HTML documentation
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 193352 308552 718779
Changes: 
 putty (0.63-1) unstable; urgency=low
 .
   * New upstream release.
     - CVE-2013-4206: Buffer underrun in modmul could corrupt the heap.
     - CVE-2013-4852: Negative string length in public-key signatures could
       cause integer overflow and overwrite all of memory (closes: #718779).
     - CVE-2013-4207: Non-coprime values in DSA signatures can cause buffer
       overflow in modular inverse.
     - CVE-2013-4208: Private keys were left in memory after being used by
       PuTTY tools.
     - Allow using a bold colour and a bold font at the same time (closes:
       #193352).
     - Use a monotonic clock (closes: #308552).
   * Switch to the Autotools-based build system.
   * Upgrade to debhelper v9.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----
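The CVE-2013-4852 entry above names a negative string length in a public-key signature as the root cause. As an added illustration (not PuTTY's or Debian's code), the block below parses a length-prefixed SSH string (RFC 4251: big-endian uint32 length followed by the bytes) the way a signed-int length check goes wrong, beside the hardened unsigned check; the signature-blob layout and the sample blobs are constructed here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
/* Big-endian uint32: the length prefix of an SSH "string" (RFC 4251). */
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern (illustrative, not PuTTY's code): the length lives in
 * a signed int, so a prefix with the top bit set reads as negative, the
 * "too long" guard passes, and a later copy or allocation sized from len
 * (or len + 4, which wraps) runs with a bogus size. Returns 1 when the
 * guard accepts the string and stores the length it would hand on. */
int vulnerable_accepts(const unsigned char *buf, size_t buflen, int *len_out) {
    int remaining = (int)buflen;
    if (remaining < 4)
        return 0;
    int len = (int)get_u32(buf);       /* defect: signed interpretation */
    if (len > remaining - 4)           /* -16 > 4 is false: check bypassed */
        return 0;
    *len_out = len;
    return 1;
}

/* Hardened pattern: unsigned length compared with the unsigned byte count
 * that remains; len + 4 is never computed on untrusted input.
 * Returns 0 and the string bounds on success, -1 on malformed input. */
int safe_string(const unsigned char *buf, size_t buflen,
                const unsigned char **out, uint32_t *outlen) {
    if (buflen < 4)
        return -1;
    uint32_t len = get_u32(buf);
    if (len > buflen - 4)              /* buflen >= 4 here, so no wraparound */
        return -1;
    *out = buf + 4;
    *outlen = len;
    return 0;
}

/* Walk a two-string signature blob (string algorithm-name, string
 * signature-bytes, as in RFC 4253) with the hardened parser.
 * Returns 1 if both strings fit exactly, 0 otherwise. */
int check_sig_blob(const unsigned char *blob, size_t n) {
    const unsigned char *s;
    uint32_t slen;
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        if (safe_string(blob + off, n - off, &s, &slen) != 0)
            return 0;
        off += 4 + (size_t)slen;       /* bounded: slen <= n - off - 4 */
    }
    return off == n;
}

/* Constructed sample blobs: one well-formed, one whose second length field
 * is 0xFFFFFFF0, i.e. -16 when misread as a signed int. */
static const unsigned char good_sig[] = {
    0,0,0,7,'s','s','h','-','r','s','a', 0,0,0,4,'A','B','C','D' };
static const unsigned char bad_sig[] = {
    0,0,0,7,'s','s','h','-','r','s','a', 0xFF,0xFF,0xFF,0xF0,'A','B','C','D' };

/* Length the vulnerable guard lets through for bad_sig's second string
 * (0 if it had rejected it), and the hardened verdict on each blob. */
int demo_vulnerable_len(void) {
    int len = 0;
    return vulnerable_accepts(bad_sig + 11, sizeof bad_sig - 11, &len) ? len : 0;
}
int demo_good_blob_ok(void) { return check_sig_blob(good_sig, sizeof good_sig); }
int demo_bad_blob_ok(void)  { return check_sig_blob(bad_sig, sizeof bad_sig); }
```

The signed guard hands on a length of -16 for the malformed blob, while the unsigned parser rejects it and still accepts the well-formed one.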




Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Wed, 14 Aug 2013 21:21:22 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 14 Aug 2013 21:21:22 GMT) Full text and rfc822 format available.

Message #35 received at 718779-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 718779-close@bugs.debian.org
Subject: Bug#718779: fixed in putty 0.62-9+deb7u1
Date: Wed, 14 Aug 2013 21:17:05 +0000
Source: putty
Source-Version: 0.62-9+deb7u1

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Aug 2013 10:11:18 +0100
Source: putty
Binary: pterm putty putty-tools putty-doc
Architecture: source i386 all
Version: 0.62-9+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-doc  - PuTTY HTML documentation
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 718779
Changes: 
 putty (0.62-9+deb7u1) stable-security; urgency=high
 .
   * CVE-2013-4206: Buffer underrun in modmul could corrupt the heap.
   * CVE-2013-4852: Negative string length in public-key signatures could
     cause integer overflow and overwrite all of memory (closes: #718779).
   * CVE-2013-4207: Non-coprime values in DSA signatures can cause buffer
     overflow in modular inverse.
   * CVE-2013-4208: Private keys were left in memory after being used by
     PuTTY tools.
   * Backport some general proactive potentially-security-relevant tightening
     from upstream.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----




Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Thu, 15 Aug 2013 21:06:12 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 15 Aug 2013 21:06:12 GMT) Full text and rfc822 format available.

Message #40 received at 718779-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 718779-close@bugs.debian.org
Subject: Bug#718779: fixed in putty 0.60+2010-02-20-1+squeeze2
Date: Thu, 15 Aug 2013 21:02:55 +0000
Source: putty
Source-Version: 0.60+2010-02-20-1+squeeze2

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Aug 2013 23:37:19 +0100
Source: putty
Binary: pterm putty putty-tools putty-doc
Architecture: source i386 all
Version: 0.60+2010-02-20-1+squeeze2
Distribution: oldstable-security
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-doc  - PuTTY HTML documentation
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 718779
Changes: 
 putty (0.60+2010-02-20-1+squeeze2) oldstable-security; urgency=high
 .
   * CVE-2011-4607: Passwords were left in memory using SSH
     keyboard-interactive auth.
   * CVE-2013-4206: Buffer underrun in modmul could corrupt the heap.
   * CVE-2013-4852: Negative string length in public-key signatures could
     cause integer overflow and overwrite all of memory (closes: #718779).
   * CVE-2013-4207: Non-coprime values in DSA signatures can cause buffer
     overflow in modular inverse.
   * CVE-2013-4208: Private keys were left in memory after being used by
     PuTTY tools.
   * Backport some general proactive potentially-security-relevant tightening
     from upstream.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:36:17 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:20:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.