- private key format has been udpated and now uses Argon2
- new algorithms; Curve448 kex, Ed448 pub keys, SHA-2 RSA variants
- pageant permits loading an encrypted private key and only giving the
passphrase later when it's used
https://lists.tartarus.org/pipermail/putty-announce/2021/000031.html
- In some situations an SSH server could cause PuTTY to access freed
memory by pretending to accept an SSH key and then refusing the
actual signature. It can only happen if you're using an SSH agent.
- New configuration option to disable PuTTY's default policy of
changing its host key algorithm preferences to prefer keys it
already knows. (There is a theoretical information leak in this
policy.)
"This is a SECURITY UPDATE, fixing minor vulnerabilities affecting port
forwarding on Windows; bracketed paste mode in the terminal; and any
use of SSH-1. We recommend that anyone using those features should
update."
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
pollution diff is in.
lang/squeak/vm does not build but it's due to the recent audio changes
games/xbattle: also fixes some conflicting implicit decl
print/hplip: also fixes some conflicting implicit decl
This release fixes a security hole in PSCP, in the old-style SCP
protocol. A server sending a malformed header before the contents of the
file could overrun a buffer exploitably in PSCP. [CVE-2016-2563]
plus "Assorted other fixes for crash-type bugs (but none known to be
exploitable)".
"This release fixes a security hole in the terminal emulation code.
Writing a particular escape sequence to the screen in a PuTTY terminal
session could cause the terminal code to read *and potentially write*
memory outside its own data structures. This might be exploitable, so
everybody should upgrade to a fixed version."
- Vulnerability: non-coprime values in DSA signatures can cause buffer
overflow in modular inverse
- Vulnerability: buffer underrun in modmul can corrupt the heap
- Vulnerability: negative string length in public-key signatures can
cause integer overflow and overwrite all of memory
- Private keys left in memory after being used by PuTTY tools
N.B. some of these vulnerabilities where an SSH-2 server can make PuTTY
overrun or underrun buffers can be triggered *before* host key verification
so there is a risk from a spoofed server. For more info see the 0.63
section of http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/
PuTTY is a SSH and Telnet client implementation. This package
contains the command-line clients and supporting utilities for
key generation.
feedback steven@ mbalmer@; ok mbalmer@
