This has ended up in the CVE list (CVE-2006-7162) and as a Secunia advisory <http://secunia.com/advisories/24381>.
Secunia had incorrectly listed both 0.58 and 0.59 as vulnerable (they've recently corrected this). I suspect that the advisory was derived from this Debian bug report, and I can see that a casual observer might think it was only fixed in 0.60; for some reason, there are two "fixed" emails in this report, and the later one has subject "Bug#400804: fixed in putty 0.60-1". For the avoidance of doubt: this was fixed in 0.59, and only affects the Unix version.