Your message dated Sun, 24 Dec 2023 16:48:03 +0000
with message-id <[email protected]>
and subject line Bug#990901: fixed in putty 0.74-1+deb11u1
has caused the Debian Bug report #990901,
regarding putty: CVE-2021-36367
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
990901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990901
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: putty
Version: 0.75-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for putty.
CVE-2021-36367[0]:
| PuTTY through 0.75 proceeds with establishing an SSH session even if
| it has never sent a substantive authentication response. This makes it
| easier for an attacker-controlled SSH server to present a later
| spoofed authentication prompt (that the attacker can use to capture
| credential data, and use that data for purposes that are undesired by
| the client user).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-36367
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367
[1] https://git.tartarus.org/?p=simon/putty.git;a=commit;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: putty
Source-Version: 0.74-1+deb11u1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated putty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 22 Dec 2023 17:36:21 +0000
Source: putty
Architecture: source
Version: 0.74-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 990901
Changes:
 putty (0.74-1+deb11u1) bullseye-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - CVE-2021-36367: New option to reject 'trivial' success of userauth
       (closes: #990901).
     - New macro PTRLEN_DECL_LITERAL.
     - Extra utility function add_to_commasep_pl.
     - CVE-2023-48795: Support OpenSSH's new strict kex feature (thanks to
       Simon Tatham for backporting assistance).
       Note that this does _not_ include upstream's added UI warning for
       servers vulnerable to Terrapin, which was too difficult to backport to
       this version.
--- End Message ---
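The check behind the "reject 'trivial' success of userauth" option named in the changelog, as an added example that is not PuTTY's or Debian's code: the client records whether it has sent any substantive authentication response and refuses USERAUTH_SUCCESS if it has not. The `auth_event` type, `check_userauth` and both traces are hypothetical names constructed for illustration, and the choice of which messages count as substantive is this example's assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* SSH userauth message numbers from RFC 4252 and RFC 4256. */
enum { USERAUTH_REQUEST = 50, USERAUTH_FAILURE = 51,
       USERAUTH_SUCCESS = 52, USERAUTH_INFO_RESPONSE = 61 };

/* One message in a simplified userauth trace (hypothetical model type). */
typedef struct {
    int msg;             /* SSH message number */
    bool from_client;    /* direction of the message */
    bool has_secret;     /* REQUEST carrying a password or key signature */
    unsigned nresponses; /* INFO_RESPONSE: number of prompts answered */
} auth_event;

typedef enum { AUTH_PENDING, AUTH_ACCEPTED, AUTH_REJECTED_TRIVIAL } auth_result;

/* Decide what to do on USERAUTH_SUCCESS. Assumption of this example: a
 * "none" request, a key query without a signature and an INFO_RESPONSE
 * answering zero prompts are not substantive responses. */
auth_result check_userauth(const auth_event *ev, size_t n, bool reject_trivial)
{
    bool substantive = false;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].from_client) {
            if (ev[i].msg == USERAUTH_REQUEST && ev[i].has_secret)
                substantive = true;
            if (ev[i].msg == USERAUTH_INFO_RESPONSE && ev[i].nresponses > 0)
                substantive = true;
        } else if (ev[i].msg == USERAUTH_SUCCESS) {
            if (!substantive && reject_trivial)
                return AUTH_REJECTED_TRIVIAL; /* drop the connection */
            return AUTH_ACCEPTED;             /* session may start */
        }
    }
    return AUTH_PENDING; /* no SUCCESS seen yet */
}

/* Constructed trace: the server accepts a bare "none" request. */
const auth_event trace_trivial[] = {
    { USERAUTH_REQUEST, true, false, 0 },
    { USERAUTH_SUCCESS, false, false, 0 },
};
/* Constructed trace: success only after the client sent a password. */
const auth_event trace_password[] = {
    { USERAUTH_REQUEST, true, false, 0 },
    { USERAUTH_FAILURE, false, false, 0 },
    { USERAUTH_REQUEST, true, true, 0 },
    { USERAUTH_SUCCESS, false, false, 0 },
};
```

With `reject_trivial` false the first trace is accepted, which is the behaviour the CVE text describes; with it true the client stops before any session in which a later prompt could be presented.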