Package: putty
Version: 0.62-9+deb7u2
Severity: normal
Tags: security

-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid-proposed'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-22-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

The wheezy security update backport for CVE-2015-2157 replaced calls to
smemclr() with memset() in private-key-not-wiped-2.patch. This may result in
the security fix being optimized away by the compiler.

In addition, it appears there are other cases in the codebase where a memset
is being used to clear out sensitive information. The following commit should
probably be backported:

https://github.com/Yasushi/putty/commit/aa5bae89
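
An added example, not part of the original report and not PuTTY's or Debian's code: the memset() dead-store pattern the report describes, next to a wipe done through a volatile pointer. secure_clear(), residue(), use_key() and the sample key are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PuTTY's smemclr(): every store goes through a
 * volatile lvalue, which compilers treat as an observable side effect and
 * therefore keep even when the buffer is never read again. */
static void secure_clear(void *buf, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (n--)
        *p++ = 0;
}

/* Number of non-zero bytes still present in buf. */
static size_t residue(const unsigned char *buf, size_t n)
{
    size_t i, left = 0;
    for (i = 0; i < n; i++)
        left += (buf[i] != 0);
    return left;
}

/* Constructed stand-in for key handling: copy the key into a stack buffer,
 * use it (here: a byte sum), then wipe the copy before returning. */
static unsigned use_key(const unsigned char *key, size_t n, int hardened)
{
    unsigned char tmp[32] = {0};
    unsigned sum = 0;
    size_t i;
    if (n > sizeof tmp) n = sizeof tmp;
    memcpy(tmp, key, n);
    for (i = 0; i < n; i++) sum += tmp[i];
    if (hardened)
        secure_clear(tmp, sizeof tmp); /* volatile stores are kept */
    else
        memset(tmp, 0, sizeof tmp);    /* dead store: tmp is not read again,
                                          so an optimizer may drop the call */
    return sum;
}

int main(void)
{
    unsigned char key[16]; /* constructed sample key: bytes 1..16 */
    size_t i;
    for (i = 0; i < sizeof key; i++) key[i] = (unsigned char)(i + 1);
    printf("memset path: %u  secure_clear path: %u\n",
           use_key(key, sizeof key, 0), use_key(key, sizeof key, 1));
    secure_clear(key, sizeof key);
    printf("non-zero bytes left in key: %zu\n", residue(key, sizeof key));
    return 0;
}
```

Both paths return the same result; the difference is only whether the wipe of tmp is guaranteed to reach the generated code. Whether the memset() call survives depends on the compiler and optimization level, which can be checked by comparing the assembly produced at -O0 and -O2.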