Your message dated Sun, 20 Feb 2005 18:17:38 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#296144: fixed in putty 0.57-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Feb 2005 17:21:03 +0000
Date: Sun, 20 Feb 2005 17:21:01 +0000
From: Jacob Nevins <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: putty: 0.57 released upstream, fixes pscp/psftp security holes
Message-ID: <[EMAIL PROTECTED]>
Reply-To: Jacob Nevins <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="GZVR6ND4mMseVXL/"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Sender: Jacob Nevins <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]


--GZVR6ND4mMseVXL/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: putty
Version: 0.56-1
Severity: grave
Tags: security

There's a new upstream release of PuTTY, 0.57, which fixes
vulnerabilities in `pscp' and `psftp'.

The changes are minimal, so it should be OK whatever state of
frozenness the package is currently in (provided it builds on all
architectures).

It also fixes a couple of trivial bugs, but I don't think it closes
any open Debian bugs (other than this one).

The release announcement is attached.

--GZVR6ND4mMseVXL/
Content-Type: message/rfc822
Content-Disposition: attachment; filename="putty-0.57-release"

From: [EMAIL PROTECTED] (Simon Tatham)
Date: Sun Feb 20 16:05:41 2005
Subject: SECURITY UPDATE: PuTTY version 0.57 is released
Message-ID: <[EMAIL PROTECTED]>

SECURITY UPDATE: PuTTY version 0.57 is released
-----------------------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
soon as possible.

This version fixes a security hole in previous versions of PuTTY,
which can allow a malicious SFTP server to attack your client. If
you use either PSCP or PSFTP, you should upgrade. Users of the main
PuTTY program are not affected. (However, note that the server must
have passed host key verification before this attack can be
launched, so a man-in-the-middle shouldn't be able to attack you if
you're careful.)

This vulnerability was found by iDEFENSE, who we expect to release
an advisory on the subject shortly.

In addition to this security patch, there are also a few very minor
bug fixes which should stop PuTTY from crashing in circumstances
involving port forwarding, or failing to correctly perform X
forwarding. Other than that, though, 0.57 is almost identical to the
previous release 0.56.

I repeat: PuTTY 0.57 fixes a SERIOUS SECURITY HOLE in many previous
versions of PSCP and PSFTP. If you use either of those programs, you
should upgrade now.

Enjoy using PuTTY!

Cheers,
Simon
-- 
Simon Tatham         "The distinction between the enlightened and the
<[EMAIL PROTECTED]>    terminally confused is only apparent to the latter."


--GZVR6ND4mMseVXL/--

---------------------------------------
Received: (at 296144-close) by bugs.debian.org; 20 Feb 2005 23:23:02 +0000
From: Colin Watson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#296144: fixed in putty 0.57-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 20 Feb 2005 18:17:38 -0500
Delivered-To: [EMAIL PROTECTED]

Source: putty
Source-Version: 0.57-1

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive:

pterm_0.57-1_powerpc.deb
  to pool/main/p/putty/pterm_0.57-1_powerpc.deb
putty-tools_0.57-1_powerpc.deb
  to pool/main/p/putty/putty-tools_0.57-1_powerpc.deb
putty_0.57-1.diff.gz
  to pool/main/p/putty/putty_0.57-1.diff.gz
putty_0.57-1.dsc
  to pool/main/p/putty/putty_0.57-1.dsc
putty_0.57-1_powerpc.deb
  to pool/main/p/putty/putty_0.57-1_powerpc.deb
putty_0.57.orig.tar.gz
  to pool/main/p/putty/putty_0.57.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[EMAIL PROTECTED]> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 20 Feb 2005 22:49:28 +0000
Source: putty
Binary: pterm putty-tools putty
Architecture: source powerpc
Version: 0.57-1
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <[EMAIL PROTECTED]>
Changed-By: Colin Watson <[EMAIL PROTECTED]>
Description: 
 pterm      - PuTTY terminal emulator
 putty      - Telnet/SSH client for X
 putty-tools - command-line tools for SSH, SCP, and SFTP
Closes: 296144
Changes: 
 putty (0.57-1) unstable; urgency=high
 .
   * New upstream release, fixing pscp/psftp security holes exploitable by a
     malicious server after host key verification (closes: #296144).
     - [SECURITY] Fix heap corruption vulnerability in handling of response
       to SFTP FXP_READDIR request.
     - [SECURITY] Fix heap corruption vulnerability in handling of SFTP
       string fields.
Files: 
 71a137bc7af0a6a11df5fc3e15c8808a 599 net optional putty_0.57-1.dsc
 0fc816093980246f6400693fe6146280 1319513 net optional putty_0.57.orig.tar.gz
 d7322745e51bbd00774fd8e7fa4bd327 7052 net optional putty_0.57-1.diff.gz
 7e08a48ec4bba5a67f5c4aad30b7e6e8 156142 x11 optional pterm_0.57-1_powerpc.deb
 63d4c38730b4bbf0f84e9876a3fb03bb 272320 net optional putty_0.57-1_powerpc.deb
 89919752c0d2deb5f7327c99637efe13 655428 net optional putty-tools_0.57-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCGRW39t0zAhD6TNERAq7EAJ45lDbjhwWF6DZPfY91PeIwTNE2SACdGfml
U1SeNb+8C75DMIZsjFXPsyc=
=njg+
-----END PGP SIGNATURE-----

