Your message dated Sun, 20 Feb 2005 18:17:38 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#296144: fixed in putty 0.57-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 20 Feb 2005 17:21:03 +0000 >From [EMAIL PROTECTED] Sun Feb 20 09:21:03 2005 Return-path: <[EMAIL PROTECTED]> Received: from chiark.greenend.org.uk [193.201.200.170] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1D2ulS-0000MB-00; Sun, 20 Feb 2005 09:21:02 -0800 Received: by chiark.greenend.org.uk (Debian Exim 3.35 #1) with local (return-path [EMAIL PROTECTED]) id 1D2ulR-0004wh-00 for [EMAIL PROTECTED]; Sun, 20 Feb 2005 17:21:01 +0000 Date: Sun, 20 Feb 2005 17:21:01 +0000 From: Jacob Nevins <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: putty: 0.57 released upstream, fixes pscp/psftp security holes Message-ID: <[EMAIL PROTECTED]> Reply-To: Jacob Nevins <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="GZVR6ND4mMseVXL/" Content-Disposition: inline User-Agent: Mutt/1.3.28i Sender: Jacob Nevins <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: --GZVR6ND4mMseVXL/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Package: putty Version: 0.56-1 Severity: grave Tags: security There's a new upstream release of PuTTY, 0.57, which fixes vulnerabilities in `pscp' and `psftp'. The changes are minimal, so it should be OK whatever state of frozenness the package is currently in (provided it builds on all architectures). It also fixes a couple of trivial bugs, but I don't think it closes any open Debian bugs (other than this one). The release announcement is attached. --GZVR6ND4mMseVXL/ Content-Type: message/rfc822 Content-Disposition: attachment; filename="putty-0.57-release" From: [EMAIL PROTECTED] (Simon Tatham) Date: Sun Feb 20 16:05:41 2005 Subject: SECURITY UPDATE: PuTTY version 0.57 is released Message-ID: <[EMAIL PROTECTED]> SECURITY UPDATE: PuTTY version 0.57 is released ----------------------------------------------- All the pre-built binaries, and the source code, are now available from the PuTTY website at http://www.chiark.greenend.org.uk/~sgtatham/putty/ This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as soon as possible. This version fixes a security hole in previous versions of PuTTY, which can allow a malicious SFTP server to attack your client. If you use either PSCP or PSFTP, you should upgrade. Users of the main PuTTY program are not affected. (However, note that the server must have passed host key verification before this attack can be launched, so a man-in-the-middle shouldn't be able to attack you if you're careful.) This vulnerability was found by iDEFENSE, who we expect to release an advisory on the subject shortly. In addition to this security patch, there are also a few very minor bug fixes which should stop PuTTY from crashing in circumstances involving port forwarding, or failing to correctly perform X forwarding. Other than that, though, 0.57 is almost identical to the previous release 0.56. I repeat: PuTTY 0.57 fixes a SERIOUS SECURITY HOLE in many previous versions of PSCP and PSFTP. If you use either of those programs, you should upgrade now. Enjoy using PuTTY! Cheers, Simon -- Simon Tatham "The distinction between the enlightened and the <[EMAIL PROTECTED]> terminally confused is only apparent to the latter." --GZVR6ND4mMseVXL/-- --------------------------------------- Received: (at 296144-close) by bugs.debian.org; 20 Feb 2005 23:23:02 +0000 >From [EMAIL PROTECTED] Sun Feb 20 15:23:02 2005 Return-path: <[EMAIL PROTECTED]> Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1D30Pm-0003RW-00; Sun, 20 Feb 2005 15:23:02 -0800 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1D30KY-0005Rz-00; Sun, 20 Feb 2005 18:17:38 -0500 From: Colin Watson <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.55 $ Subject: Bug#296144: fixed in putty 0.57-1 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Sun, 20 Feb 2005 18:17:38 -0500 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: Source: putty Source-Version: 0.57-1 We believe that the bug you reported is fixed in the latest version of putty, which is due to be installed in the Debian FTP archive: pterm_0.57-1_powerpc.deb to pool/main/p/putty/pterm_0.57-1_powerpc.deb putty-tools_0.57-1_powerpc.deb to pool/main/p/putty/putty-tools_0.57-1_powerpc.deb putty_0.57-1.diff.gz to pool/main/p/putty/putty_0.57-1.diff.gz putty_0.57-1.dsc to pool/main/p/putty/putty_0.57-1.dsc putty_0.57-1_powerpc.deb to pool/main/p/putty/putty_0.57-1_powerpc.deb putty_0.57.orig.tar.gz to pool/main/p/putty/putty_0.57.orig.tar.gz A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Colin Watson <[EMAIL PROTECTED]> (supplier of updated putty package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sun, 20 Feb 2005 22:49:28 +0000 Source: putty Binary: pterm putty-tools putty Architecture: source powerpc Version: 0.57-1 Distribution: unstable Urgency: high Maintainer: Colin Watson <[EMAIL PROTECTED]> Changed-By: Colin Watson <[EMAIL PROTECTED]> Description: pterm - PuTTY terminal emulator putty - Telnet/SSH client for X putty-tools - command-line tools for SSH, SCP, and SFTP Closes: 296144 Changes: putty (0.57-1) unstable; urgency=high . * New upstream release, fixing pscp/psftp security holes exploitable by a malicious server after host key verification (closes: #296144). - [SECURITY] Fix heap corruption vulnerability in handling of response to SFTP FXP_READDIR request. - [SECURITY] Fix heap corruption vulnerability in handling of SFTP string fields. Files: 71a137bc7af0a6a11df5fc3e15c8808a 599 net optional putty_0.57-1.dsc 0fc816093980246f6400693fe6146280 1319513 net optional putty_0.57.orig.tar.gz d7322745e51bbd00774fd8e7fa4bd327 7052 net optional putty_0.57-1.diff.gz 7e08a48ec4bba5a67f5c4aad30b7e6e8 156142 x11 optional pterm_0.57-1_powerpc.deb 63d4c38730b4bbf0f84e9876a3fb03bb 272320 net optional putty_0.57-1_powerpc.deb 89919752c0d2deb5f7327c99637efe13 655428 net optional putty-tools_0.57-1_powerpc.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCGRW39t0zAhD6TNERAq7EAJ45lDbjhwWF6DZPfY91PeIwTNE2SACdGfml U1SeNb+8C75DMIZsjFXPsyc= =njg+ -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]