On Thu, 22 Aug 2013, John McKown wrote:
> Workaround
> ==========
> There is no known workaround at this time.
This had an update notice a week or two ago and was patched
back in July. I read the changes then, and by and large, the
author (Simon) was doing a code audit with 'coverity' as well
as from external reports, and found some items needing to be
addressed:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html
There are more cleanups than those cited.
It is not at all clear that there is a working exploit. Simon
notes:
    We are unaware of any way in which this can lead to remote
    code execution, since it will typically overwrite the entire
    heap with zeroes and PuTTY is expected to crash almost
    immediately.
That part of the prior email extract pulled is simply wrong.
From the primary post:

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/putty               < 0.63                       >= 0.63
There was a formal CVE, which is perhaps less excitable
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4852
CVEs tend to lag an update in their issuance.
-- Russ herrold
614 488 6954