OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
PuTTY SSH client vulnerability

From: Anatole Shaw (anatolenationalsky.com)
Date: Tue Oct 26 2004 - 22:02:22 CDT


From http://www.chiark.greenend.org.uk/~sgtatham/putty/

======================================================================

2004-10-26 ANOTHER SECURITY HOLE, fixed in PuTTY 0.56

PuTTY 0.56, released today, fixes a serious security hole which can
allow a server to execute code of its choice on a PuTTY client
connecting to it. In SSH2, the attack can be performed before host key
verification, meaning that even if you trust the server you think you
are connecting to, a different machine could be impersonating it and
could launch the attack before you could tell the difference. We
recommend everybody upgrade to 0.56 as soon as possible.

That's two really bad holes in three months. I'd like to apologise to
all our users for the inconvenience.

======================================================================