Control: found -1 0.63-10+deb8u1 On Sat, Jul 10, 2021 at 11:25:04PM +0200, Salvatore Bonaccorso wrote: > The following vulnerability was published for putty. > > CVE-2021-36367[0]: > | PuTTY through 0.75 proceeds with establishing an SSH session even if > | it has never sent a substantive authentication response. This makes it > | easier for an attacker-controlled SSH server to present a later > | spoofed authentication prompt (that the attacker can use to capture > | credential data, and use that data for purposes that are undesired by > | the client user).
Thanks for letting me know. I can do an unstable upload shortly, though am a bit too short of time to deal with stable at the moment. > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-36367 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367 > [1] > https://git.tartarus.org/?p=simon/putty.git;a=commit;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa Probably also https://git.tartarus.org/?p=simon/putty.git;a=commit;h=413398af85b27cd83134f5618bd82f81758f9603 for some more documentation of the new option. > Please adjust the affected versions in the BTS as needed. I think this has been around essentially forever, so I marked the version in oldoldstable as affected, although that doesn't necessarily mean I expect anyone to bother with fixing it there. -- Colin Watson (he/him) [cjwat...@debian.org]
