Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-173-1 putty

Debian Security Advisory

DLA-173-1 putty -- LTS security update

Date Reported:

15 Mar 2015

Affected Packages:

putty

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 779488.
In Mitre's CVE dictionary: CVE-2015-2157.

More information:

MATTA-2015-002

Florent Daigniere discovered that PuTTY did not enforce an acceptable range for the Diffie-Hellman server value, as required by RFC 4253, potentially allowing an eavesdroppable connection to be established in the event of a server weakness.

#779488, CVE-2015-2157

Patrick Coleman discovered that PuTTY did not clear SSH-2 private key information from memory when loading and saving key files, which could result in disclosure of private key material.

For Debian 6 Squeeze, these issues have been fixed in putty version 0.60+2010-02-20-1+squeeze3