Debian Security Advisory

DLA-173-1 putty -- LTS security update

Date Reported:
15 Mar 2015
Affected Packages:
putty
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 779488.
In Mitre's CVE dictionary: CVE-2015-2157.
More information:

MATTA-2015-002

Florent Daigniere discovered that PuTTY did not check that the Diffie-Hellman value sent by the server lay within the range required by RFC 4253 (section 8). A weak server could therefore cause a connection to be negotiated with a predictable shared secret, allowing an eavesdropper to read the session.
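The check that was missing, as an added example that is not the advisory's or PuTTY's own code: a client-side validation of the server's Diffie-Hellman value f against the RFC 4253 section 8 requirement, using the Oakley Group 2 prime that backs diffie-hellman-group1-sha1. The helper names (validate_dh_value, client_shared_secret, KexError) and the choice to reject the endpoints 1 and p-1 as well as out-of-range values are this example's, not PuTTY's; the check=False path reproduces the unpatched behaviour so the degenerate shared secrets can be seen.

```python
"""
Added example (not part of the Debian advisory or of PuTTY): validating the
server's Diffie-Hellman value f on the SSH-2 client side, as RFC 4253
section 8 requires.  Values outside [1, p-1] must be rejected; 1 and p-1 are
also rejected here because they force the shared secret K to a value an
eavesdropper can predict without knowing the client's exponent x.
"""
import secrets

# Oakley Group 2 prime (RFC 2409 section 6.2), the group behind
# diffie-hellman-group1-sha1 in RFC 4253 section 8.1.  Generator g = 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class KexError(Exception):
    """Raised when the key exchange must be aborted (hypothetical name)."""


def validate_dh_value(f: int, p: int = P) -> None:
    """Reject f unless 1 < f < p-1.

    RFC 4253 section 8: values of e or f outside [1, p-1] MUST NOT be sent
    or accepted.  The endpoints are excluded as well: f == 1 yields K == 1
    and f == p-1 yields K in {1, p-1}, both known to a passive attacker.
    """
    if f <= 1 or f >= p - 1:
        raise KexError("server Diffie-Hellman value out of range")


def accepts(f: int, p: int = P) -> bool:
    """True if the hardened client would accept f, False if it aborts."""
    try:
        validate_dh_value(f, p)
    except KexError:
        return False
    return True


def client_shared_secret(f: int, x: int, p: int = P, check: bool = True) -> int:
    """Compute K = f^x mod p as the client does.

    check=False reproduces the unpatched behaviour: no range enforcement,
    so whatever f the server sent is used directly.
    """
    if check:
        validate_dh_value(f, p)
    return pow(f, x, p)


def degenerate_secrets(x: int) -> dict:
    """K for each attacker-chosen f when the check is skipped.

    Regardless of the secret exponent x: f=0 gives K=0, f=1 gives K=1 and
    f=p-1 gives K=1 (x even) or K=p-1 (x odd), so K is guessable.
    """
    return {f: client_shared_secret(f, x, check=False) for f in (0, 1, P - 1)}


def honest_exchange() -> bool:
    """A legitimate exchange passes validation and both sides agree on K."""
    x = secrets.randbelow(P - 2) + 1   # client exponent, constructed here
    y = secrets.randbelow(P - 2) + 1   # server exponent, constructed here
    e = pow(G, x, P)
    f = pow(G, y, P)
    validate_dh_value(e)
    validate_dh_value(f)
    return client_shared_secret(f, x) == pow(e, y, P)


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    for f, k in degenerate_secrets(12345).items():
        print(f"unpatched client, f={'p-1' if f == P - 1 else f}: K={'p-1' if k == P - 1 else k}")
    print("hardened client accepts f=1:", accepts(1))
```

The same validation applies to the client's own value e on the server side, and to the server's value in the group-exchange method (diffie-hellman-group-exchange-sha1), where p is negotiated rather than fixed; the range test is identical once p is known.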

#779488, CVE-2015-2157

Patrick Coleman discovered that PuTTY did not clear SSH-2 private key information from memory when loading and saving key files, which could result in disclosure of private key material.

For Debian 6 Squeeze, these issues have been fixed in putty version 0.60+2010-02-20-1+squeeze3.