Debian Security Advisory
DLA-173-1 putty -- LTS security update
- Date Reported: 15 Mar 2015
- Affected Packages: putty
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 779488. In Mitre's CVE dictionary: CVE-2015-2157.
- More information:
MATTA-2015-002
Florent Daigniere discovered that PuTTY did not enforce an acceptable range for the Diffie-Hellman server value, as required by RFC 4253, potentially allowing an eavesdroppable connection to be established in the event of a server weakness.
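The receiver-side check that the advisory refers to, as an added illustration rather than PuTTY's own code: RFC 4253 section 8 says values of e or f outside [1, p-1] must not be accepted, and a client that also rejects the endpoints avoids a shared secret that does not depend on its own exponent at all. The group below is a constructed toy group for readability; an SSH client would use the negotiated MODP group.

```python
"""Validation of a Diffie-Hellman peer value on the client side (RFC 4253 s.8)."""

# Constructed toy group, far too small for real use. p = 23 is prime and
# g = 5 generates the whole multiplicative group mod 23.
TOY_P = 23
TOY_G = 5


def dh_peer_value_ok(f: int, p: int) -> bool:
    """Return True only if the server's public value f is acceptable.

    RFC 4253 section 8: values of e or f not in [1, p-1] MUST NOT be accepted.
    The endpoints 1 and p-1 are excluded too, because they force K to 1 or
    p-1 whatever the client's exponent is (see degenerate_secrets below).
    """
    return 1 < f < p - 1


def shared_secret(peer_value: int, own_exponent: int, p: int) -> int:
    """K = f^x mod p, the client's side of the exchange."""
    return pow(peer_value, own_exponent, p)


def client_key_exchange(f: int, x: int, p: int = TOY_P) -> int:
    """What a fixed client does: validate f before deriving K from it."""
    if not dh_peer_value_ok(f, p):
        raise ValueError("Diffie-Hellman server value out of range")
    return shared_secret(f, x, p)


def degenerate_secrets(p: int, exponents) -> dict:
    """Map each out-of-range f in {0, 1, p-1} to the set of K values it can
    produce over all given client exponents; each set is tiny, which is why
    such an f must be rejected rather than used."""
    out = {}
    for f in (0, 1, p - 1):
        out[f] = sorted({shared_secret(f, x, p) for x in exponents})
    return out
```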
#779488, CVE-2015-2157
Patrick Coleman discovered that PuTTY did not clear SSH-2 private key information from memory when loading and saving key files, which could result in disclosure of private key material.
For Debian 6 "Squeeze", these issues have been fixed in putty version 0.60+2010-02-20-1+squeeze3.