Slashdot Mirror
Another Serious Security Hole in PuTTY, Fixed
Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."
When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.
The solution is to always keep your putty inside it's protective egg when in unknown territory.
A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
he has a PHD in first posts
More likely the Dr. Frankenfurter / Rocky Horror Picture Show way.
Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.
:-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.
Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know
Your patches look mostly sensible. I'll respond in detail by email.