Security update for putty SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1113-1 Final 1 1 2019-04-02T11:03:54Z current 2019-04-02T11:03:54Z 2019-04-02T11:03:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for putty This update for putty fixes the following issues: Update to new upstream release 0.71 [boo#1129633] * CVE-2019-9894: Fixed a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification potential recycling of random numbers used in cryptography. * CVE-2019-9895: Fixed a remotely triggerable buffer overflow in any kind of server-to-client forwarding. * CVE-2019-9897: Fixed multiple denial-of-service attacks that can be triggered by writing to the terminal. * CVE-2019-9898: Fixed potential recycling of random numbers used in cryptography * CVE-2019-9896 (Windows only): Fixed hijacking by a malicious help file in the same directory as the executable * Major rewrite of the crypto code to remove cache and timing side channels. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1113 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html E-Mail link for openSUSE-SU-2019:1113-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129633 SUSE Bug 1129633 https://www.suse.com/security/cve/CVE-2019-9894/ SUSE CVE CVE-2019-9894 page https://www.suse.com/security/cve/CVE-2019-9895/ SUSE CVE CVE-2019-9895 page https://www.suse.com/security/cve/CVE-2019-9896/ SUSE CVE CVE-2019-9896 page https://www.suse.com/security/cve/CVE-2019-9897/ SUSE CVE CVE-2019-9897 page https://www.suse.com/security/cve/CVE-2019-9898/ SUSE CVE CVE-2019-9898 page openSUSE Leap 15.0 putty-0.71-lp150.9.1 putty-0.71-lp150.9.1 as a component of openSUSE Leap 15.0 A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification. CVE-2019-9894 openSUSE Leap 15.0:putty-0.71-lp150.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html https://www.suse.com/security/cve/CVE-2019-9894.html CVE-2019-9894 https://bugzilla.suse.com/1129633 SUSE Bug 1129633 In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding. CVE-2019-9895 openSUSE Leap 15.0:putty-0.71-lp150.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html https://www.suse.com/security/cve/CVE-2019-9895.html CVE-2019-9895 https://bugzilla.suse.com/1129633 SUSE Bug 1129633 In PuTTY versions before 0.71 on Windows, local attackers could hijack the application by putting a malicious help file in the same directory as the executable. CVE-2019-9896 openSUSE Leap 15.0:putty-0.71-lp150.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html https://www.suse.com/security/cve/CVE-2019-9896.html CVE-2019-9896 https://bugzilla.suse.com/1129633 SUSE Bug 1129633 Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71. CVE-2019-9897 openSUSE Leap 15.0:putty-0.71-lp150.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html https://www.suse.com/security/cve/CVE-2019-9897.html CVE-2019-9897 https://bugzilla.suse.com/1129633 SUSE Bug 1129633 Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71. CVE-2019-9898 openSUSE Leap 15.0:putty-0.71-lp150.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html https://www.suse.com/security/cve/CVE-2019-9898.html CVE-2019-9898 https://bugzilla.suse.com/1129633 SUSE Bug 1129633