Headline
Gentoo Linux Security Advisory 202407-11
Gentoo Linux Security Advisory 202407-11 - Multiple vulnerabilities have been discovered in PuTTY, the worst of which could lead to compromised keys. Versions greater than or equal to 0.81 are affected.
Gentoo Linux Security Advisory GLSA 202407-11
https://security.gentoo.org/
Severity: High
Title: PuTTY: Multiple Vulnerabilities
Date: July 05, 2024
Bugs: #920304, #930082
ID: 202407-11
Synopsis
Multiple vulnerabilities have been discovered in PuTTY, the worst of
which could lead to compromised keys.
Background
PuTTY is a free implementation of Telnet and SSH for Windows and Unix
platforms, along with an xterm terminal emulator.
Affected packages
Package Vulnerable Unaffected
net-misc/putty < 0.81 >= 0.81
Description
Multiple vulnerabilities have been discovered in PuTTY. Please review
the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All PuTTY users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=net-misc/putty-0.81”
In addition, any keys generated with PuTTY versions 0.68 to 0.80 should
be considered breached and should be regenerated.
References
[ 1 ] CVE-2023-48795
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
[ 2 ] CVE-2024-31497
https://nvd.nist.gov/vuln/detail/CVE-2024-31497
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202407-11
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Red Hat Security Advisory 2024-4662-03 - Red Hat OpenShift Virtualization release 4.15.3 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-3479-03 - Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 for RHEL 8.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1557-03 - An update is now available for Red Hat OpenShift Builds 1.0. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-1197-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.
Red Hat Security Advisory 2024-1150-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-0880-03 - Red Hat OpenShift Serverless 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-0843-03 - Red Hat OpenShift Serverless version 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-0789-03 - An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available. Issues addressed include buffer overflow and denial of service vulnerabilities.
Debian Linux Security Advisory 5601-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.
Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection's security by breaking the integrity of the secure channel. Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the "first ever practically exploitable prefix
Gentoo Linux Security Advisory 202312-16 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to code execution. Versions greater than or equal to 0.10.6 are affected.