PuTTY 0.63 is released

Simon Tatham anakin at pobox.com
Tue Aug 6 18:56:38 BST 2013

PuTTY version 0.63 is released

All the pre-built binaries, and the source code, are now available
from the PuTTY website at


This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
soon as possible.

This release fixes multiple security holes in previous versions of
PuTTY, which can allow an SSH-2 server to make PuTTY overrun or
underrun buffers and crash. We do not know of any way in which these
vulnerabilities could permit a server to actually take control of the
client, but we also don't know that that _can't_ be done, so we
recommend you upgrade.

These vulnerabilities can be triggered before host key verification,
which means that you are not even safe if you trust the server you
_think_ you're connecting to, since it could be spoofed over the
network and the host key check would not detect this before the attack
could take place.

Additionally, when PuTTY authenticated with a user's private key, the
private key or information equivalent to it was accidentally kept in
PuTTY's memory for the rest of its run, where it could be retrieved by
other processes reading PuTTY's memory, or written out to swap files
or crash dumps. This release fixes that as well.

Full descriptions of all these vulnerabilities are on the PuTTY
Wishlist web page, in the 'Fixed in release 0.63' section.

In addition to these, many other non-critical bugs have been fixed,
including in particular:

 - Removed arbitrary limits in PuTTY's configuration storage. In
   particular, the low limit on the number of port forwardings has now
   been removed.

 - Fixed propagation of EOF in port forwarding, so that network
   connections which close one direction before the other should now
   be correctly handled.

 - PuTTYgen no longer generates keys one bit shorter than you
   requested (e.g. 2047 bits when you asked for 2048). This was
   harmless but annoyed people.

The following new features have also been implemented:

 - xterm-like bracketed paste mode. This permits applications aware of
   it to tell the difference between text typed into the terminal and
   pasted into the terminal, so that (for example) editors can avoid
   applying an unhelpful auto-indent policy to pasted text.

 - Unix PSCP and PSFTP now preserve Unix file permissions.

 - Unix PuTTY now supports dead keys and the compose key if you have
   them configured.

Enjoy using PuTTY!

Simon Tatham         "Imagine what the world would be like if
<anakin at pobox.com>    there were no hypothetical situations..."
