From anakin at pobox.com  Sat Feb 28 09:13:50 2015
From: anakin at pobox.com (Simon Tatham)
Date: Sat, 28 Feb 2015 09:13:50 +0000
Subject: PuTTY 0.64 is released
Message-ID: <E1YRdT4-00020P-Sp@atreus.tartarus.org>

PuTTY version 0.64 is released
------------------------------
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a SECURITY UPDATE. We recommend that everybody who uses SSH
private keys upgrade, as soon as possible.

When PuTTY authenticated with a user's private key, the private key
was accidentally kept in PuTTY's memory for the rest of its run, where
it could be retrieved by other processes reading PuTTY's memory, or
written out to swap files or crash dumps. This was believed to be
fixed in 0.63, but embarrassingly it turns out there was another copy
we hadn't spotted. We think it's more fixed now. Sorry!

Additionally, PuTTY was missing a range check in Diffie-Hellman key
exchange required by RFC 4253, which could arguably be considered a
security issue as well. This is also now fixed. Details of both issues
can be found on the PuTTY Wishlist web page, in the 'Fixed in release
0.63' section.

Non-security bugs also fixed in this release:

 - Fixed handling of IPv6 literals in PuTTY's configuration and
   command lines. You should now be able to use an IPv6 literal in
   square brackets wherever a hostname or IPv4 address is allowed, and
   in a few cases (where there's no possibility of confusion with a
   trailing colon) without square brackets too.

 - Fixed the annoying repeated host key warnings in mid-session, if
   you selected 'accept once' at the first one.

 - The default setting for bold text display has been reverted to its
   pre-0.63 value, so that bold black should now be visible again.
   (However, any saved sessions or default settings created by 0.63
   will still have the accidental 0.63 default.)

The following new features have also been implemented:

 - SSH-2 connection sharing. This permits multiple instances of PuTTY
   and its supporting tools to open channels over the same SSH
   connection, so that you only have to log in once and can open
   multiple terminal sessions and/or file transfers. You can enable it
   by ticking one box in the SSH configuration panel, and then the
   first PuTTY to connect to a particular host will become the
   'upstream' managing the SSH connection itself, and further PuTTYs
   (or PSCP, PSFTP or Plink) you ask to connect to the same host will
   instead connect to the upstream and share its SSH connection.

 - New command-line and config options to manually specify the host
   key(s) you expect. This should be useful to people running the
   tools in batch mode without a valid Registry, and also to people
   who have a host that can legitimately offer one of multiple host
   keys.

Enjoy using PuTTY!

Cheers,
Simon
-- 
import hashlib; print (lambda p,q,g,y,r,s,m: m if (lambda w:(pow(g,int(hashlib.
 sha1(m).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r else "!"
 )(0xb80b5dacabab6145, 0xf70027d345023, 0x7643bc4018957897, 0x11c2e5d9951130c9,
 0xa54d9cbe4e8ab, 0x746c50eaa1910, "Simon Tatham <anakin at pobox.com>")


From anakin at pobox.com  Sat Feb 28 15:50:14 2015
From: anakin at pobox.com (Simon Tatham)
Date: Sat, 28 Feb 2015 15:50:14 +0000
Subject: PuTTY 0.64 is released
In-Reply-To: <E1YRdT4-00020P-Sp@atreus.tartarus.org>
Message-ID: <E1YRjeg-0000R3-Vd@atreus.tartarus.org>

Simon Tatham <anakin at pobox.com> wrote:

> PuTTY version 0.64 is released
> ------------------------------

I'm sorry for the noise, but the build uploaded this morning as 0.64
was in fact built from the wrong branch, and did not contain the
fixes. It's now been replaced.

Anyone who has downloaded it so far, I recommend downloading it again,
I'm afraid. :-(

Sorry,
Simon
-- 
import hashlib; print (lambda p,q,g,y,r,s,m: m if (lambda w:(pow(g,int(hashlib.
 sha1(m).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r else "!"
 )(0xb80b5dacabab6145, 0xf70027d345023, 0x7643bc4018957897, 0x11c2e5d9951130c9,
 0xa54d9cbe4e8ab, 0x746c50eaa1910, "Simon Tatham <anakin at pobox.com>")


From anakin at pobox.com  Sat Jul 25 12:08:04 2015
From: anakin at pobox.com (Simon Tatham)
Date: Sat, 25 Jul 2015 12:08:04 +0100
Subject: PuTTY 0.65 is released
Message-ID: <1437822434-sup-4716@atreus.tartarus.org>

PuTTY version 0.65 is released
------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

0.65 is a bug-fix release, with no significant new features over 0.64.
(In particular, the new cryptographic algorithms we are testing in the
development snapshots - elliptic curves, ChaCha20 etc - are *not* in
this release.)

Notable bugs fixed in this release:

 - The configuration dialog box became invisible in some Windows Vista
   display themes, as a side effect of a Windows security update which
   Microsoft released on 2015-06-09. In spite of the Windows update
   having triggered it, this was our bug, and it is now fixed.

 - The Windows PuTTY GUI could become unresponsive if the server sent
   a high-volume flood of data, because PuTTY would prioritise the
   incoming network events too highly and forget to ever check for GUI
   input. This bug was fixed once before, but reappered in 0.64; it is
   now fixed again.

 - PSFTP now exits with a failure status when a command fails in a
   batch-mode script.

 - Fixed some (non-security-critical) crashes in corner cases of SSH:
   when a connection-sharing downstream disconnects while the upstream
   is still doing authentication, and when a server sends a badly
   formatted key exchange packet.

 - PuTTY could sometimes reply to the terminal query code ESC [ 13 t
   (to report the current window position) with an invalid escape
   sequence containing a minus sign.

Despite this mostly being a bug-fix release, there are a couple of
minor new features:

 - The PuTTY Event Log now logs the source of incoming connections to
   local (and dynamic) forwarded ports, and in connection sharing mode
   it also logs the process id of downstreams connecting to it.

 - A performance improvement: when the Unix version of PuTTY is
   compiled for a 64-bit target using gcc or clang, the large-number
   cryptography (RSA, DSA) should now run at least twice as fast,
   because it processes numbers in 64-bit rather than 32-bit chunks.

Enjoy using PuTTY!

-- 
import hashlib; print (lambda p,q,g,y,r,s,m: m if (lambda w:(pow(g,int(hashlib.
 sha1(m).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r else "!"
 )(0xb80b5dacabab6145, 0xf70027d345023, 0x7643bc4018957897, 0x11c2e5d9951130c9,
 0xa54d9cbe4e8ab, 0x746c50eaa1910, "Simon Tatham <anakin at pobox.com>")


From anakin at pobox.com  Sat Nov  7 15:13:22 2015
From: anakin at pobox.com (Simon Tatham)
Date: Sat, 07 Nov 2015 15:13:22 +0000
Subject: PuTTY 0.66 is released
Message-ID: <1446909135-sup-4407@atreus.tartarus.org>

PuTTY version 0.66 is released
------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a SECURITY UPDATE. We recommend that everybody upgrade, as
soon as possible.

This release fixes a security hole in the terminal emulation code.
Writing a particular escape sequence to the screen in a PuTTY terminal
session could cause the terminal code to read *and potentially write*
memory outside its own data structures. This might be exploitable, so
everybody should upgrade to a fixed version.

In addition to that security fix, some other bugs are fixed in this
release. Notable bugs fixed:

 - Windows PuTTY should now be able to accept arbitrary Unicode
   keypresses sent to it by other applications such as WinCompose.

 - Launching a saved session from a jump list in Windows 10 was
   reported to fail, and is now believed fixed.

 - Fixed a tight-loop bug when a connection-sharing upstream session
   terminated without closing the whole of PuTTY.

And a couple of new (small) features were added:

 - Command-line options in all tools to enable session logging.

 - In the log file name configuration, &P now interpolates the port
   number you told PuTTY to connect to.

Finally, be warned that we have regenerated the GPG keys we use to
sign our release binaries, to use up-to-date protocols and key
lengths. The new keys have been live on our website for two months
now, and are signed by a collection of free software developers who we
hope are well connected in the web of trust. Also, the old Master Keys
have signed the new one, so if you already trusted the old keys, then
that should smooth the upgrade path.

Enjoy using PuTTY!

Cheers,
Simon

-- 
import hashlib; print (lambda p,q,g,y,r,s,m: m if (lambda w:(pow(g,int(hashlib.
 sha1(m).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r else "!"
 )(0xb80b5dacabab6145, 0xf70027d345023, 0x7643bc4018957897, 0x11c2e5d9951130c9,
 0xa54d9cbe4e8ab, 0x746c50eaa1910, "Simon Tatham <anakin at pobox.com>")