PuTTY 0.64 is released

Simon Tatham anakin at pobox.com
Sat Feb 28 09:13:50 GMT 2015


PuTTY version 0.64 is released
------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a SECURITY UPDATE. We recommend that everybody who uses SSH
private keys upgrade, as soon as possible.

When PuTTY authenticated with a user's private key, the private key
was accidentally kept in PuTTY's memory for the rest of its run, where
it could be retrieved by other processes reading PuTTY's memory, or
written out to swap files or crash dumps. This was believed to be
fixed in 0.63, but embarrassingly it turns out there was another copy
we hadn't spotted. We think it's more fixed now. Sorry!

Additionally, PuTTY was missing a range check in Diffie-Hellman key
exchange required by RFC 4253, which could arguably be considered a
security issue as well. This is also now fixed. Details of both issues
can be found on the PuTTY Wishlist web page, in the 'Fixed in release
0.63' section.

Non-security bugs also fixed in this release:

 - Fixed handling of IPv6 literals in PuTTY's configuration and
   command lines. You should now be able to use an IPv6 literal in
   square brackets wherever a hostname or IPv4 address is allowed, and
   in a few cases (where there's no possibility of confusion with a
   trailing colon) without square brackets too.

 - Fixed the annoying repeated host key warnings in mid-session, if
   you selected 'accept once' at the first one.

 - The default setting for bold text display has been reverted to its
   pre-0.63 value, so that bold black should now be visible again.
   (However, any saved sessions or default settings created by 0.63
   will still have the accidental 0.63 default.)

The following new features have also been implemented:

 - SSH-2 connection sharing. This permits multiple instances of PuTTY
   and its supporting tools to open channels over the same SSH
   connection, so that you only have to log in once and can open
   multiple terminal sessions and/or file transfers. You can enable it
   by ticking one box in the SSH configuration panel, and then the
   first PuTTY to connect to a particular host will become the
   'upstream' managing the SSH connection itself, and further PuTTYs
   (or PSCP, PSFTP or Plink) you ask to connect to the same host will
   instead connect to the upstream and share its SSH connection.

 - New command-line and config options to manually specify the host
   key(s) you expect. This should be useful to people running the
   tools in batch mode without a valid Registry, and also to people
   who have a host that can legitimately offer one of multiple host
   keys.

Enjoy using PuTTY!

Cheers,
Simon
-- 
import hashlib; print (lambda p,q,g,y,r,s,m: m if (lambda w:(pow(g,int(hashlib.
 sha1(m).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r else "!"
 )(0xb80b5dacabab6145, 0xf70027d345023, 0x7643bc4018957897, 0x11c2e5d9951130c9,
 0xa54d9cbe4e8ab, 0x746c50eaa1910, "Simon Tatham <anakin at pobox.com>")
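
The Diffie-Hellman range check mentioned in the announcement, as an added example (not PuTTY's code and not part of the original message): RFC 4253 section 8 says values of e or f outside [1, p-1] must not be sent or accepted. The Python sketch below shows the check and what its absence allows: an accepted value of 0 or a multiple of p collapses the shared secret to 0 whatever the private exponent is. The modulus, base, function names and the `strict` option are assumptions of this example.

```python
import secrets

# Constructed demo modulus: the Mersenne prime 2**127 - 1. It is not an SSH
# group; it only keeps the numbers short. G is likewise a constructed base.
P = 2**127 - 1
G = 3

class DHRangeError(ValueError):
    """Peer's Diffie-Hellman value is outside the accepted range."""

def validate_peer_value(f, p, strict=False):
    """Accept f only if 1 <= f <= p-1, the range RFC 4253 section 8 requires.

    strict=True also rejects 1 and p-1, whose powers are only ever 1 or p-1.
    That option is an assumption of this example, not RFC text.
    """
    low, high = (2, p - 2) if strict else (1, p - 1)
    if not isinstance(f, int) or not low <= f <= high:
        raise DHRangeError("peer DH value out of range")
    return f

def shared_secret(peer_value, private_x, p, check=True, strict=False):
    """Compute K = peer_value ** private_x mod p, validating first by default."""
    if check:
        validate_peer_value(peer_value, p, strict)
    return pow(peer_value, private_x, p)

def secrets_without_check(p, trials=5):
    """Show what K becomes when out-of-range values are accepted unchecked.

    Returns {label: set of K seen over several random private exponents}.
    """
    seen = {}
    for label, f in (("0", 0), ("p", p), ("2p", 2 * p)):
        seen[label] = {
            shared_secret(f, secrets.randbelow(p - 3) + 2, p, check=False)
            for _ in range(trials)
        }
    return seen

if __name__ == "__main__":
    # Every unchecked out-of-range value collapses K to the single value 0.
    print(secrets_without_check(P))
    for bad in (0, P, -1):
        try:
            shared_secret(bad, 12345, P)
        except DHRangeError as exc:
            print(bad, "rejected:", exc)
```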


