SECURITY UPDATE: PuTTY version 0.55 is released

Simon Tatham anakin at
Tue Aug 3 19:56:58 BST 2004

SECURITY UPDATE: PuTTY version 0.55 is released

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

This is a bug fix release to 0.54, and also a SECURITY UPDATE. We
recommend that _everybody_ upgrade, as soon as possible.

This version fixes a security hole in previous versions of PuTTY,
which can allow an SSH2 server to attack your client before host key
verification. This means that you are not even safe if you trust the
server you _think_ you're connecting to, since it could be spoofed
over the network and the host key check would not detect this before
the attack could take place. We are not completely certain of the
impact of the attack, but it could be as bad as allowing the server
to execute code of its choice on the client.

This vulnerability was found by Core Security Technologies, who we
understand will shortly release an advisory numbered CORE-2004-0705
on the subject.

In addition to this security fix, there have been some other bug
fixes as well. Notable among them are:

 - general robustness of the SSH1 implementation has been improved,
   which may have fixed further potential security problems although
   we are not aware of any specific ones

 - random noise generation was hanging some computers and
   interfering with other processes' precision timing, and should
   now not do so

 - dead key support should work better

 - a terminal speed is now sent to the SSH server

 - removed a spurious diagnostic message in Plink

 - the `-load' option in PSCP and PSFTP should work better

 - X forwarding on the Unix port can now talk to Unix sockets as
   well as TCP sockets

 - various crashes and assertion failures fixed.

I repeat: PuTTY 0.55 fixes a SERIOUS SECURITY HOLE in all previous
versions of PuTTY. You should upgrade now.

Enjoy using PuTTY!

Simon Tatham         "Imagine what the world would be like if
<anakin at>    there were no hypothetical situations..."

More information about the PuTTY-announce mailing list