SECURITY UPDATE: PuTTY version 0.56 is released

Simon Tatham anakin at
Tue Oct 26 19:25:28 BST 2004

SECURITY UPDATE: PuTTY version 0.56 is released

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
soon as possible.

This version fixes a security hole in previous versions of PuTTY,
which can allow an SSH2 server to attack your client before host key
verification. This means that you are not even safe if you trust the
server you _think_ you're connecting to, since it could be spoofed
over the network and the host key check would not detect this before
the attack could take place. The attack can allow the server to
execute code of its choice on the client.

This vulnerability was found by iDEFENSE, who we expect to release
an advisory on the subject shortly.

In addition to this security fix, there have been some other bug
fixes and new features. Notable among them are:

 - Ability to restart a session within an inactive window, via a new
   menu option.

 - Minimal support for not running a shell or command at all in SSH
   protocol 2 (equivalent to OpenSSH's `-N' option). PuTTY/Plink
   still provide a normal window for interaction, and have to be
   explicitly killed.

 - Transparent support for CHAP cryptographic authentication in the
   SOCKS 5 proxy protocol. (Not in PuTTYtel.)

 - More diagnostics in the Event Log, particularly of SSH port

 - Ability to request setting of environment variables in SSH
   (protocol 2 only). (However, we don't know of any _servers_ that
   support this.)

 - Ability to send POSIX signals in SSH (protocol 2 only) via the
   `Special Commands' menu. (Again, we don't know of any servers
   supporting this.)

 - Bug fix: The PuTTY tools now more consistently support usernames
   containing `@' signs.

 - Support for the Polish character set `Mazovia'.

 - When logging is enabled, the log file is flushed more frequently,
   so that its contents can be viewed before it is closed.

 - More flexibility in SSH packet logging: known passwords and
   session data can be omitted from the log file. Passwords are
   omitted by default. (This option isn't perfect for removing
   sensitive details; you should still review log files before
   letting them out of your sight.)

 - Unix-specific changes:
    * Ability to set environment variables in pterm.
    * PuTTY and pterm attempt to use a UTF-8 line character set by
      default if this is indicated by the locale; however, this can
      be overridden.

 - Various minor bug fixes and robustness improvements.

I repeat: PuTTY 0.56 fixes a SERIOUS SECURITY HOLE in all previous
versions of PuTTY. You should upgrade now.

Enjoy using PuTTY!

Simon Tatham         "What a caterpillar calls the end of the
<anakin at>    world, a human calls a butterfly."

More information about the PuTTY-announce mailing list