PuTTY 0.64 is released
anakin at pobox.com
Sat Feb 28 09:13:50 GMT 2015
PuTTY version 0.64 is released
All the pre-built binaries, and the source code, are now available
from the PuTTY website at
This is a SECURITY UPDATE. We recommend that everybody who uses SSH
private keys upgrade, as soon as possible.
When PuTTY authenticated with a user's private key, the private key
was accidentally kept in PuTTY's memory for the rest of its run, where
it could be retrieved by other processes reading PuTTY's memory, or
written out to swap files or crash dumps. This was believed to be
fixed in 0.63, but embarrassingly it turns out there was another copy
we hadn't spotted. We think it's more fixed now. Sorry!
Additionally, PuTTY was missing a range check in Diffie-Hellman key
exchange required by RFC 4253, which could arguably be considered a
security issue as well. This is also now fixed. Details of both issues
can be found on the PuTTY Wishlist web page, in the 'Fixed in release
Non-security bugs also fixed in this release:
- Fixed handling of IPv6 literals in PuTTY's configuration and
command lines. You should now be able to use an IPv6 literal in
square brackets wherever a hostname or IPv4 address is allowed, and
in a few cases (where there's no possibility of confusion with a
trailing colon) without square brackets too.
- Fixed the annoying repeated host key warnings in mid-session, if
you selected 'accept once' at the first one.
- The default setting for bold text display has been reverted to its
pre-0.63 value, so that bold black should now be visible again.
(However, any saved sessions or default settings created by 0.63
will still have the accidental 0.63 default.)
The following new features have also been implemented:
- SSH-2 connection sharing. This permits multiple instances of PuTTY
and its supporting tools to open channels over the same SSH
connection, so that you only have to log in once and can open
multiple terminal sessions and/or file transfers. You can enable it
by ticking one box in the SSH configuration panel, and then the
first PuTTY to connect to a particular host will become the
'upstream' managing the SSH connection itself, and further PuTTYs
(or PSCP, PSFTP or Plink) you ask to connect to the same host will
instead connect to the upstream and share its SSH connection.
- New command-line and config options to manually specify the host
key(s) you expect. This should be useful to people running the
tools in batch mode without a valid Registry, and also to people
who have a host that can legitimately offer one of multiple host
Enjoy using PuTTY!
import hashlib; print (lambda p,q,g,y,r,s,m: m if (lambda w:(pow(g,int(hashlib.
sha1(m).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r else "!"
)(0xb80b5dacabab6145, 0xf70027d345023, 0x7643bc4018957897, 0x11c2e5d9951130c9,
0xa54d9cbe4e8ab, 0x746c50eaa1910, "Simon Tatham <anakin at pobox.com>")
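
The Diffie-Hellman range check mentioned in the announcement, as an added Python illustration that is not part of the original message and is not PuTTY's code. RFC 4253 section 8 says values of e or f outside [1, p-1] must not be accepted; the sketch shows what an unchecked peer value does to the shared secret. The modulus, generator and function names are constructed for the example.

```python
import secrets

# Constructed toy parameters: a Mersenne prime stands in for a real SSH group,
# whose modulus would be 1024 bits or more. g = 2 is likewise illustrative.
P = 2**127 - 1
G = 2


def check_peer_value(f, p, strict=False):
    """Return None if f is acceptable, otherwise a reason string.

    RFC 4253 section 8 requires rejecting values outside [1, p-1].
    strict=True additionally rejects 1 and p-1 (a hardening choice of this
    example, not something the RFC text demands).
    """
    lo, hi = (2, p - 2) if strict else (1, p - 1)
    if f < lo:
        return "peer value too small"
    if f > hi:
        return "peer value too large"
    return None


def shared_secret(f, x, p, validate=True, strict=False):
    """Compute K = f^x mod p, refusing out-of-range peer values if validate."""
    if validate:
        reason = check_peer_value(f, p, strict)
        if reason is not None:
            raise ValueError(reason)
    return pow(f, x, p)


def predictable_secrets(p, trials=20):
    """Map each degenerate peer value to the set of K values seen over
    `trials` random private exponents, with validation disabled."""
    seen = {}
    for f in (0, 1, p, p + 1):
        ks = set()
        for _ in range(trials):
            x = secrets.randbelow(p - 3) + 2  # private exponent in [2, p-2]
            ks.add(shared_secret(f, x, p, validate=False))
        seen[f] = ks
    return seen


if __name__ == "__main__":
    for f, ks in predictable_secrets(P).items():
        print(f"f={f}: K in {sorted(ks)}; RFC check: {check_peer_value(f, P)}")
```

Without the check, a peer value of 0 or p fixes K at 0 whatever private exponent the local side picked, so the session key no longer depends on any secret; the value 1 is inside the RFC range but is caught by the stricter [2, p-2] bound.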