PuTTY 0.71 is released

Simon Tatham anakin at pobox.com
Sat Mar 16 17:02:31 GMT 2019


PuTTY version 0.71 is released
------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    https://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
soon as possible.

This release fixes multiple security vulnerabilities. Most were found
by contributors to a HackerOne bug bounty programme funded by the EU.
Thanks to everybody who reported bugs, to HackerOne for organising it,
and to the EU for the funding!

Vulnerabilities fixed in this release include:

 - A malicious server could trigger a buffer overrun by abusing the
   RSA key exchange protocol. This would happen before host key
   verification, so even if you trust the server you *intended* to
   connect to, you would still be at risk.

 - A malicious server could trigger a buffer overflow in Unix PuTTY by
   opening a very large number of port forwardings.

 - A malicious program able to write to the server-side terminal could
   deny service to the rest of the SSH session, by making PuTTY's
   terminal emulation code fail an assertion in at least two different
   ways, or by making it consume large amounts of memory and CPU.

 - Windows builds of PuTTY were vulnerable to hijacking if an attacker
   could arrange to drop a malicious Windows help file (.chm) in the
   same directory. Running PuTTY directly out of your browser's
   download directory, for example, might make this possible.

Other security-related improvements:

 - The cryptography code has been substantially rewritten to eliminate
   cache and timing side channels.

 - PuTTY has a new system for making legitimate authentication prompts
   distinguishable from fakes sent by the server (e.g. to try to trick
   you into sending information like private key passphrases over the
   wire). This involves displaying 'trust sigils' (in the form of the
   PuTTY icon) on lines of the terminal window that contain data
   originated by PuTTY itself, and a precautionary prompt before
   starting the main login session when using Plink interactively.
   (That prompt can be turned off if it's an inconvenience.)

 - By default, PuTTY now sanitises control characters out of data
   pasted into the terminal data; output sent to standard error by the
   server in Plink, PSCP and PSFTP; and filenames transmitted from the
   server by PSCP and PSFTP.

Other improvements:

 - We now provide builds of PuTTY for Windows on Arm, as well as for
   x86-64 and x86 Windows.

 - The GTK version of PuTTY now runs on non-X11 displays like Wayland,
   and understands high-DPI configurations.

 - You can now type ahead in a PuTTY window as soon as it opens, and
   your keystrokes will no longer be discarded. Instead, PuTTY will
   buffer them until either the login prompts or the main server
   session can use them.

 - PuTTY implements hardware-accelerated versions of the AES, SHA-256,
   and SHA-1 cryptographic functions, on both x86 and Arm platforms.

 - SSH user authentication prompts and banner messages are now allowed
   to contain printable characters outside US-ASCII.

 - PuTTY now supports Kerberos authentication via GSSAPI key exchange
   as an alternative to the previous GSSAPI user authentication
   system. This allows a Kerberos ticket forwarded to the SSH server
   to be kept up to date during a long-running SSH session.

 - Richer colour support in the terminal emulator: it now supports
   true colour, dim text via the SGR 2 sequence, and a query sequence
   that lets a server find out how many colours the terminal provides.

 - The terminal now supports the REP escape sequence to print the same
   character many times, which up-to-date versions of ncurses expect.

 - The terminal has more flexible clipboard / selection handling. You
   can now configure PuTTY not to automatically copy text to the
   clipboard as soon as you select it (i.e. to behave more like a
   normal Windows program). In the GTK version, you can configure
   which of the system clipboards PuTTY uses, or even configure
   different copy/paste keys to access different clipboards.

 - Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you straight
   to the top or bottom of the terminal scrollback.

Enjoy using PuTTY!

Cheers,
Simon

-- 
import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1(
m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r
and m)(0xb80b5dacabab6145,0xf70027d345023,0x7643bc4018957897,0x11c2e5d9951130c9
,0xa54d9cbe4e8ab,0x746c50eaa1910,      "Simon Tatham <anakin at pobox.com>"     ))


