From anakin at pobox.com Mon Apr 15 20:18:34 2024
From: anakin at pobox.com (Simon Tatham)
Date: Mon, 15 Apr 2024 20:18:34 +0100
Subject: PuTTY 0.81 is released
Message-ID: <1713208675-sup-6254@thyestes.tartarus.org>

PuTTY version 0.81 is released
------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    https://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
soon as possible.

Additionally, if you have any 521-bit ECDSA private keys that you've
used with PuTTY, you should consider them to be compromised: generate
new keys, and remove the old public keys from any authorized_keys
files.

The only change between 0.80 and 0.81 is one security fix:

 - ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise
   known as ecdsa-sha2-nistp521) were generated with biased random
   numbers. This permits an attacker in possession of a few dozen
   signatures to RECOVER THE PRIVATE KEY.

   Any 521-bit ECDSA private key that PuTTY or Pageant has used to
   sign anything should be considered compromised.

   This vulnerability has the identifier CVE-2024-31497.

Enjoy using PuTTY!
-- 
import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1(
m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r
and s%q!=0 and m)(12342649995480866419, 2278082317364501, 1670428356600652640,
5398151833726432125, 645223105888478, 1916678356240619, ""))

From anakin at pobox.com Wed Nov 27 19:42:18 2024
From: anakin at pobox.com (Simon Tatham)
Date: Wed, 27 Nov 2024 19:42:18 +0000
Subject: PuTTY 0.82 is released
Message-ID: <1732736465-sup-7792@thyestes.tartarus.org>

PuTTY version 0.82 is released
------------------------------

All the pre-built binaries, and the source code, are now available
from the PuTTY website at

    https://www.chiark.greenend.org.uk/~sgtatham/putty/

The most important change in this version of PuTTY is improved Unicode
support in multiple places.

Unicode improvements include:

 - Usernames and passwords read from the terminal, or from a Windows
   console by the file transfer tools and Plink, are now read in
   Unicode, rather than the system code page or the character set
   configured in PuTTY. So if your password (for example) includes
   special characters not in the system code page, they can now be
   sent to the server anyway.

 - The command line of every PuTTY tool on Windows is parsed as
   Unicode, so that some data given on the command line can also
   contain characters not in the system code page. This affects
   usernames and file names in particular.

 - Filenames, usernames and remote commands also support characters
   outside the system code page when entered via PuTTY's GUI
   configuration. However, they will not survive a round trip through
   saving and reloading a session, because that requires a
   backwards-incompatible change to the configuration storage, which
   we haven't made yet.

 - All of PuTTY's Unicode-related character analysis (e.g. character
   widths in the terminal, bidirectional algorithm, etc) has been
   updated to be consistent with the latest version of the Unicode
   standard, Unicode 16.0.0.
 - The PuTTY terminal now understands the use of Unicode to represent
   national and regional flags. (However, correct display of those
   flags will depend on fonts and operating system.)

Other new features in this version of PuTTY include:

 - The PuTTY Event Log now includes information about the local socket
   endpoint of a network connection (that is, including the local port
   number), to make it easier to match up PuTTY instances and log
   files to any other network logs.

 - There's a checkbox in the Features panel to turn off bracketed
   paste mode in the terminal, in case that causes problems.

 - Unix Pageant has a new --foreground mode, to make it easier to run
   as a subprocess of something else automated.

Bug fixes include:

 - Some fixes to window size and placement. If you configure a border
   around the text in the PuTTY window then it will still appear when
   the window is maximised; also, PuTTY takes more care to ensure the
   whole window is visible on the screen when it starts up, instead of
   accidentally off one edge.

 - The updated RSA signature types in SSH are now sent with correct
   padding (which differs from correct padding in the old ssh-rsa).
   Most servers didn't care about the difference, but picky ones would
   have occasionally rejected an RSA signature from PuTTY.

 - A fix to terminal wrapping which could cause full-screen
   applications to redraw incorrectly if they were updating something
   in the very bottom right of the screen (notably 'ncmpc').

 - A fix to terminal keyboard handling which caused Alt + function
   keys to generate a spurious extra escape character if configured
   into "Xterm 216+" mode.

Enjoy using PuTTY!

-- 
import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1(
m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r
and s%q!=0 and m)(12342649995480866419, 2278082317364501, 1670428356600652640,
5398151833726432125, 645223105888478, 1916678356240619, ""))
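
Added example, not part of the original announcements and not PuTTY project code: one way to carry out the 0.81 remediation step of finding old 521-bit ECDSA public keys in authorized_keys content. The function names, the inclusion of the OpenSSH certificate key type, and the sample lines (constructed, with filler bytes in place of real keys) are assumptions of this example.

```python
import base64
import struct

# Key type named in the announcement, plus its OpenSSH certificate form
# (including the certificate form is an assumption of this example).
AFFECTED = {"ecdsa-sha2-nistp521", "ecdsa-sha2-nistp521-cert-v01@openssh.com"}

def blob_key_type(field):
    """Return the algorithm name stored inside an SSH public-key blob, else None."""
    try:
        raw = base64.b64decode(field, validate=True)
        (n,) = struct.unpack(">I", raw[:4])      # uint32 length prefix
        name = raw[4:4 + n]
        return name.decode("ascii") if len(name) == n else None
    except (ValueError, struct.error):           # not base64, or too short
        return None

def find_p521_keys(text):
    """Return [(line_number, comment)] for P-521 ECDSA keys in authorized_keys text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key, so test every
        # field and trust the type encoded in the blob, not the text label.
        for i, field in enumerate(fields):
            if blob_key_type(field) in AFFECTED:
                hits.append((lineno, " ".join(fields[i + 1:])))
                break
    return hits

def _sample_blob(key_type):
    """Constructed test data: valid framing, filler bytes instead of a real key."""
    frame = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(frame(key_type.encode()) + frame(b"\x00" * 32)).decode()

SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-ed25519 " + _sample_blob("ssh-ed25519") + " alice@laptop",
    "ecdsa-sha2-nistp521 " + _sample_blob("ecdsa-sha2-nistp521") + " bob@putty",
    'command="backup run",no-pty ecdsa-sha2-nistp521 '
    + _sample_blob("ecdsa-sha2-nistp521") + " backup key",
    "ecdsa-sha2-nistp256 " + _sample_blob("ecdsa-sha2-nistp256") + " carol@host",
])

if __name__ == "__main__":
    for lineno, comment in find_p521_keys(SAMPLE):
        print(f"line {lineno}: P-521 ECDSA key to replace and remove ({comment})")
```

The check identifies keys by type only; it cannot tell whether a given key was ever used with PuTTY or Pageant, so each hit still needs its owner to confirm and rotate.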