simon-git: putty-wishlist (main): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sat Jul 17 11:45:47 BST 2021
TL;DR:
6d4229f Wishlist entry for no-trivial-auth.
cb31fca Respond to CVE-2021-36367.
Repository: https://git.tartarus.org/simon/putty-wishlist.git
On the web: https://git.tartarus.org/?p=simon/putty-wishlist.git
Branch updated: main
Committer: Simon Tatham <anakin at pobox.com>
Date: 2021-07-17 11:45:47
commit 6d4229f3cd9e92c747a70c0a5a9eabf9121c3242
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=6d4229f3cd9e92c747a70c0a5a9eabf9121c3242;hp=8300942a7e1e908af62ee5bc4577bbf9e3084fb7
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Jul 11 11:27:13 2021 +0100
Wishlist entry for no-trivial-auth.
data/reject-trivial-auth | 56 ++++++++++++++++++++++++++++++++++++++++++
data/vuln-auth-prompt-spoofing | 14 +++++++++++
2 files changed, 70 insertions(+)
commit cb31fcaa8641d4d572873b3a48937409b33f0eaf
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=cb31fcaa8641d4d572873b3a48937409b33f0eaf;hp=6d4229f3cd9e92c747a70c0a5a9eabf9121c3242
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Jul 17 11:45:24 2021 +0100
Respond to CVE-2021-36367.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367
describes it as a vulnerability in all released versions of PuTTY that
our client permits trivial authentication, and cites our introduction
of the new 'reject trivial auth' config option as a fix for that
'vulnerability'.
With respect to them, we don't agree. Spoofing attacks involving early
termination of userauth are not a new concept: they were addressed in
0.71 via the trust sigil system. The new option is a convenience and a
second line of defence, but it's not a vital fix for something
previously unaddressed. Also, trivial authentication in the SSH
protocol is not _per se_ an attack or a violation of the spec: it's
perfectly allowed, and has legitimate use cases.
Still, if they're going to have a public page claiming this vuln, we
should have a public response. Accordingly, I've added a footnote to
reject-trivial-auth indicating that it's related to this CVE, and one
to vuln-auth-prompt-spoofing where _we_ believe we addressed this
class of attack.
data/reject-trivial-auth | 13 +++++++++++++
data/vuln-auth-prompt-spoofing | 8 ++++++++
2 files changed, 21 insertions(+)
More information about the tartarus-commits
mailing list