simon-git: putty-wishlist (main): Simon Tatham

Commits to Tartarus hosted VCS tartarus-commits at lists.tartarus.org
Sat Jul 17 11:45:47 BST 2021 

TL;DR:
  6d4229f Wishlist entry for no-trivial-auth.
  cb31fca Respond to CVE-2021-36367.

Repository:     https://git.tartarus.org/simon/putty-wishlist.git
On the web:     https://git.tartarus.org/?p=simon/putty-wishlist.git
Branch updated: main
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2021-07-17 11:45:47

commit 6d4229f3cd9e92c747a70c0a5a9eabf9121c3242
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=6d4229f3cd9e92c747a70c0a5a9eabf9121c3242;hp=8300942a7e1e908af62ee5bc4577bbf9e3084fb7
Author: Simon Tatham <anakin at pobox.com>
Date:   Sun Jul 11 11:27:13 2021 +0100

    Wishlist entry for no-trivial-auth.

 data/reject-trivial-auth       | 56 ++++++++++++++++++++++++++++++++++++++++++
 data/vuln-auth-prompt-spoofing | 14 +++++++++++
 2 files changed, 70 insertions(+)

commit cb31fcaa8641d4d572873b3a48937409b33f0eaf
web diff https://git.tartarus.org/?p=simon/putty-wishlist.git;a=commitdiff;h=cb31fcaa8641d4d572873b3a48937409b33f0eaf;hp=6d4229f3cd9e92c747a70c0a5a9eabf9121c3242
Author: Simon Tatham <anakin at pobox.com>
Date:   Sat Jul 17 11:45:24 2021 +0100

    Respond to CVE-2021-36367.
    
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367
    describes it as a vulnerability in all released versions of PuTTY that
    our client permits trivial authentication, and cites our introduction
    of the new 'reject trivial auth' config option as a fix for that
    'vulnerability'.
    
    With respect to them, we don't agree. Spoofing attacks involving early
    termination of userauth are not a new concept: they were addressed in
    0.71 via the trust sigil system. The new option is a convenience and a
    second line of defence, but it's not a vital fix for something
    previously unaddressed. Also, trivial authentication in the SSH
    protocol is not _per se_ an attack or a violation of the spec: it's
    perfectly allowed, and has legitimate use cases.
    
    Still, if they're going to have a public page claiming this vuln, we
    should have a public response. Accordingly, I've added a footnote to
    reject-trivial-auth indicating that it's related to this CVE, and one
    to vuln-auth-prompt-spoofing where _we_ believe we addressed this
    class of attack.

 data/reject-trivial-auth       | 13 +++++++++++++
 data/vuln-auth-prompt-spoofing |  8 ++++++++
 2 files changed, 21 insertions(+)

More information about the tartarus-commits mailing list