Another Serious Security Hole in PuTTY, Fixed 30
Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."
A silly explanation (Score:5, Funny)
When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.
The solution is to always keep your putty inside it's protective egg when in unknown territory.
Re:Amazing (Score:5, Funny)
Re:Amazing (Score:1, Funny)
Re:Amazing (Score:5, Funny)
Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know
Your patches look mostly sensible. I'll respond in detail by email.