Date:      Sun, 17 Mar 2019 14:16:03 +0000 (UTC)
From:      Matthias Andree <mandree@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r496062 - head/security/vuxml
Message-ID:  <201903171416.x2HEG3xN098847@repo.freebsd.org>

Author: mandree
Date: Sun Mar 17 14:16:03 2019
New Revision: 496062
URL: https://svnweb.freebsd.org/changeset/ports/496062

Log:
  Record PuTTY security vulnerabilities in versions before 0.71.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Mar 17 14:14:27 2019	(r496061)
+++ head/security/vuxml/vuln.xml	Sun Mar 17 14:16:03 2019	(r496062)
@@ -58,6 +58,48 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="46e1ece5-48bd-11e9-9c40-080027ac955c">
+    <topic>PuTTY -- security fixes in new release</topic>
+    <affects>
+      <package>
+	<name>putty</name>
+	<range><lt>0.71</lt></range>
+      </package>
+      <package>
+	<name>putty-gtk2</name>
+	<range><lt>0.71</lt></range>
+      </package>
+      <package>
+	<name>putty-nogtk</name>
+	<range><lt>0.71</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The PuTTY team reports:</p>
+	<blockquote cite="https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html">;
+	  <p>New in 0.71:</p>
+	  <ul>
+	    <li>Security fixes found by an EU-funded bug bounty programme:</li>
+	    <li>+ a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification</li>
+	    <li>+ potential recycling of random numbers used in cryptography</li>
+	    <li>+ on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding</li>
+	    <li>+ multiple denial-of-service attacks that can be triggered by writing to the terminal</li>
+	    <li>Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.</li>
+	    <li>User interface changes to protect against fake authentication prompts from a malicious server.</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html</url>;
+    </references>
+    <dates>
+      <discovery>2019-03-16</discovery>
+      <entry>2019-03-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="72a6e3be-483a-11e9-92d7-f1590402501e">
     <topic>Jupyter notebook -- cross-site inclusion (XSSI) vulnerability</topic>
     <affects>
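Review bot: The `<references>` element of this new PuTTY entry lists only the release changelog, while the per-issue wishlist pages for the very fixes the description quotes (RSA kex integer overflow, RNG reuse, fd_set overflow, the terminal DoS pages, side-channels, auth-prompt spoofing) are added in the next hunk under the unrelated Jupyter notebook entry; they belong here, since someone triaging the 0.71 update needs the per-vulnerability write-ups, not the changelog alone. Separately, the `+ `-prefixed `<li>` lines copy the plain-text changelog's indentation: the four bounty findings should be a nested `<ul>` inside the "Security fixes found by an EU-funded bug bounty programme" item rather than siblings of it, with the literal `+` characters dropped. If CVE identifiers are assigned to these issues, add them as `<cvename>` children of `<references>` so tooling keyed on CVE can match the entry. Rewritten `<references>` block:

```xml
    <references>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-auth-prompt-spoofing.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-fd-set-overflow.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rng-reuse.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars-double-width-gtk.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-one-column-cjk.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html</url>
      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/side-channels.html</url>
    </references>
    <!-- … unchanged: <dates> … -->
```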
@@ -88,6 +130,15 @@ Notes:
     </description>
     <references>
       <url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-auth-prompt-spoofing.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-fd-set-overflow.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rng-reuse.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars-double-width-gtk.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-one-column-cjk.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html</url>;
+      <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/side-channels.html</url>;
     </references>
     <dates>
       <discovery>2019-03-10</discovery>
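Review bot: The nine PuTTY wishlist `<url>` lines added here sit inside the `<references>` of the Jupyter notebook entry (vid 72a6e3be-483a-11e9-92d7-f1590402501e), whose `<vuln>` element opens before this hunk, so the Jupyter advisory now points readers at unrelated PuTTY pages while the PuTTY entry added above is left without its per-issue references. They should be removed from this entry and placed in the `<references>` of the 46e1ece5-48bd-11e9-9c40-080027ac955c entry, leaving only `<url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>` here. The trailing `;` after each `</url>` looks like an archive-rendering artifact rather than committed text, but it is worth confirming it is absent from vuln.xml, since stray character data inside `<references>` would likely fail the port's schema validation.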


