Date: Mon, 16 Aug 2004 16:23:19 -0700 From: Jay O'Brien <jayobrien@att.net> To: stheg olloydson <stheg_olloydson@yahoo.com> Cc: questions@freebsd.org Subject: Re: [OT] Security hole in PuTTY (Windows ssh client) Message-ID: <412141E7.60205@att.net> In-Reply-To: <20040816225232.20224.qmail@web61302.mail.yahoo.com> References: <20040816225232.20224.qmail@web61302.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
stheg olloydson wrote: > Hello, > > Sorry for the completely OT post, but I saw two mentions of PuTTY in > one day on the list and assume it must be a popular piece of Windows > software. The SANS Institute "@Risk" newsletter dated 8AUG04 contains > the following item regarding PuTTY: > > 04.31.4 CVE: Not Available > Platform: Third Party Windows Apps > Title: PuTTY Remote Buffer Overflow > Description: PuTTY is a free Telnet and SSH client. It has been > reported that PuTTY is subject to a pre-authentication buffer overflow > that can allow malicious servers to execute code on a client machine > as it attempts to negotiate connection. PuTTY 0.54 and previous > versions are vulnerable. > Ref: > http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10 > > Again, sorry for the OT post, but it seems (at least) very marginally > relevant to some. We now return you regularly scheduled program of > FBSD.... > > Regards, > > Stheg > > I think what you are saying is that if you use PuTTY as a client application that you should be concerned about what server you connect to? From what you are saying, I suspect that if the only use is to connect to your own (FreeBSD) server, you are probably ok? Jay O'Brien
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?412141E7.60205>