From owner-freebsd-questions@FreeBSD.ORG Mon Aug 16 23:23:22 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 035AA16A4CE for ; Mon, 16 Aug 2004 23:23:22 +0000 (GMT) Received: from mtiwmhc11.worldnet.att.net (mtiwmhc11.worldnet.att.net [204.127.131.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id B05C843D1F for ; Mon, 16 Aug 2004 23:23:21 +0000 (GMT) (envelope-from jayobrien@worldnet.att.net) Received: from [192.168.1.6] (dsl093-180-184.sac1.dsl.speakeasy.net[66.93.180.184]) by worldnet.att.net (mtiwmhc11) with ESMTP id <2004081623232011100bmslie> (Authid: jayobrien@att.net); Mon, 16 Aug 2004 23:23:20 +0000 Message-ID: <412141E7.60205@att.net> Date: Mon, 16 Aug 2004 16:23:19 -0700 From: Jay O'Brien User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803 X-Accept-Language: en-us, en MIME-Version: 1.0 To: stheg olloydson References: <20040816225232.20224.qmail@web61302.mail.yahoo.com> In-Reply-To: <20040816225232.20224.qmail@web61302.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: questions@freebsd.org Subject: Re: [OT] Security hole in PuTTY (Windows ssh client) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Aug 2004 23:23:22 -0000 stheg olloydson wrote: > Hello, > > Sorry for the completely OT post, but I saw two mentions of PuTTY in > one day on the list and assume it must be a popular piece of Windows > software. The SANS Institute "@Risk" newsletter dated 8AUG04 contains > the following item regarding PuTTY: > > 04.31.4 CVE: Not Available > Platform: Third Party Windows Apps > Title: PuTTY Remote Buffer Overflow > Description: PuTTY is a free Telnet and SSH client. It has been > reported that PuTTY is subject to a pre-authentication buffer overflow > that can allow malicious servers to execute code on a client machine > as it attempts to negotiate connection. PuTTY 0.54 and previous > versions are vulnerable. > Ref: > http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10 > > Again, sorry for the OT post, but it seems (at least) very marginally > relevant to some. We now return you regularly scheduled program of > FBSD.... > > Regards, > > Stheg > > I think what you are saying is that if you use PuTTY as a client application that you should be concerned about what server you connect to? From what you are saying, I suspect that if the only use is to connect to your own (FreeBSD) server, you are probably ok? Jay O'Brien