From owner-freebsd-questions@FreeBSD.ORG  Mon Aug 16 23:23:22 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 035AA16A4CE
	for <questions@freebsd.org>; Mon, 16 Aug 2004 23:23:22 +0000 (GMT)
Received: from mtiwmhc11.worldnet.att.net (mtiwmhc11.worldnet.att.net
	[204.127.131.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B05C843D1F
	for <questions@freebsd.org>; Mon, 16 Aug 2004 23:23:21 +0000 (GMT)
	(envelope-from jayobrien@worldnet.att.net)
Received: from [192.168.1.6]
	(dsl093-180-184.sac1.dsl.speakeasy.net[66.93.180.184])
	by worldnet.att.net (mtiwmhc11) with ESMTP
	id <2004081623232011100bmslie>          (Authid: jayobrien@att.net);
	Mon, 16 Aug 2004 23:23:20 +0000
Message-ID: <412141E7.60205@att.net>
Date: Mon, 16 Aug 2004 16:23:19 -0700
From: Jay O'Brien <jayobrien@att.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.7.2) Gecko/20040803
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: stheg olloydson <stheg_olloydson@yahoo.com>
References: <20040816225232.20224.qmail@web61302.mail.yahoo.com>
In-Reply-To: <20040816225232.20224.qmail@web61302.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: questions@freebsd.org
Subject: Re: [OT] Security hole in PuTTY  (Windows ssh client)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2004 23:23:22 -0000

stheg olloydson wrote:
> Hello,
> 
> Sorry for the completely OT post, but I saw two mentions of PuTTY in
> one day on the list and assume it must be a popular piece of Windows
> software. The SANS Institute "@Risk" newsletter dated 8AUG04 contains
> the following item regarding PuTTY:
> 
> 04.31.4 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: PuTTY Remote Buffer Overflow
> Description: PuTTY is a free Telnet and SSH client. It has been
> reported that PuTTY is subject to a pre-authentication buffer overflow
> that can allow malicious servers to execute code on a client machine
> as it attempts to negotiate connection. PuTTY 0.54 and previous
> versions are vulnerable.
> Ref:
> http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10 
> 
> Again, sorry for the OT post, but it seems (at least) very marginally
> relevant to some. We now return you regularly scheduled program of
> FBSD....
> 
> Regards,
> 
> Stheg
> 
> 
I think what you are saying is that if you use PuTTY as a client 
application that you should be concerned about what server you 
connect to?  From what you are saying, I suspect that if the only 
use is to connect to your own (FreeBSD) server, you are probably ok?

Jay O'Brien