Updated putty and filezilla packages fix CVE-2015-2157
Publication date: 06 Mar 2015
Modification date: 06 Mar 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2157
Description
Updated putty and filezilla packages fix a security vulnerability:

PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted form, and is present in PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen (CVE-2015-2157).

The putty package has been updated to version 0.64, fixing this and other issues.

The filezilla package, which contains a bundled version of PuTTY, has also been updated, to version 3.10.2.
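The class of flaw described above (key material left in memory after a key file has been loaded) is illustrated by the following added example, which is not PuTTY's code and not part of the original advisory. The names load_key, secure_wipe and scratch, the hex key format and the sample key are all hypothetical; the loader is run once without and once with the wipe, and the working buffer is then checked for leftover bytes.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the heap buffer that holds key-file text during parsing. */
static unsigned char scratch[128];

/* Writes through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a hex key (constructed toy format) into out[outlen]; 0 on success,
   -1 on malformed input. wipe=0 models the flaw: the working copy stays. */
int load_key(const char *text, unsigned char *out, size_t outlen, int wipe) {
    size_t len = strlen(text), i;
    int rc = -1;
    if (len != outlen * 2 || len >= sizeof scratch) return -1;
    memcpy(scratch, text, len + 1);
    for (i = 0; i < outlen; i++) {
        int hi = hexval(scratch[2 * i]), lo = hexval(scratch[2 * i + 1]);
        if (hi < 0 || lo < 0) goto done;    /* error path must wipe too */
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    rc = 0;
done:
    if (rc != 0) secure_wipe(out, outlen);  /* no partial key for the caller */
    if (wipe) secure_wipe(scratch, sizeof scratch);
    return rc;
}

int scratch_has_residue(void) {   /* 1 if any non-zero byte remains */
    for (size_t i = 0; i < sizeof scratch; i++) if (scratch[i]) return 1;
    return 0;
}

int main(void) {
    unsigned char key[4];
    load_key("deadbeef", key, sizeof key, 0);   /* constructed sample key */
    printf("no wipe: residue=%d\n", scratch_has_residue());
    load_key("deadbeef", key, sizeof key, 1);
    printf("wiped:   residue=%d\n", scratch_has_residue());
    return 0;
}
```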
References
- https://bugs.mageia.org/show_bug.cgi?id=15394
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
- http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- http://openwall.com/lists/oss-security/2015/02/28/4
- https://filezilla-project.org/newsfeed.php
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2157
SRPMS
4/core
- putty-0.64-1.mga4
- filezilla-3.10.2-1.mga4