Advisories » MGASA-2016-0112

Updated putty packages fix CVE-2016-2563

Publication date: 16 Mar 2016
Modification date: 16 Mar 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-2563

Description

Updated putty package fixes security vulnerability:

Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e. downloading
from server to client) of the old-style SCP protocol. In order for this
vulnerability to be exploited, the user must connect to a malicious server
and attempt to download any file (CVE-2016-2563).

The putty package has been updated to version 0.67 to fix this issue and a
few other bugs.  The halibut package has been updated to version 1.1 to build
the documentation.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=17942
• http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
• http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563

SRPMS

5/core

• halibut-1.1-2.mga5
• putty-0.67-1.mga5