[v3.0] putty: possible private key leak (CVE-2015-2157)
PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted form, and is present in PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen.
Fixed in 0.64.
References:
http://seclists.org/oss-sec/2015/q1/707
CONFIRM:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
CONFIRM:
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
http://lists.tartarus.org/pipermail/putty-announce/2015/000019.html
(from redmine: issue id 3960, created on 2015-03-04, closed on 2015-03-16)
- Relations:
- parent #3957 (closed)
- Changesets:
- Revision 9885c3b5 by Natanael Copa on 2015-03-11T10:48:44Z:
main/putty: security upgrade to 0.64 (CVE-2015-2157)
fixes #3960