[ASA-202107-37] putty: content spoofing
Jonas Witschel
diabonas at archlinux.org
Tue Jul 20 19:30:10 UTC 2021
Arch Linux Security Advisory ASA-202107-37
==========================================
Severity: Low
Date : 2021-07-20
CVE-ID : CVE-2021-36367
Package : putty
Type : content spoofing
Remote : Yes
Link : https://security.archlinux.org/AVG-2143
Summary
=======
The package putty before version 0.76-1 is vulnerable to content
spoofing.
Resolution
==========
Upgrade to 0.76-1.
# pacman -Syu "putty>=0.76-1"
The problem has been fixed upstream in version 0.76.
Workaround
==========
None.
Description
===========
PuTTY before version 0.76 proceeds with establishing an SSH session
even if it has never sent a substantive authentication response. This
makes it easier for an attacker-controlled SSH server to present a
later spoofed authentication prompt (that the attacker can use to
capture credential data, and use that data for purposes that are
undesired by the client user).
Impact
======
A remote SSH server could present a spoofed authentication prompt.
References
==========
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa
https://security.archlinux.org/CVE-2021-36367
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210720/38d80dac/attachment-0001.sig>
More information about the arch-security
mailing list