Date: Tue, 06 Aug 2013 17:45:13 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: three additional flaws fixed in putty 0.63

On 08/06/2013 01:56 PM, Vincent Danen wrote:
> There seem to be some CVEs needed for putty 0.63 due to some other
> fixes that were fixed alongside CVE-2013-4852:
> 
> 
> * a heap-corrupting buffer underrun bug in the modmul function
> which performs modular multiplication: 
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977

Please use CVE-2013-4206 for this issue.

> * A buffer overflow vulnerability in the calculation of modular
> inverses when verifying a DSA signature: 
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996

Please use CVE-2013-4207 for this issue.

> * Private keys left in memory after being used by PuTTY tools: 
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
> http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988

Please use CVE-2013-4208 for this issue.

> 
> I can't see any CVE references so I suspect there are none.
> 

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993