putty: CVE-2021-36367

Debian Bug report logs - #990901
putty: CVE-2021-36367

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: putty: CVE-2021-36367

Date: Sat, 10 Jul 2021 23:25:04 +0200

Source: putty
Version: 0.75-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for putty.

CVE-2021-36367[0]:
| PuTTY through 0.75 proceeds with establishing an SSH session even if
| it has never sent a substantive authentication response. This makes it
| easier for an attacker-controlled SSH server to present a later
| spoofed authentication prompt (that the attacker can use to capture
| credential data, and use that data for purposes that are undesired by
| the client user).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36367
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367
[1] https://git.tartarus.org/?p=simon/putty.git;a=commit;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 990901@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 990901@bugs.debian.org

Subject: Re: Bug#990901: putty: CVE-2021-36367

Date: Sun, 11 Jul 2021 00:09:45 +0100

Control: found -1 0.63-10+deb8u1

On Sat, Jul 10, 2021 at 11:25:04PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for putty.
> 
> CVE-2021-36367[0]:
> | PuTTY through 0.75 proceeds with establishing an SSH session even if
> | it has never sent a substantive authentication response. This makes it
> | easier for an attacker-controlled SSH server to present a later
> | spoofed authentication prompt (that the attacker can use to capture
> | credential data, and use that data for purposes that are undesired by
> | the client user).

Thanks for letting me know.  I can do an unstable upload shortly, though
am a bit too short of time to deal with stable at the moment.

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-36367
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36367
> [1] https://git.tartarus.org/?p=simon/putty.git;a=commit;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa

Probably also
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=413398af85b27cd83134f5618bd82f81758f9603
for some more documentation of the new option.

> Please adjust the affected versions in the BTS as needed.

I think this has been around essentially forever, so I marked the
version in oldoldstable as affected, although that doesn't necessarily
mean I expect anyone to bother with fixing it there.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Message #17 received at 990901-submitter@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 990901-submitter@bugs.debian.org

Subject: Bug#990901 marked as pending in putty

Date: Sat, 10 Jul 2021 23:35:05 +0000

Control: tag -1 pending

Hello,

Bug #990901 in putty reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ssh-team/putty/-/commit/038d22ebea69fad4bf26e32a7c5e82845ba9b29d

------------------------------------------------------------------------
New option to reject 'trivial' success of userauth

Fixes: CVE-2021-36367
Closes: #990901
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/990901

Message #24 received at 990901-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 990901-close@bugs.debian.org

Subject: Bug#990901: fixed in putty 0.75-3

Date: Sat, 10 Jul 2021 23:48:31 +0000

Source: putty
Source-Version: 0.75-3
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
putty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated putty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Jul 2021 00:35:09 +0100
Source: putty
Architecture: source
Version: 0.75-3
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 990901
Changes:
 putty (0.75-3) unstable; urgency=medium
 .
   * Cherry-pick from upstream:
     - CVE-2021-36367: New option to reject 'trivial' success of userauth
       (closes: #990901).
Checksums-Sha1:
 f1638199ce9866b49ab56cd60c5e1fd8567fbcda 2422 putty_0.75-3.dsc
 6f2f8370788cabed499e367d9f3fa7583e4702b4 22884 putty_0.75-3.debian.tar.xz
Checksums-Sha256:
 411b84e7d6c909f0f44f7a0bf33e91f3aa0b1f171d752175f0d3e7620237b058 2422 putty_0.75-3.dsc
 cc45763bdfe661c76659b481cc44a6074449bb3af295ea2ed44161c09d837a60 22884 putty_0.75-3.debian.tar.xz
Files:
 2fadebbf218a2e269427cc52ef46d4f6 2422 net optional putty_0.75-3.dsc
 0964c6854a188b7117fc87ae40d762b3 22884 net optional putty_0.75-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmDqLs0ACgkQOTWH2X2G
UAvX2g/9EpQpWCNWaf26NmMqDZSR9BkodQIhwkBeviuIr4NSo/Br6nxhm6eo1rXj
4H1VKc4k8GV74H6bbyrRVXwNzN6/SehTqpGJblZEjd7xnwFHTrD/RGHRkNC2dJJV
+UFmHQLxPqEL7Nuwdy0lB7cu/BsU5j8vte5hQGPTU8xKjd8R2iKP1DpKMcXlBXtx
nceVGWv2xy1sMHDQdjU5CZxeC2Ixqbb4MW3dtHuHk0MS1IYYW/Jnvd67KOjlK4wm
5C9YIgTZIaQx14MS8XojT8IOdN8KFN0LhfpONLeYOPtOqcPrXORpSJOnvgeSZRf8
A4lvaXzrDZzqNey47fuKpGWDHU82DjAC74oJU76QmZqo2p+5cCGXuJW+xi3oDsGX
LPCquo9Q+30hl6dcjRijeIKmbE1DiAteLccqMOh8NfSfewIINxbwI285BCSZspx7
cp23SfUAYta3rsSyo0g+BuZsq4SVQJd9jDbmviseWLOgc4dqWBzw5T4Loc2JcgOB
b88yN9JK83O+NYid64dVDY+cwEUYTcjaZT3JxrI10Q2Tf94L1I4QioovJ0SuUi0k
8uUwTV2yD8rRKNoSoXvEDqBqMt9Ad16cRVwcsBPzWABgf222CMZJ97heryC7kXCh
XDiHKroMErVAq7Tqj2oNpc+r5vsiMPoN3ytT/sb2CeeP1TYuJv8=
=u0id
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.