Message ID | 20240516163144.640424-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [1/1] package/putty: security bump to version 0.81 | expand |
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > The only change between 0.80 and 0.81 is one security fix: > - ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise > known as ecdsa-sha2-nistp521) were generated with biased random > numbers. This permits an attacker in possession of a few dozen > signatures to RECOVER THE PRIVATE KEY. > Any 521-bit ECDSA private key that PuTTY or Pageant has used to > sign anything should be considered compromised. > This vulnerability has the identifier CVE-2024-31497. > Update hash of LICENCE file (update in year with > https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2f28ac0386eebbd45ea605818d31d62d219f589) > https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed, thanks.
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > The only change between 0.80 and 0.81 is one security fix: > - ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise > known as ecdsa-sha2-nistp521) were generated with biased random > numbers. This permits an attacker in possession of a few dozen > signatures to RECOVER THE PRIVATE KEY. > Any 521-bit ECDSA private key that PuTTY or Pageant has used to > sign anything should be considered compromised. > This vulnerability has the identifier CVE-2024-31497. > Update hash of LICENCE file (update in year with > https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2f28ac0386eebbd45ea605818d31d62d219f589) > https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2024.02.x, thanks.
diff --git a/package/putty/putty.hash b/package/putty/putty.hash index 84569a31e5..30b749c47b 100644 --- a/package/putty/putty.hash +++ b/package/putty/putty.hash @@ -1,7 +1,7 @@ # Hashes from: http://the.earth.li/~sgtatham/putty/0.80/{sha1,sha256,sha512}sums -sha1 9c4a96f63ee3e927472191c935cc89228693c03a putty-0.80.tar.gz -sha256 2013c83a721b1753529e9090f7c3830e8fe4c80a070ccce764539badb3f67081 putty-0.80.tar.gz -sha512 c8a6b6fa54ecd8bcf4ec274fef51343dd9996e6458b250b5555c4dc88ded25e87f97277da482c29858510e65635112d541f559ab683635bd950572d850129f90 putty-0.80.tar.gz +sha1 8c88d871855d3730a0473bb1cb1006654e73b680 putty-0.81.tar.gz +sha256 cb8b00a94f453494e345a3df281d7a3ed26bb0dd7e36264f145206f8857639fe putty-0.81.tar.gz +sha512 d86f2fd0e126b18275d58cf64334b3b27c450899a1c2be2502de9faa2ef58f7fc8efc5d45f25c8395623f1e21917aa02407343bb2fee44c4c00b9f81267d5ecd putty-0.81.tar.gz # Locally calculated -sha256 7ede37f344ee03436c155a375ecb6cdb42a77105baa6e7804bf43260dc4a0c54 LICENCE +sha256 e0410341c5e45f7479c28d79298edbf615589cdfc115b2d69683d4ccd0425ce0 LICENCE diff --git a/package/putty/putty.mk b/package/putty/putty.mk index bff6e78074..617518e647 100644 --- a/package/putty/putty.mk +++ b/package/putty/putty.mk @@ -4,7 +4,7 @@ # ################################################################################ -PUTTY_VERSION = 0.80 +PUTTY_VERSION = 0.81 PUTTY_SITE = http://the.earth.li/~sgtatham/putty/$(PUTTY_VERSION) PUTTY_LICENSE = MIT PUTTY_LICENSE_FILES = LICENCE
The only change between 0.80 and 0.81 is one security fix: - ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise known as ecdsa-sha2-nistp521) were generated with biased random numbers. This permits an attacker in possession of a few dozen signatures to RECOVER THE PRIVATE KEY. Any 521-bit ECDSA private key that PuTTY or Pageant has used to sign anything should be considered compromised. This vulnerability has the identifier CVE-2024-31497. Update hash of LICENCE file (update in year with https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2f28ac0386eebbd45ea605818d31d62d219f589) https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/putty/putty.hash | 8 ++++---- package/putty/putty.mk | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-)