oss-sec mailing list archives
CVE Request: PuTTY fails to clear private key information from memory
From: Patrick Coleman <blinken () gmail com>
Date: Sat, 28 Feb 2015 12:38:01 +0000
Hi, PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted form, and is present in PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen. The maintainers have provided details at [1], and have promptly patched the vulnerability in version 0.64 [2]. Can a CVE please be assigned for this issue? -Patrick 1. http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html 2. http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
Current thread:
- CVE Request: PuTTY fails to clear private key information from memory Patrick Coleman (Feb 28)
- Re: CVE Request: PuTTY fails to clear private key information from memory cve-assign (Feb 28)
- Re: CVE Request: PuTTY fails to clear private key information from memory Zubin Mithra (Feb 28)