
PuTTY 0.71 released, fixing security vulnerabilities - banana_giraffe
http://www.chiark.greenend.org.uk/~sgtatham/putty/
======
madars
The linked page doesn't list details on the security vulnerabilities but the
mailing list announcement does: [https://lists.tartarus.org/pipermail/putty-
announce/2019/000...](https://lists.tartarus.org/pipermail/putty-
announce/2019/000027.html)

Most major seems to be this: A malicious server could trigger a buffer overrun
by abusing the RSA key exchange protocol. This would happen before host key
verification, so even if you trust the server you _intended_ to connect to,
you would still be at risk.

------
brynet
I'd be curious to know if they ironed out this "small wrinkle" in the 0.71 WoA
(Windows 10 on ARM) binaries they just released.

[https://community.arm.com/developer/tools-
software/tools/b/t...](https://community.arm.com/developer/tools-
software/tools/b/tools-software-ides-blog/posts/porting-putty-to-windows-on-
arm)

Disabling the stack protector is a pretty big "wrinkle" in my opinion.

    
    
        PuTTY 0.71: WoA
    
        $ strings putty.exe | grep Compiler:
    
        %sCompiler: clang %s

------
muterad_murilax
Which one would you recommend nowadays, PuTTY or (the fork) KiTTY?

~~~
PebblesHD
If you have a recent version of Windows, the copy of OpenSSH you get with Bash
for Windows would be ideal, as you then use the same tools everyone else does
eliminating the Putty specific setup and terminal emulation bugs Windows devs
generally need to go through. If you really need to use it, stick with Putty,
as even then you benefit from other people having the same setup steps and
experience, and as such common issues are more likely to be resolved.

Side thought: why doesn’t Putty follow a more normal setup and configuration
process, i.e. why does it have its own private key format and tooling around
that instead of using standards?

~~~
mjw1007
I've always assumed that PuTTY used its own private key format because the
OpenSSH one was terrible until about 2013.

See eg [https://latacora.singles/2018/08/03/the-default-
openssh.html](https://latacora.singles/2018/08/03/the-default-openssh.html)
(which is from 2018, but I think the weakness has been well known for a long
time).

~~~
JdeBP
See
[https://news.ycombinator.com/item?id=18915747](https://news.ycombinator.com/item?id=18915747)
.

