Bug 1690382 (CVE-2019-9894, CVE-2019-9895, CVE-2019-9897, CVE-2019-9898)
Summary: | CVE-2019-9894 CVE-2019-9895 CVE-2019-9898 CVE-2019-9897 putty: multiple vulnerabilities | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED UPSTREAM | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | fedora, jima, jskarvad, olysonek, tremble |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | putty 0.71 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-10 10:51:08 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1690385, 1690386 | | |
Bug Blocks: | | | |
Description
Dhananjay Arunesh
2019-03-19 11:30:04 UTC
External References: https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.71.html

Created putty tracking bugs for this issue:

Affects: fedora-all [bug 1690385]
Affects: epel-all [bug 1690386]

Updated flaw with CVEs:

CVE-2019-9894: A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification.
CVE-2019-9895: In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding.
CVE-2019-9898: Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.
CVE-2019-9897: Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71.

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
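The practical question this entry leaves a defender with is which PuTTY clients on the network still predate 0.71, since the report says every one of the four CVEs is fixed there and affects every earlier release. The following is an added example, not code from the Bugzilla record or from the PuTTY project: it classifies SSH client identification strings (or sshd debug-log lines that echo them) as vulnerable, fixed or unknown, and lists the CVEs from this bug for the vulnerable ones. It assumes that PuTTY release builds announce themselves as `PuTTY_Release_<major>.<minor>` (for example `SSH-2.0-PuTTY_Release_0.70`) and that an OpenSSH server at debug log level repeats that string in a "client software version ..." line; snapshot and development builds carry a different tag and are deliberately reported as unknown rather than guessed at. The sample lines are constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# From the bug report: everything before PuTTY 0.71 is affected, 0.71 fixes all four.
FIXED_VERSION: Tuple[int, int] = (0, 71)

CVES: Dict[str, str] = {
    "CVE-2019-9894": "memory overwrite in RSA key exchange, before host key verification",
    "CVE-2019-9895": "buffer overflow in server-to-client forwarding (Unix builds)",
    "CVE-2019-9897": "denial of service triggered by writes to the terminal",
    "CVE-2019-9898": "potential recycling of random numbers",
}

# Assumption: PuTTY release builds identify as "PuTTY_Release_<major>.<minor>"
# in the SSH identification string, and sshd's debug log repeats that string.
# Snapshot/development builds use a different tag and match nothing here, so
# they come back as "unknown" instead of being silently treated as fixed.
PUTTY_RELEASE_RE = re.compile(r"PuTTY_Release_(\d+)\.(\d+)")


def parse_putty_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for a PuTTY release banner or log line, else None."""
    m = PUTTY_RELEASE_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def affected_cves(text: str) -> Optional[List[str]]:
    """CVE ids the client is exposed to: [] if fixed, None if the version is unknown."""
    version = parse_putty_version(text)
    if version is None:
        return None
    # Tuple comparison orders (0, 70) < (0, 71) as intended.
    return sorted(CVES) if version < FIXED_VERSION else []


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Label each input line 'vulnerable', 'fixed' or 'unknown'."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        cves = affected_cves(line)
        if cves is None:
            verdict = "unknown"
        elif cves:
            verdict = "vulnerable"
        else:
            verdict = "fixed"
        results.append((line, verdict))
    return results


# Constructed sample input (not a real capture): raw identification strings as
# seen on the wire, plus sshd debug-log lines in the format assumed above.
SAMPLE_LINES = [
    "SSH-2.0-PuTTY_Release_0.70",
    "SSH-2.0-PuTTY_Release_0.71",
    "SSH-2.0-PuTTY_Release_0.62",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-PuTTY_Snapshot_2019_03_15.abcdef",
    "debug1: Client protocol version 2.0; client software version PuTTY_Release_0.73",
]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LINES):
        print(f"{verdict:10s} {line}")
        if verdict == "vulnerable":
            for cve in affected_cves(line) or []:
                print(f"           {cve}: {CVES[cve]}")
```

The "unknown" verdict is the important design choice: a client that is not a PuTTY release build (OpenSSH, a snapshot build, a banner the regex does not recognise) must not be reported as safe just because it failed to match, so the function returns None and the caller decides what to do with it.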