putty-0.67-1.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10374 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z putty-0.67-1.5 on GA media These are all security issues fixed in the putty-0.67-1.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10374 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10374 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-4852/ SUSE CVE CVE-2013-4852 page https://www.suse.com/security/cve/CVE-2015-2157/ SUSE CVE CVE-2015-2157 page https://www.suse.com/security/cve/CVE-2015-5309/ SUSE CVE CVE-2015-5309 page openSUSE Tumbleweed putty-0.67-1.5 putty-0.67-1.5 as a component of openSUSE Tumbleweed Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other products that use PuTTY allows remote SSH servers to cause a denial of service (crash) and possibly execute arbitrary code in certain applications that use PuTTY via a negative size value in an RSA key signature during the SSH handshake, which triggers a heap-based buffer overflow. CVE-2013-4852 openSUSE Tumbleweed:putty-0.67-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4852.html CVE-2013-4852 https://bugzilla.suse.com/833567 SUSE Bug 833567 https://bugzilla.suse.com/834202 SUSE Bug 834202 The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory. CVE-2015-2157 openSUSE Tumbleweed:putty-0.67-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-2157.html CVE-2015-2157 https://bugzilla.suse.com/920167 SUSE Bug 920167 Integer overflow in the terminal emulator in PuTTY before 0.66 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via an ECH (erase characters) escape sequence with a large parameter value, which triggers a buffer underflow. CVE-2015-5309 openSUSE Tumbleweed:putty-0.67-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5309.html CVE-2015-5309 https://bugzilla.suse.com/954191 SUSE Bug 954191