PuTTY vulnerability vuln-passwd-memdump
summary: Failure to scrub SSH-2 password from memory after use
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.53b
fixed-in: 2003-01-10 (0.54) (0.55) (0.56) (0.57) (0.58) (0.59) (0.60) (0.61) (0.62) (0.63) (0.64)
As reported in iDEFENSE Security Advisory 01.28.03,
PuTTY 0.53b fails to scrub the password from a memory buffer after
authentication, making it trivially easy for an attacker with access
to a memory dump to recover the password. (This only applies when
using SSH-2.)
This is fixed in the nightly development snapshots as of 2003-01-10,
and will be fixed in the next stable release.
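The defect and its fix in miniature, as an added example that is not PuTTY's own code: `struct session`, `authenticate`, `send_password`, `scrub` and `image_contains` are hypothetical names, and the password is a constructed sample. With `wipe` set to 0 the password stays in the buffer after authentication; with it set, the buffer is zeroed through a volatile pointer, and `image_contains` is the regression check run over the memory image.

```c
#include <stddef.h>
#include <string.h>
#define PW_MAX 64

/* Hypothetical session state; the password buffer outlives the login. */
struct session {
    char password[PW_MAX];
    int authed;
};

/* Zero n bytes through a volatile pointer so the optimiser cannot
 * discard the stores as dead writes to a buffer that is never read. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical stand-in for sending the SSH-2 password auth request. */
static int send_password(const char *pw) { return pw[0] != '\0'; }

/* wipe == 0: the password is left in memory after use (the defect).
 * wipe != 0: the whole buffer is cleared once the password is sent. */
static void authenticate(struct session *s, const char *typed, int wipe)
{
    strncpy(s->password, typed, PW_MAX - 1);
    s->password[PW_MAX - 1] = '\0';
    s->authed = send_password(s->password);
    if (wipe)
        scrub(s->password, sizeof s->password);
}

/* Regression check over a memory image: is the secret still present? */
static int image_contains(const void *img, size_t len, const char *secret)
{
    const unsigned char *p = img;
    size_t n = strlen(secret);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(p + i, secret, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct session s = {0};
    authenticate(&s, "constructed-sample-pw", 1); /* constructed input */
    return image_contains(&s, sizeof s, "constructed-sample-pw");
}
```

A plain `memset` immediately before a buffer goes out of use can be removed by the compiler as a dead store, which is why the wipe goes through a volatile pointer here.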
This vulnerability corresponds to CVE-2003-0048.
(last revision of this bug record was at 2008-11-22 13:03:10 +0000)