Re: [Buildroot] [PATCH] package/putty: security bump to version 0.80

From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Alexander Dahl <post@lespocky.de>
Subject: Re: [Buildroot] [PATCH] package/putty: security bump to version 0.80
Date: Sun, 07 Jan 2024 23:41:03 +0100	[thread overview]
Message-ID: <87y1d0ydfk.fsf@48ers.dk> (raw)
In-Reply-To: <20231221140039.246333-1-peter@korsgaard.com> (Peter Korsgaard's message of "Thu, 21 Dec 2023 15:00:39 +0100")

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > As described in the announcement, this fixes a security issue:
 > There is one security fix in this release:

 >  - Fix for a newly discovered security issue known as the 'Terrapin'
 >    attack, also numbered CVE-2023-48795. The issue affects widely-used
 >    OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
 >    cipher system, and 'encrypt-then-MAC' mode.

 >    In order to benefit from the fix, you must be using a fixed version
 >    of PuTTY _and_ a server with the fix, so that they can agree to
 >    adopt a modified version of the protocol. Alternatively, you may be
 >    able to reconfigure PuTTY to avoid selecting any of the affected
 >    modes.

 >    If PuTTY 0.80 connects to an SSH server without the fix, it will
 >    warn you if the initial protocol negotiation chooses an insecure
 >    mode to run the connection in, so that you can abandon the
 >    connection. If it's possible to alter PuTTY's configuration to
 >    avoid the problem, then the warning message will tell you how to do
 >    it.

 > https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot