Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] package/putty: security bump to version 0.80
@ 2023-12-21 14:00 Peter Korsgaard
  2023-12-23 14:14 ` Thomas Petazzoni via buildroot
  2024-01-07 22:41 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-12-21 14:00 UTC
  To: buildroot; +Cc: Alexander Dahl

As described in the announcement, this fixes a security issue:

There is one security fix in this release:

 - Fix for a newly discovered security issue known as the 'Terrapin'
   attack, also numbered CVE-2023-48795. The issue affects widely-used
   OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
   cipher system, and 'encrypt-then-MAC' mode.

   In order to benefit from the fix, you must be using a fixed version
   of PuTTY _and_ a server with the fix, so that they can agree to
   adopt a modified version of the protocol. Alternatively, you may be
   able to reconfigure PuTTY to avoid selecting any of the affected
   modes.

   If PuTTY 0.80 connects to an SSH server without the fix, it will
   warn you if the initial protocol negotiation chooses an insecure
   mode to run the connection in, so that you can abandon the
   connection. If it's possible to alter PuTTY's configuration to
   avoid the problem, then the warning message will tell you how to do
   it.

https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/putty/putty.hash | 8 ++++----
 package/putty/putty.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/putty/putty.hash b/package/putty/putty.hash
index 0ae2a86be8..84569a31e5 100644
--- a/package/putty/putty.hash
+++ b/package/putty/putty.hash
@@ -1,7 +1,7 @@
-# Hashes from: http://the.earth.li/~sgtatham/putty/0.79/{sha1,sha256,sha512}sums
-sha1  c40c3ce9fd334c40e64c6b33ee7e1096dad52701  putty-0.79.tar.gz
-sha256  428cc8666fbb938ebf4ac9276341980dcd70de395b33164496cf7995ef0ef0d8  putty-0.79.tar.gz
-sha512  4f10f870b229c89e928921d3b350955ce1c1170a062e7943d9cc8dbd83389d82a9b844623541605f0db5a429d545c2d188bf8e384c6515466fae69b216120983  putty-0.79.tar.gz
+# Hashes from: http://the.earth.li/~sgtatham/putty/0.80/{sha1,sha256,sha512}sums
+sha1  9c4a96f63ee3e927472191c935cc89228693c03a  putty-0.80.tar.gz
+sha256  2013c83a721b1753529e9090f7c3830e8fe4c80a070ccce764539badb3f67081  putty-0.80.tar.gz
+sha512  c8a6b6fa54ecd8bcf4ec274fef51343dd9996e6458b250b5555c4dc88ded25e87f97277da482c29858510e65635112d541f559ab683635bd950572d850129f90  putty-0.80.tar.gz
 
 # Locally calculated
 sha256  7ede37f344ee03436c155a375ecb6cdb42a77105baa6e7804bf43260dc4a0c54  LICENCE
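Review bot: The "# Hashes from:" comment on the first added line points at an http:// URL on the same host that PUTTY_SITE downloads the tarball from, so the three new hashes give no independent check of the 0.80 tarball at the time of the bump. Please fetch the sums over HTTPS, or check them against an upstream signature if one is published, and record that in the comment. The LICENCE hash in the unchanged context lines stays as it was, which implies the licence text is identical in 0.80; worth confirming with a clean build.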
diff --git a/package/putty/putty.mk b/package/putty/putty.mk
index 4c9164d05e..bff6e78074 100644
--- a/package/putty/putty.mk
+++ b/package/putty/putty.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PUTTY_VERSION = 0.79
+PUTTY_VERSION = 0.80
 PUTTY_SITE = http://the.earth.li/~sgtatham/putty/$(PUTTY_VERSION)
 PUTTY_LICENSE = MIT
 PUTTY_LICENSE_FILES = LICENCE
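Review bot: PUTTY_SITE, in the context line directly below the version change, still uses http://, so the tarball for this security bump is fetched in cleartext and its integrity rests entirely on putty.hash. If the host serves HTTPS, switch the scheme in this same patch: `PUTTY_SITE = https://the.earth.li/~sgtatham/putty/$(PUTTY_VERSION)`.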
-- 
2.39.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
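
The negotiation outcome the announcement describes, as an added example that is not part of the original thread or of PuTTY: it picks the cipher and MAC from two KEXINIT name-lists and reports whether an affected mode was chosen without both sides agreeing on the fix. The strict key exchange marker names and all sample name-lists are assumptions that do not come from this page.

```python
# Added example, not PuTTY or Buildroot code. All name-lists below are constructed samples.
CHACHA = "chacha20-poly1305@openssh.com"
AEAD = {CHACHA, "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
ETM_SUFFIX = "-etm@openssh.com"
# Assumption: strict key exchange marker names as used by OpenSSH; not on this page.
STRICT_C = "kex-strict-c-v00@openssh.com"
STRICT_S = "kex-strict-s-v00@openssh.com"

def negotiate(client, server):
    """RFC 4253 sec. 7.1: the first client preference the server also lists."""
    return next((name for name in client if name in server), None)

def assess(client, server):
    """client/server: dicts of 'kex', 'cipher', 'mac' name-lists (one direction only)."""
    cipher = negotiate(client["cipher"], server["cipher"])
    # AEAD ciphers authenticate packets themselves, so the negotiated MAC is unused.
    mac = None if cipher in AEAD else negotiate(client["mac"], server["mac"])
    affected = cipher == CHACHA or (mac or "").endswith(ETM_SUFFIX)
    # The fix only applies when both peers advertise it in their first KEXINIT.
    strict = STRICT_C in client["kex"] and STRICT_S in server["kex"]
    if not affected:
        verdict = "ok: negotiated mode is not an affected one"
    elif strict:
        verdict = "ok: affected mode, but both sides agreed on the fix"
    else:
        verdict = "warn: affected mode and the peer lacks the fix"
    return {"cipher": cipher, "mac": mac, "strict": strict, "verdict": verdict}

MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
FIXED_CLIENT = {"kex": ["curve25519-sha256", STRICT_C],
                "cipher": [CHACHA, "aes256-ctr"], "mac": MACS}
OLD_SERVER = {"kex": ["curve25519-sha256"],
              "cipher": ["aes256-ctr", CHACHA], "mac": MACS}
FIXED_SERVER = dict(OLD_SERVER, kex=["curve25519-sha256", STRICT_S])
# Client reconfigured to avoid the affected modes, as the announcement suggests.
RECONFIGURED = dict(FIXED_CLIENT, cipher=["aes256-ctr"], mac=["hmac-sha2-256"])

if __name__ == "__main__":
    for label, c, s in [("fixed client, old server", FIXED_CLIENT, OLD_SERVER),
                        ("fixed client, fixed server", FIXED_CLIENT, FIXED_SERVER),
                        ("reconfigured client, old server", RECONFIGURED, OLD_SERVER)]:
        print(label, "->", assess(c, s)["verdict"])
```
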


* Re: [Buildroot] [PATCH] package/putty: security bump to version 0.80
  2023-12-21 14:00 [Buildroot] [PATCH] package/putty: security bump to version 0.80 Peter Korsgaard
@ 2023-12-23 14:14 ` Thomas Petazzoni via buildroot
  2024-01-07 22:41 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-12-23 14:14 UTC
  To: Peter Korsgaard; +Cc: Alexander Dahl, buildroot

On Thu, 21 Dec 2023 15:00:39 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

> As described in the announcement, this fixes a security issue:
> 
> There is one security fix in this release:
> 
>  - Fix for a newly discovered security issue known as the 'Terrapin'
>    attack, also numbered CVE-2023-48795. The issue affects widely-used
>    OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
>    cipher system, and 'encrypt-then-MAC' mode.
> 
>    In order to benefit from the fix, you must be using a fixed version
>    of PuTTY _and_ a server with the fix, so that they can agree to
>    adopt a modified version of the protocol. Alternatively, you may be
>    able to reconfigure PuTTY to avoid selecting any of the affected
>    modes.
> 
>    If PuTTY 0.80 connects to an SSH server without the fix, it will
>    warn you if the initial protocol negotiation chooses an insecure
>    mode to run the connection in, so that you can abandon the
>    connection. If it's possible to alter PuTTY's configuration to
>    avoid the problem, then the warning message will tell you how to do
>    it.
> 
> https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/putty/putty.hash | 8 ++++----
>  package/putty/putty.mk   | 2 +-
>  2 files changed, 5 insertions(+), 5 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [PATCH] package/putty: security bump to version 0.80
  2023-12-21 14:00 [Buildroot] [PATCH] package/putty: security bump to version 0.80 Peter Korsgaard
  2023-12-23 14:14 ` Thomas Petazzoni via buildroot
@ 2024-01-07 22:41 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-01-07 22:41 UTC
  To: buildroot; +Cc: Alexander Dahl

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > As described in the announcement, this fixes a security issue:
 > There is one security fix in this release:

 >  - Fix for a newly discovered security issue known as the 'Terrapin'
 >    attack, also numbered CVE-2023-48795. The issue affects widely-used
 >    OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
 >    cipher system, and 'encrypt-then-MAC' mode.

 >    In order to benefit from the fix, you must be using a fixed version
 >    of PuTTY _and_ a server with the fix, so that they can agree to
 >    adopt a modified version of the protocol. Alternatively, you may be
 >    able to reconfigure PuTTY to avoid selecting any of the affected
 >    modes.

 >    If PuTTY 0.80 connects to an SSH server without the fix, it will
 >    warn you if the initial protocol negotiation chooses an insecure
 >    mode to run the connection in, so that you can abandon the
 >    connection. If it's possible to alter PuTTY's configuration to
 >    avoid the problem, then the warning message will tell you how to do
 >    it.

 > https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard