The PuTTY team reports:
New in 0.71:
Security fixes found by an EU-funded bug bounty programme:
+ a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
+ potential recycling of random numbers used in cryptography
+ on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
+ multiple denial-of-service attacks that can be triggered by writing to the terminal
Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
User interface changes to protect against fake authentication prompts from a malicious server.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center