putty: security bump to version 0.71
authorBaruch Siach <baruch@tkos.co.il>
Sun, 24 Mar 2019 19:21:13 +0000 (21:21 +0200)
committerPeter Korsgaard <peter@korsgaard.com>
Sun, 24 Mar 2019 22:05:20 +0000 (23:05 +0100)
CVE-2019-9894: A remotely triggerable memory overwrite in RSA key
exchange can occur before host key verification.

CVE-2019-9895: A remotely triggerable buffer overflow exists in any kind
of server-to-client forwarding.

CVE-2019-9897: Multiple denial-of-service attacks that can be triggered
by writing to the terminal.

CVE-2019-9898: Potential recycling of random numbers used in
cryptography.

Disable static build for now. When building statically configure defines
NO_GSSAPI. Build with NO_GSSAPI is currently broken. The issue has been
reported upstream.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/putty/Config.in
package/putty/putty.hash
package/putty/putty.mk

index cd8b3bb2132dffb1b86c5adb643bf463e491ad74..f901c71da2978ca61912bcf8d4e4da376786374e 100644 (file)
@@ -2,6 +2,7 @@ config BR2_PACKAGE_PUTTY
        bool "putty"
        depends on BR2_USE_MMU # fork()
        depends on BR2_USE_WCHAR
+       depends on !BR2_STATIC_LIBS
        help
          PuTTY is a free SSH and Telnet client. Without GTK2
          activated, only the commandline tools plink, pscp, psftp,
@@ -10,6 +11,6 @@ config BR2_PACKAGE_PUTTY
 
          http://www.chiark.greenend.org.uk/~sgtatham/putty/
 
-comment "putty needs a toolchain w/ wchar"
+comment "putty needs a toolchain w/ wchar, dynamic library"
        depends on BR2_USE_MMU
-       depends on !BR2_USE_WCHAR
+       depends on !BR2_USE_WCHAR || BR2_STATIC_LIBS
index e0527105c1d4a50b0df97457f58e202271555e52..30f51848f80c956d849c618fef700abcb1f93544 100644 (file)
@@ -1,3 +1,6 @@
-# Hashes from: http://the.earth.li/~sgtatham/putty/0.70/{sha256,sha512}sums
-sha256 bb8aa49d6e96c5a8e18a057f3150a1695ed99a24eef699e783651d1f24e7b0be                                                                 putty-0.70.tar.gz
-sha512 2aaf4fa2b4ad2d82eb5cdc4419ade79e0c5d8bd3c093db92b3c048e6107f85a5f1647f9d8203cda0906ce2b926725a75319f981cb32e6f1ebf50b1f738564fed putty-0.70.tar.gz
+# Hashes from: http://the.earth.li/~sgtatham/putty/0.71/{sha256,sha512}sums
+sha256 2f931ce2f89780cc8ca7bbed90fcd22c44515d2773f5fa954069e209b48ec6b8                                                                 putty-0.71.tar.gz
+sha512 f8791210bd5925b26d51b13f0558eea15dbac40808051165b236d6436226f5c2b0aa7d69288ed9e2bddc1066455678cfd0af73ef6b715a136c42f3b6f754ac07 putty-0.71.tar.gz
+
+# Locally calculated
+sha256 b517b4a9504ba0f651d5e590245197b88d9a81d073905cc798cc9464c5ca7ba8  LICENCE
index 52f2d4c3dd360a7acfa16190b3ebcce5de4fa620..c72c05320d395274fa0118ff0ecb05c6d11f01c4 100644 (file)
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PUTTY_VERSION = 0.70
+PUTTY_VERSION = 0.71
 PUTTY_SITE = http://the.earth.li/~sgtatham/putty/$(PUTTY_VERSION)
 PUTTY_SUBDIR = unix
 PUTTY_LICENSE = MIT