-
putty (0.60+2010-02-20-1+squeeze2) oldstable-security; urgency=high
  * CVE-2011-4607: Passwords were left in memory using SSH
    keyboard-interactive auth.
  * CVE-2013-4206: Buffer underrun in modmul could corrupt the heap.
  * CVE-2013-4852: Negative string length in public-key signatures could
    cause integer overflow and overwrite all of memory (closes: #718779).
  * CVE-2013-4207: Non-coprime values in DSA signatures can cause buffer
    overflow in modular inverse.
  * CVE-2013-4208: Private keys were left in memory after being used by
    PuTTY tools.
  * Backport some general proactive potentially-security-relevant tightening
    from upstream.
 -- Colin Watson <email address hidden>  Thu, 08 Aug 2013 23:37:19 +0100
-
putty (0.60+2010-02-20-1) unstable; urgency=low
  * New experimental development snapshot.
    - Console utilities send prompts to /dev/tty or failing that stderr, not
      to stdout (closes: #422295).
  * Upgrade to debhelper v7.
  * Move documentation from putty-tools to a new putty-doc package (closes:
    #472195).
  * Add a watch file.
  * Convert to source format 3.0 (quilt). No remaining Debian patches!
 -- Colin Watson <email address hidden>  Mon, 22 Feb 2010 01:01:22 +0000
-
putty (0.60+2009-11-22-1) unstable; urgency=low
  * New experimental development snapshot.
  * Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields.
 -- Colin Watson <email address hidden>  Fri, 01 Jan 2010 14:50:45 +0000
-
putty (0.60+2009-08-22-3) unstable; urgency=low
  * Use x11.pc when compiling/linking against GTK (closes: #556125).
 -- Colin Watson <email address hidden>  Mon, 23 Nov 2009 20:39:22 +0000
-
putty (0.60+2009-08-22-2) unstable; urgency=low
  * Rebuild manual pages with halibut 1.0+svn20090906-1, fixing option
    markers (see #496063).
  * Stop calling dh_desktop, as it's now a no-op thanks to dpkg triggers.
 -- Colin Watson <email address hidden>  Mon, 07 Sep 2009 01:22:17 +0100
-
putty (0.60+2009-08-22-1) unstable; urgency=low
  * New experimental development snapshot.
    - Fix potential crash on "reget" in psftp.
    - Fix random seed behaviour in the absence of a seed file.
    - Support OpenSSH's method of specifying port numbers in known_hosts.
    - Improve Pango font handling performance.
  * Use dh_install, dh_installman, and dh_lintian, and use some other
    debhelper programs more effectively.
  * Upgrade to debhelper v6.
 -- Colin Watson <email address hidden>  Tue, 25 Aug 2009 21:50:05 +0100
-
putty (0.60+2009-04-05-1) unstable; urgency=low
  * New experimental development snapshot.
    - Stop attempting to make session logs private on Unix. This was
      introduced in r7084 at the same time as sensible permissions when
      writing private key files; however, it causes an assertion failure
      whenever an attempt is made to append to an existing log file on Unix,
      and it's not clear what "is_private" *should* do for append, so revert
      to log file security being the user's responsibility (LP: #212711).
    - Cope with GTK+ 2.0 encoding keypress strings in the current locale
      rather than in ISO-8859-1 (closes: #517535).
 -- Colin Watson <email address hidden>  Sun, 05 Apr 2009 22:42:02 +0100
-
putty (0.60+2009-02-22-1) unstable; urgency=low
  * New experimental development snapshot.
    - Uses GTK+ 2.0 (closes: #516641, LP: #271277) and as a result supports
      Unicode window titles (LP: #48781).
    - Fixes handling of trailing CR in key files (closes: #414784).
  * Disabled upstream Kerberos support for now, as it produces unwanted
    linkage in pterm and other binaries.
 -- Colin Watson <email address hidden>  Mon, 23 Feb 2009 10:11:54 +0000
-
putty (0.60-4) unstable; urgency=low
  * Build-depend on x11proto-core-dev rather than x-dev (thanks, Lintian).
  * Backport from upstream (r8150, Jacob Nevins; closes: #503186,
    LP: #67488):
    - Fix for portfwd-addr-family: on Unix, when a tunnel is specified as
      "Auto" (rather than IPv4 or IPv6-only; this is the default), try to
      open up listening sockets on both address families, rather than
      (unhelpfully) just IPv6. (And don't open one if the other can't be
      bound, in a nod to CVE-2008-1483.) Based on a patch from Ben A L
      Jemmett.
  * Avoid problems with the -D_FORTIFY_SOURCE=2 default on Ubuntu by
    explicitly ignoring results from a number of calls to read, write, and
    fwrite. (This is pretty ham-handed and I've asked upstream whether they
    have any better ideas for any of these.)
 -- Colin Watson <email address hidden>  Sun, 16 Nov 2008 22:06:59 +0000