- Security fixes found by the EU-funded bug bounty:
- two separate vulnerabilities affecting the obsolete SSH-1 protocol, both available before host key checking
- a vulnerability in all the SSH client tools (PuTTY, Plink, PSFTP and PSCP) if a malicious program can impersonate Pageant
- Bug fix: crash in GSSAPI / Kerberos key exchange affecting third-party GSSAPI providers on Windows (such as MIT Kerberos for Windows)
- Bug fix: crash in GSSAPI / Kerberos key exchange triggered if the server provided an ordinary SSH host key as part of the exchange
- Bug fix: trust sigils were never turned off in SSH-1 or Rlogin
- Bug fix: trust sigils were never turned back on if you used Restart Session
- Bug fix: PSCP in SCP download mode could create files with a spurious newline at the end of their names
- Bug fix: PSCP in SCP download mode with the
-p option would generate spurious complaints about illegal file renaming
- Bug fix: the initial instruction message was never printed during SSH
keyboard-interactive authentication
- Bug fix: pasting very long lines through connection sharing could crash the downstream PuTTY window
- Bug fix: in keyboard layouts with a ',' key on the numeric keypad (e.g. German), Windows PuTTY would generate '.' instead for that key
- Bug fix: PuTTYgen could generate RSA keys with a modulus one bit shorter than requested
|
|