author | Matthias Andree <mandree@FreeBSD.org> | 2015-03-05 22:10:26 +0000 |
---|---|---|
committer | Matthias Andree <mandree@FreeBSD.org> | 2015-03-05 22:10:26 +0000 |
commit | 371c596738ad9def7c25d3d3184315fb2ca72462 (patch) | |
tree | 807bfa608cb66f7fb46dd694edd115e3f089ab8f /security | |
parent | a0c547be8786078df896ad087d39f144b29f4ec1 (diff) |
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index af9dd3223b51..aabecd6eb211 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -57,6 +57,44 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="92fc2e2b-c383-11e4-8ef7-080027ef73ec"> + <topic>PuTTY -- fails to scrub private keys from memory after use</topic> + <affects> + <package> + <name>putty</name> + <range><lt>0.64</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Simon Tatham reports:</p> + <blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html"> + <p>When PuTTY has sensitive data in memory and has no further need for + it, it should wipe the data out of its memory, in case malware later + gains access to the PuTTY process or the memory is swapped out to + disk or written into a crash dump file. An obvious example of this + is the password typed during SSH login; other examples include + obsolete session keys, public-key passphrases, and the private + halves of public keys.</p> + <p>PuTTY 0.63 and earlier versions, after loading a private key + from a disk file, mistakenly leak a memory buffer containing a + copy of the private key, in the function ssh2_load_userkey. The + companion function ssh2_save_userkey (only called by PuTTYgen) can + also leak a copy, but only in the case where the file it tried to + save to could not be created.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html</url> + <cvename>CVE-2015-2157</cvename> + </references> + <dates> + <discovery>2015-02-28</discovery> + <entry>2015-03-05</entry> + </dates> + </vuln> + <vuln vid="8505e013-c2b3-11e4-875d-000c6e25e3e9"> <topic>chromium -- multiple vulnerabilities</topic> <affects> |
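Review bot: The `<affects>` block of the new PuTTY entry names only the package `putty`; if the tree builds any other package from the same PuTTY source, each needs its own `<name>` line in this `<package>` element, otherwise installs of those packages will not be flagged by the audit. The `<lt>0.64</lt>` range itself agrees with the quoted "PuTTY 0.63 and earlier versions". In `<dates>`, the `<discovery>` value 2015-02-28 is not supported by anything in the quoted text, so please confirm it against the page cited in `<references>` before this goes in. Minor: the same URL appears in both the `cite` attribute and `<url>`; keep the two identical if either is ever updated.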