Mageia alert MGASA-2015-0098 (putty, filezilla)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2015-0098: Updated putty and filezilla packages fix CVE-2015-2157 
Date:
    	     
 
Fri, 6 Mar 2015 19:09:23 +0100
Message-ID:
    	     
 
<20150306180923.8FC7840692@valstar.mageia.org>
MGASA-2015-0098 - Updated putty and filezilla packages fix CVE-2015-2157

Publication date: 06 Mar 2015
URL: http://advisories.mageia.org/MGASA-2015-0098.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2157

Description:
Updated putty and filezilla packages fix security vulnerability:

PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key
information from memory when loading and saving key files to disk,
leading to potential disclosure. The issue affects keys stored on disk
in encrypted and unencrypted form, and is present in PuTTY, Plink,
PSCP, PSFTP, Pageant and PuTTYgen (CVE-2015-2157).

The putty package has been updated to version 0.64, fixing this and other
issues.  The filezilla package, which contains a bundled version of PuTTY,
has also been updated, to version 3.10.2.

References:
- https://bugs.mageia.org/show_bug.cgi?id=15394
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlis...
- http://www.chiark.greenend.org.uk/~sgtatham/putty/changes...
- http://openwall.com/lists/oss-security/2015/02/28/4
- https://filezilla-project.org/newsfeed.php
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2157

SRPMS:
- 4/core/putty-0.64-1.mga4
- 4/core/filezilla-3.10.2-1.mga4