Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 12 Dec 2011 13:55:41 -0700
On 12/12/2011 10:47 AM, Vincent Danen wrote:
> Putty 0.59-0.61 does not wipe keyboard-interactive replies from memory
> after authentication. If malware is installed on the system and can
> access arbitrary memory locations, or if the memory is swapped to disk
> or written in a crash dump file, it can expose sensitive authentication
> information like passwords, public-key passphrases, etc.
>
> This is fixed upstream in 0.62.
>
> Could a CVE be assigned to this?

Please use CVE-2011-4607 for this issue.
-Kurt Seifried / Red Hat Security Response Team
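
The kind of fix the report describes, wiping reply buffers before they are released, as an added C example that is not part of the original thread and is not PuTTY's code. The struct, function names and `KI_MAX` are hypothetical, and the sample reply is constructed.

```c
#include <stdlib.h>
#include <string.h>
#define KI_MAX 4   /* hypothetical limit on prompts per round */

/* Hypothetical holder for keyboard-interactive replies (not PuTTY's types). */
struct ki_replies {
    size_t count;
    char  *reply[KI_MAX];  /* heap copies of what the user typed */
    size_t cap[KI_MAX];    /* full allocation size of each copy */
};

/* Zero through a volatile pointer so the compiler treats each store as an
 * observable side effect instead of a dead write ahead of free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Keep a private copy of one reply. Returns 0 on success, -1 on failure. */
static int ki_add(struct ki_replies *r, const char *text) {
    size_t cap = strlen(text) + 1;
    char *buf = r->count < KI_MAX ? malloc(cap) : NULL;
    if (!buf)
        return -1;
    memcpy(buf, text, cap);
    r->reply[r->count] = buf;
    r->cap[r->count++] = cap;
    return 0;
}

/* Call as soon as authentication finishes: wipe each reply over its whole
 * allocation, then release it. Returns the number of bytes cleared. */
static size_t ki_free(struct ki_replies *r) {
    size_t wiped = 0;
    for (size_t i = 0; i < r->count; i++) {
        secure_wipe(r->reply[i], r->cap[i]);
        wiped += r->cap[i];
        free(r->reply[i]);
        r->reply[i] = NULL;
    }
    r->count = 0;
    return wiped;
}

int main(void) {
    struct ki_replies r = {0};
    ki_add(&r, "constructed-passphrase");  /* constructed sample reply */
    return ki_free(&r) == 23 ? 0 : 1;
}
```

Where the platform provides one, `explicit_bzero`, `memset_s` or `SecureZeroMemory` can replace `secure_wipe`. Wiping shortens the time a secret sits in process memory, which is what limits exposure through swap or a crash dump.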