[1/1] package/putty: security bump to version 0.81

Message ID	20240516163144.640424-1-fontaine.fabrice@gmail.com
State	Accepted
Headers	show Return-Path: <buildroot-bounces@buildroot.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2a00:1450:4864:20::32d; helo=mail-wm1-x32d.google.com; envelope-from=fontaine.fabrice@gmail.com; receiver=<UNKNOWN> DMARC-Filter: OpenDMARC Filter v1.4.2 smtp4.osuosl.org BC22041781 From: Fabrice Fontaine <fontaine.fabrice@gmail.com> To: buildroot@buildroot.org Date: Thu, 16 May 2024 18:31:44 +0200 Message-ID: <20240516163144.640424-1-fontaine.fabrice@gmail.com> MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715877108; x=1716481908; darn=buildroot.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=1/6jNaTkllgFS8RbrsTGIT4c7bgWRIQ/RUTiXm5ywVo=; b=VjhXCAh3CP4l5tBLzve+/iN9ftHqbZMDUplQhxj6htbc89Spbg3WNVGSLaqSZ1DrHi RRdFq+2Mf/K2b+k/WNyeEeCdA+udG6wXFR9xJualE2S0/155Fo/6HUPmaorg3TJgYuBa nXImhnPzndrW+3qeMlDYHlPujwdEbNSnBV+vFaZIsWh4CMdXBZu20qYoZzhQFblJKwCU d+x9ENrH++ugIKsj5b19i6lrySH7/eUyQRINhAMrhDdlZdI5LtW93mrPcCzR7mX9OzW6 WdSyBDB5SeciCCoz8B0pDrZ0cu1hMeqC0HVtSHFbMNG0nCw8pKECJtP3mgNohHxXJofg ZTSw== X-Mailman-Original-Authentication-Results: smtp4.osuosl.org; dmarc=pass (p=none dis=none) header.from=gmail.com X-Mailman-Original-Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=VjhXCAh3 Subject: [Buildroot] [PATCH 1/1] package/putty: security bump to version 0.81 Precedence: list Cc: Alexander Dahl <post@lespocky.de>, Fabrice Fontaine <fontaine.fabrice@gmail.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" <buildroot-bounces@buildroot.org>
Series	[1/1] package/putty: security bump to version 0.81 \| expand [1/1] package/putty: security bump to version 0.81

Message ID

20240516163144.640424-1-fontaine.fabrice@gmail.com

State

Accepted

Headers

Received-SPF: Pass (mailfrom) identity=mailfrom;
 client-ip=2a00:1450:4864:20::32d; helo=mail-wm1-x32d.google.com;
 envelope-from=fontaine.fabrice@gmail.com; receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 smtp4.osuosl.org BC22041781
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@buildroot.org
Date: Thu, 16 May 2024 18:31:44 +0200
Message-ID: <20240516163144.640424-1-fontaine.fabrice@gmail.com>
MIME-Version: 1.0
X-Mailman-Original-Authentication-Results: smtp4.osuosl.org;
 dmarc=pass (p=none dis=none)
 header.from=gmail.com
X-Mailman-Original-Authentication-Results: smtp4.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20230601 header.b=VjhXCAh3
Subject: [Buildroot] [PATCH 1/1] package/putty: security bump to version 0.81
X-BeenThere: buildroot@buildroot.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.buildroot.org>
List-Unsubscribe: <https://lists.buildroot.org/mailman/options/buildroot>,
 <mailto:buildroot-request@buildroot.org?subject=unsubscribe>
List-Archive: <http://lists.buildroot.org/pipermail/buildroot/>
List-Post: <mailto:buildroot@buildroot.org>
List-Help: <mailto:buildroot-request@buildroot.org?subject=help>
List-Subscribe: <https://lists.buildroot.org/mailman/listinfo/buildroot>,
 <mailto:buildroot-request@buildroot.org?subject=subscribe>
Cc: Alexander Dahl <post@lespocky.de>,
 Fabrice Fontaine <fontaine.fabrice@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: buildroot-bounces@buildroot.org
Sender: "buildroot" <buildroot-bounces@buildroot.org>

Series

[1/1] package/putty: security bump to version 0.81 | expand

Commit Message

Fabrice Fontaine May 16, 2024, 4:31 p.m. UTC

The only change between 0.80 and 0.81 is one security fix:

 - ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise
   known as ecdsa-sha2-nistp521) were generated with biased random
   numbers. This permits an attacker in possession of a few dozen
   signatures to RECOVER THE PRIVATE KEY.

   Any 521-bit ECDSA private key that PuTTY or Pageant has used to
   sign anything should be considered compromised.

   This vulnerability has the identifier CVE-2024-31497.

Update hash of LICENCE file (update in year with
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2f28ac0386eebbd45ea605818d31d62d219f589)

https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/putty/putty.hash | 8 ++++----
 package/putty/putty.mk   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

Comments

Peter Korsgaard May 24, 2024, 12:32 p.m. UTC | #1

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > The only change between 0.80 and 0.81 is one security fix:
 >  - ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise
 >    known as ecdsa-sha2-nistp521) were generated with biased random
 >    numbers. This permits an attacker in possession of a few dozen
 >    signatures to RECOVER THE PRIVATE KEY.

 >    Any 521-bit ECDSA private key that PuTTY or Pageant has used to
 >    sign anything should be considered compromised.

 >    This vulnerability has the identifier CVE-2024-31497.

 > Update hash of LICENCE file (update in year with
 > https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2f28ac0386eebbd45ea605818d31d62d219f589)

 > https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

diff --git a/package/putty/putty.hash b/package/putty/putty.hash
index 84569a31e5..30b749c47b 100644
--- a/package/putty/putty.hash
+++ b/package/putty/putty.hash
@@ -1,7 +1,7 @@ 
 # Hashes from: http://the.earth.li/~sgtatham/putty/0.80/{sha1,sha256,sha512}sums
-sha1  9c4a96f63ee3e927472191c935cc89228693c03a  putty-0.80.tar.gz
-sha256  2013c83a721b1753529e9090f7c3830e8fe4c80a070ccce764539badb3f67081  putty-0.80.tar.gz
-sha512  c8a6b6fa54ecd8bcf4ec274fef51343dd9996e6458b250b5555c4dc88ded25e87f97277da482c29858510e65635112d541f559ab683635bd950572d850129f90  putty-0.80.tar.gz
+sha1  8c88d871855d3730a0473bb1cb1006654e73b680  putty-0.81.tar.gz
+sha256  cb8b00a94f453494e345a3df281d7a3ed26bb0dd7e36264f145206f8857639fe  putty-0.81.tar.gz
+sha512  d86f2fd0e126b18275d58cf64334b3b27c450899a1c2be2502de9faa2ef58f7fc8efc5d45f25c8395623f1e21917aa02407343bb2fee44c4c00b9f81267d5ecd  putty-0.81.tar.gz
 
 # Locally calculated
-sha256  7ede37f344ee03436c155a375ecb6cdb42a77105baa6e7804bf43260dc4a0c54  LICENCE
+sha256  e0410341c5e45f7479c28d79298edbf615589cdfc115b2d69683d4ccd0425ce0  LICENCE
diff --git a/package/putty/putty.mk b/package/putty/putty.mk
index bff6e78074..617518e647 100644
--- a/package/putty/putty.mk
+++ b/package/putty/putty.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-PUTTY_VERSION = 0.80
+PUTTY_VERSION = 0.81
 PUTTY_SITE = http://the.earth.li/~sgtatham/putty/$(PUTTY_VERSION)
 PUTTY_LICENSE = MIT
 PUTTY_LICENSE_FILES = LICENCE

[1/1] package/putty: security bump to version 0.81

Commit Message

Comments

Patch