Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Simon Tatham
October 26, 2004, 6:26 pm
rate this thread
All the pre-built binaries, and the source code, are now available
from the PuTTY website at
This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
soon as possible.
This version fixes a security hole in previous versions of PuTTY,
which can allow an SSH2 server to attack your client before host key
verification. This means that you are not even safe if you trust the
server you _think_ you're connecting to, since it could be spoofed
over the network and the host key check would not detect this before
the attack could take place. The attack can allow the server to
execute code of its choice on the client.
This vulnerability was found by iDEFENSE, who we expect to release
an advisory on the subject shortly.
In addition to this security fix, there have been some other bug
fixes and new features. Notable among them are:
- Ability to restart a session within an inactive window, via a new
- Minimal support for not running a shell or command at all in SSH
protocol 2 (equivalent to OpenSSH's `-N' option). PuTTY/Plink
still provide a normal window for interaction, and have to be
- Transparent support for CHAP cryptographic authentication in the
SOCKS 5 proxy protocol. (Not in PuTTYtel.)
- More diagnostics in the Event Log, particularly of SSH port
- Ability to request setting of environment variables in SSH
(protocol 2 only). (However, we don't know of any _servers_ that
- Ability to send POSIX signals in SSH (protocol 2 only) via the
`Special Commands' menu. (Again, we don't know of any servers
- Bug fix: The PuTTY tools now more consistently support usernames
containing `@' signs.
- Support for the Polish character set `Mazovia'.
- When logging is enabled, the log file is flushed more frequently,
so that its contents can be viewed before it is closed.
- More flexibility in SSH packet logging: known passwords and
session data can be omitted from the log file. Passwords are
omitted by default. (This option isn't perfect for removing
sensitive details; you should still review log files before
letting them out of your sight.)
- Unix-specific changes:
* Ability to set environment variables in pterm.
* PuTTY and pterm attempt to use a UTF-8 line character set by
default if this is indicated by the locale; however, this can
- Various minor bug fixes and robustness improvements.
I repeat: PuTTY 0.56 fixes a SERIOUS SECURITY HOLE in all previous
versions of PuTTY. You should upgrade now.
Enjoy using PuTTY!
Simon Tatham "You may call that a cheap shot.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum