Simon Tatham on Nostr:
We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.
If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.
Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.
This vulnerability has id CVE-2024-31497. Full information is at
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

Published at
2024-04-15 19:20:58
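For the "remove the old public key from authorized_keys files" step, here is an added example (not part of the post and not PuTTY project code) that lists `ecdsa-sha2-nistp521` entries in authorized_keys text, skipping option strings that merely mention the type. The function names and sample lines are constructed for illustration; the file cannot show which client used a key, so hits are candidates to review.

```python
import base64
import re
import struct

TARGET = "ecdsa-sha2-nistp521"  # key type named in the announcement

# A field is a run of non-space characters; double-quoted option values may hold spaces.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def blob_key_type(b64):
    """Return the algorithm name stored at the start of an SSH public-key blob."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_p521_entries(text):
    """Return (line number, comment, blob type matches) for each nistp521 entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = FIELD.findall(line)
        # The key type is the first field, or the second when options come first.
        for i in (0, 1):
            if len(fields) > i + 1 and fields[i] == TARGET:
                verified = blob_key_type(fields[i + 1]) == TARGET
                hits.append((lineno, " ".join(fields[i + 2:]), verified))
                break
    return hits

def _fake_blob(name):
    # Constructed placeholder: holds only the algorithm-name field, no key material.
    return base64.b64encode(struct.pack(">I", len(name)) + name.encode()).decode()

SAMPLE = "\n".join([  # constructed sample, not real keys
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} alice@laptop",
    "# comment line",
    f"ecdsa-sha2-nistp521 {_fake_blob(TARGET)} bob@winbox",
    f'command="echo ecdsa-sha2-nistp521 x",no-pty ecdsa-sha2-nistp256 {_fake_blob("ecdsa-sha2-nistp256")} ci',
    f'from="10.0.0.0/8" ecdsa-sha2-nistp521 {_fake_blob(TARGET)} carol@putty',
])

if __name__ == "__main__":
    for lineno, comment, verified in find_p521_entries(SAMPLE):
        print(f"line {lineno}: {comment or '(no comment)'} blob_type_ok={verified}")
```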