Users of putty and filezilla from EPEL, be aware of CVE-2024-31497

The Risky Biz News newsletter for April 17: PuTTY crypto bug exposes private keys, may lead to supply chain attacks.

EPEL users will have vulnerable packages in putty-0.80 and filezilla-3.60.1.

Upstream, putty-0.81 and filezilla-3.67.0 fix the vulnerability. However, so far, updated packages are only available:

  • putty-0.81: in Arch and Debian sid
  • filezilla-3.67.0: in Arch and Fedora rawhide

EPEL still doesn’t have any of them in testing.

I would advise caution until updated packages become available. I’d rather not use putty and filezilla for now.


Could you file a bug report under https://bugzilla.redhat.com (Product: fedora → epel → component: putty, filezilla)?

They did it themselves:

https://bugzilla.redhat.com/show_bug.cgi?id=2275184

https://bugzilla.redhat.com/show_bug.cgi?id=2275186

They’re created for EL8, but a fix will propagate to EL9 too.


The fixed PuTTY is in EPEL testing:
https://dl.fedoraproject.org/pub/epel/testing/9/Everything/x86_64/Packages/p/putty-0.81-1.el9.x86_64.rpm
https://dl.fedoraproject.org/pub/epel/testing/8/Everything/x86_64/Packages/p/putty-0.81-1.el8.x86_64.rpm
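To turn the version numbers quoted in this thread into something you can run on an EL8/EL9 host, here is an added shell example (my own, not code from any of the posters or from the PuTTY/FileZilla projects). It compares an installed putty or filezilla version against the fixed upstream releases named above (0.81 and 3.67.0) and reports whether the package is still older than the fix; the rpm query, the function names and the `--check` flag are my assumptions, and the comparison handles only the dotted numeric versions used in this thread.

```shell
#!/bin/sh
# Added example: is the installed EPEL putty/filezilla still older than the
# release that fixes CVE-2024-31497? Fixed versions come from the thread above.

# vercmp_lt A B: return 0 when dotted numeric version A is older than B,
# 1 otherwise. Missing trailing components count as 0 (3.67 == 3.67.0).
vercmp_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"          # leading component of each
        [ "$a" = "$ap" ] && a="" || a="${a#*.}" # drop it (or finish)
        [ "$b" = "$bp" ] && b="" || b="${b#*.}"
        ap="${ap:-0}"; bp="${bp:-0}"
        [ "$ap" -lt "$bp" ] && return 0
        [ "$ap" -gt "$bp" ] && return 1
    done
    return 1
}

# is_vulnerable PKG VERSION: print a verdict; return 0 if still unfixed,
# 1 if the installed version is at or past the fix, 2 for unknown packages.
is_vulnerable() {
    pkg="$1"; ver="$2"
    case "$pkg" in
        putty)     fixed="0.81" ;;    # upstream fix, per the thread
        filezilla) fixed="3.67.0" ;;  # upstream fix, per the thread
        *) echo "unknown package: $pkg" >&2; return 2 ;;
    esac
    if vercmp_lt "$ver" "$fixed"; then
        echo "$pkg-$ver: VULNERABLE (fix is $pkg-$fixed)"
        return 0
    fi
    echo "$pkg-$ver: fixed (>= $fixed)"
    return 1
}

# check_installed PKG: ask rpm for the installed version on an EL host and
# hand it to is_vulnerable. Returns 3 when rpm or the package is absent.
check_installed() {
    pkg="$1"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping $pkg" >&2; return 3; }
    ver=$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null) || { echo "$pkg not installed"; return 3; }
    is_vulnerable "$pkg" "$ver"
}

# Only query the live system when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    for p in putty filezilla; do check_installed "$p"; done
fi
```

Run it as `sh check.sh --check` on the EL box. Once the fixed build reaches EPEL testing, as in the last post, it can be pulled in ahead of stable with `sudo dnf --enablerepo=epel-testing upgrade putty`, after which the script should report `putty-0.81: fixed (>= 0.81)`.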