The Risky Biz News newsletter for April 17: PuTTY crypto bug exposes private keys, may lead to supply chain attacks.
EPEL users will have vulnerable packages in putty-0.80 and filezilla-3.60.1.
Upstream, putty-0.81 and filezilla-3.67.0 fix the vulnerability. However, so far, updated packages are only available:
putty-0.81: in Arch and Debian sid
filezilla-3.67.0: in Arch and Fedora rawhide
EPEL still doesn’t have any of them in testing.
I would advise caution until updated packages become available. I’d rather not use putty and filezilla for now.