Email or username:

Password:

Forgot your password?
Simon's posts Post Back to profile
Simon Tatham

We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at chiark.greenend.org.uk/~sgtath

15 April at 19:20 | Open on hachyderm.io
13 comments
Cloud Manul

@simontatham Hi and thanks for the quick bugfix. From what I know, ecdsa-sha2-nistp521 has never been the default key type in Puttygen, so "normal" keys (mostly ssh-rsa and ssh-ed25519) should be fine?

15 April at 20:04 | Open on nrw.social
Filene

@simontatham Thank you for your continued development of this application, it's essential and I've relied upon it. πŸ™‡β€β™€οΈπŸ™πŸ’–

15 April at 21:07 | Open on dragon.style
James Cuff

@simontatham superb write up and repair. Y’all were making safe β€œk” before making safe β€œk” was cool. I’m just glad we have folks still around to know how computers work.

Thanks team!!

15 April at 22:15 | Open on mastodon.mit.edu
Bruce Elrick

@simontatham Used such a key with PuTTY, or created such a key with PuTTY?

15 April at 22:22 | Open on cosocial.ca
Bruce Elrick

@simontatham Oh, I see it only has to be used.

Thanks for the effort in fixing this.

15 April at 22:25 | Open on cosocial.ca
Keeper of the orb

@simontatham oh!! Wow!! Thank you for putty! I dont really admin or anything, but ive used it to get into the back end of my MUD for a lifetime and have never felt remotely flustered or confused or held back by the client itself. Just a really good program & i thank your team for it!!

16 April at 0:28 | Open on donphan.social
todo!("change this, Jacky")
SnoopJ

@jalcine it's correct as written, but it's easy to mistake it for a typo if you're expecting powers of 2 (as with key lengths for non-elliptic-curve cryptography)

16 April at 2:22 | Open on hachyderm.io
Simon Tatham

@jalcine no, 521 is right! NIST elliptic curve keys come in three fixed sizes, and one of them _isn't_ the obvious power of 2.

In fact, the difference between 521 and 512 is exactly the cause of the problem – those 9 extra bits are the amount of information that PuTTY was accidentally leaking about the private key per signature.

16 April at 6:07 | Open on hachyderm.io
LisPi
@simontatham @indigoparadox If I understand from skimming the link, this solely affects PuTTY (on Windows) and /not/ other implementations of SSH, right?
16 April at 2:40 | Open on udongein.xyz
Henrik Kramselund - kramse

@simontatham so sad to hear this news, but assured by the open information!

Thanks for your long lasting and hard work on Putty and other projects.

16 April at 4:35 | Open on social.kramse.org
Go Up