CVE-2011-4607

Name: CVE-2011-4607
Description: PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process' memory.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
NVD severity: low (attack range: local)
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| putty (PTS) | squeeze (security), squeeze | 0.60+2010-02-20-1+squeeze2 | fixed |
| | squeeze (lts) | 0.60+2010-02-20-1+squeeze3 | fixed |
| | wheezy | 0.62-9+deb7u1 | fixed |
| | wheezy (security) | 0.62-9+deb7u2 | fixed |
| | jessie, sid | 0.63-10 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| putty | source | (unstable) | 0.62-1 | unimportant | | |
| putty | source | squeeze | 0.60+2010-02-20-1+squeeze2 | low | | |

Notes

DSA-2736-1
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html
Hardening measure, not a vulnerability
