OMV users relying on Putty to administrate other hosts via SSH should upgrade immediately to at least version 0.71 released two days ago. The list of security related fixes is 'impressive' (total disaster):
- Security fixes found by an EU-funded bug bounty programme:
- a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
- potential recycling of random numbers used in cryptography
- on Windows, hijacking by a malicious help file in the same directory as the executable
- on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
- multiple denial-of-service attacks that can be triggered by writing to the terminal
- Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
- User interface changes to protect against fake authentication prompts from a malicious server.