Subject: [ASA-202107-37] putty: content spoofing Arch Linux Security Advisory ASA-202107-37 ========================================== Severity: Low Date : 2021-07-20 CVE-ID : CVE-2021-36367 Package : putty Type : content spoofing Remote : Yes Link : https://security.archlinux.org/AVG-2143 Summary ======= The package putty before version 0.76-1 is vulnerable to content spoofing. Resolution ========== Upgrade to 0.76-1. # pacman -Syu "putty>=0.76-1" The problem has been fixed upstream in version 0.76. Workaround ========== None. Description =========== PuTTY before version 0.76 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user). Impact ====== A remote SSH server could present a spoofed authentication prompt. References ========== https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=1dc5659aa62848f0aeb5de7bd3839fecc7debefa https://security.archlinux.org/CVE-2021-36367