Francis Irving wrote:
> (Sorry if this has been mentioned on the list already, but I couldn't
> see it in the archive, and thought it important enough to post anyway)
>
> Putty has a serious security hole, which I think TortoiseSVN (in
> SVN+SSH mode, TortoisePlink) suffers from. The hole lets people gain
> control of the client machine. Details here:
>
> http://seclists.org/lists/bugtraq/2004/Aug/0049.html
I updated TortoisePlink in revision 1511 which uses the fixed version 0.55.
> There is a new version of Putty, 0.55, which has this fixed. See
> the latest news on the Putty page:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
> If you haven't made one already, this probably warrants a security
> release of TortoiseSVN for people using it in SVN+SSH mode.
I don't think it's very urgent. The vulnerability can only be exploited
from a server. So you would have first to hack the server to get back at
the clients. And it's not that TSVN is something like a webbrowser where
you visit many many unknown servers - you don't just download the
sources of a project for fun. The servers you "visit" with TSVN are well
known to you.
But the next release of TSVN will have this fixed. If you don't wanna
wait until then, you can either use the command line plink from the
official site or compile your own version of TortoisePlink.
> I've told the TortoiseCVS people about this, and they have a new
> stable release coming out in the next few days which they're going to
> include a fix in. So you might be able to grab TortoisePlink from
> them (not sure how it's been forked / not forked).
It's a "little" forked: The TortoisePlink version of TCVS still pops up
a console window when it's running. Our version doesn't do that.
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Sat Aug 7 13:01:11 2004