Putty 0.81 release to fix CVE-2024-31497

[miukumac]

Hi,

Just to bring up that Putty just released 0.81 which fixes the vulnerability detailed in the CVE article where a malicious server operator can, with enough connections, form the private key from the user.

Might want to rebuild against it ASAP.

[miukumac]

Saw binaries in the bin directory, not in releases. Sorry for the unneeded ticket!

[jonkloske]

Technically it's still listed as prerelease instead of latest, so things may change. I think this is probably worth having until it's listed as latest - currently, the tagged latest version contains the vulnerability.

[NoMoreFood]

Yeah, I would really appreciate some testers. I just like to give it some time to bake before I officially call it released. Given the UI elements and hardware token interactions, I don't have a good automated testing pipeline... I depend on you all :-)

[jonkloske]

Ahh, well not sure if this is relevant or not, but I installed the prerelease version and it nuked all my pinned sessions and icon links. I had to repin and connect at least once before all the pinned connections came back. Could be windows, could be the installer. Not a huge issue, but otherwise it's been working fine (modulo my other issue report that's unrelated to this specific version).

[jonkloske]

Yeah, I just confirmed that running the installer breaks pinned icons on the windows task bar. Not sure why, given it's just a file path and that hasn't changed. But it goes white and clicking it after the upgrade gives the "this item can't be found" message and removes the pin. You need to manually relaunch and repin. Also can't be sure if that was the behaviour with other upgrades, but I don't remember it being so.

[C0RD]

Installed it and works fine. (No pin used, but a shortcut on the desktop, which didn't vanish)

Pageant running from Autostart including impting a CAPI-Key also works as intended.