
CHANGELOG

What's New in version 0.74:

  • Security fix: if an SSH server accepted an offer of a public key and then rejected the signature, PuTTY could access freed memory, if the key had come from an SSH agent.
  • Security feature: new config option to disable PuTTY's dynamic host key preference policy, if you prefer to avoid giving away to eavesdroppers which hosts you have stored keys for.
  • Bug fix: the installer UI was illegible in Windows high-contrast mode.
  • Bug fix: console password input failed on Windows 7.
  • Bug fixes in the terminal: one instance of the dreaded 'line==NULL' error box, and two other assertion failures.
  • Bug fix: potential memory-consuming loop in bug-compatible padding of an RSA signature from an agent.
  • Bug fix: PSFTP's buffer handling worked badly with some servers (particularly proftpd's mod_sftp).
  • Bug fix: cursor could be wrongly positioned when restoring from the alternate terminal screen. (A bug of this type was fixed in 0.59; this is a case that that fix missed.)
  • Bug fix: character cell height could be a pixel too small when running GTK PuTTY on Ubuntu 20.04 (or any other system with a similarly up-to-date version of Pango).
  • Bug fix: old-style (low resolution) scroll wheel events did not work in GTK 3 PuTTY. This could stop the scroll wheel working at all in VNC.

What's New in version 0.73:

  • Security fix: on Windows, other applications were able to bind to the same TCP port as a PuTTY local port forwarding.
  • Security fix: in bracketed paste mode, the terminal escape sequences that should delimit the pasted data were appearing together on one side of it, making it possible to misidentify pasted data as manual keyboard input.
  • Bug fix (possibly security-related): an SSH-1 server sending a disconnection message could cause an access to freed memory.
  • Bug fix: Windows Plink would crash on startup if it was acting as a connection-sharing downstream.
  • Bug fix: Windows PuTTY now updates its terminal window size correctly if the screen resolution changes while it's maximised.
  • Bug fix: tweaked terminal handling to prevent lost characters at the ends of lines in gcc's coloured error messages.
  • Bug fix: removed a bad interaction between the 'clear scrollback' operation and mouse selection that could give rise to the dreaded 'line==NULL' assertion box.

What's New in version 0.72:

  • It fixes a small number of further security issues found by the 2019 EU-funded HackerOne bug bounty, and a variety of other bugs introduced in 0.71.

What's New in version 0.68:

  • Security fix: an integer overflow bug in the agent forwarding code.
  • Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory (on versions of Windows where they previously were).
  • Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out to inconvenience too many legitimate applications such as NVDA and TortoiseGit. You can still manually request a restricted ACL using the command-line option -restrict-acl.
  • The Windows PuTTY tools now come in a 64-bit version.
  • The Windows PuTTY tools now have Windows's ASLR and DEP security features turned on.
  • Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys, user authentication keys, and key exchange.
  • Support for importing and exporting OpenSSH's new private key format.
  • Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
  • Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server (which cross-certifies them using the session key established using an already-known key) and add them to the known host-keys database.

What's New in version 0.66 Beta:

  • Security fix: an escape sequence which used to make PuTTY's terminal code read and potentially write the wrong memory is fixed. See vuln-ech-overflow.
  • Bug fix: better Unicode handling in Windows PuTTY keyboard messages, so it should now work better with WinCompose.
  • Bug fix: jump lists on Windows 10 should now work.
  • There's now a set of command-line options to enable session logging.
  • &P in the log file name now substitutes in the port number from the configuration.

What's New in version 0.63 Beta:

  • Security fix: prevent a nefarious SSH server or network attacker from crashing PuTTY at startup in three different ways by presenting a maliciously constructed public key and signature.
  • Security fix: PuTTY no longer retains the private half of users' keys in memory by mistake after authenticating with them.
  • Revamped the internal configuration storage system to remove all fixed arbitrary limits on string lengths. In particular, there should now no longer be an unreasonably small limit on the number of port forwardings PuTTY can store.
  • Port-forwarded TCP connections which close one direction before the other should now be reliably supported, with EOF propagated independently in the two directions. This also fixes some instances of port-forwarding data corruption (if the corruption consisted of losing data from the very end of the connection) and some instances of PuTTY failing to close when the session is over (because it wrongly thought a forwarding channel was still active when it was not).
  • The terminal emulation now supports xterm's bracketed paste mode (allowing aware applications to tell the difference between typed and pasted text, so that e.g. editors need not apply inappropriate auto-indent).
  • You can now choose to display bold text by both brightening the foreground colour and changing the font, not just one or the other.
  • PuTTYgen will now never generate a 2047-bit key when asked for 2048 (or more generally n-1 bits when asked for n).
  • Some updates to default settings: PuTTYgen now generates 2048-bit keys by default (rather than 1024), and PuTTY defaults to UTF-8 encoding and 2000 lines of scrollback (rather than ISO 8859-1 and 200).
  • Unix: PSCP and PSFTP now preserve the Unix file permissions, on copies in both directions.
  • Unix: dead keys and compose-character sequences are now supported.
  • Unix: PuTTY and pterm now permit font fallback (where glyphs not present in your selected font are automatically filled in from other fonts on the system) even if you are using a server-side X11 font rather than a Pango client-side one.
  • Bug fixes too numerous to list, mostly resulting from running the code through Coverity Scan which spotted an assortment of memory and resource leaks, logic errors, and crashes in various circumstances.
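
Added example (not part of the PuTTY changelog or code base): how an application that understands bracketed paste mode (introduced in 0.63) separates typed from pasted input, and what it sees when both delimiters land on one side of the pasted data, as in the bug fixed in 0.73. The markers are xterm's ESC[200~ and ESC[201~; the function names and sample streams are constructed for illustration, and placing the misplaced markers before the data is an assumption, since the changelog does not say which side.

```python
# Added example: classify terminal input as typed or pasted using
# xterm bracketed paste markers. All sample streams are constructed.
PASTE_START = b"\x1b[200~"
PASTE_END = b"\x1b[201~"


def split_input(stream: bytes):
    """Return a list of (kind, data) segments; kind is 'typed' or 'pasted'.

    Markers are consumed. An unterminated paste stays 'pasted', so a
    truncated stream is never promoted to trusted keyboard input.
    """
    segments = []
    pos = 0
    in_paste = False
    while pos < len(stream):
        marker = PASTE_END if in_paste else PASTE_START
        idx = stream.find(marker, pos)
        end = len(stream) if idx == -1 else idx
        if end > pos:
            kind = "pasted" if in_paste else "typed"
            segments.append((kind, stream[pos:end]))
        if idx == -1:
            break
        pos = idx + len(marker)
        in_paste = not in_paste
    return segments


def typed_bytes(stream: bytes) -> bytes:
    """Everything the application would treat as manual keyboard input."""
    return b"".join(d for kind, d in split_input(stream) if kind == "typed")


# Constructed streams: the user types "ls ", then pastes "echo hi\n".
CORRECT = b"ls " + PASTE_START + b"echo hi\n" + PASTE_END
# Both markers on one side of the pasted data (before it: an assumption).
MISPLACED = b"ls " + PASTE_START + PASTE_END + b"echo hi\n"

if __name__ == "__main__":
    for name, s in (("correct", CORRECT), ("misplaced", MISPLACED)):
        print(name, split_input(s), "typed:", typed_bytes(s))
```

With the delimiters correctly placed, the pasted newline stays inside a 'pasted' segment, so a shell or editor can hold it for review; with both on one side, the same bytes are indistinguishable from keystrokes.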