Users of putty and filezilla from EPEL, be aware of CVE-2024-31497

The Risky Biz News newsletter for April 17: PuTTY crypto bug exposes private keys, may lead to supply chain attacks.

EPEL users will have vulnerable packages in putty-0.80 and filezilla-3.60.1.

Upstream, putty-0.81 and filezilla-3.67.0 fix the vulnerability. However, so far, updated packages are only available:

  • putty-0.81: in Arch and Debian sid
  • filezilla-3.67.0: in Arch and Fedora rawhide

EPEL still doesn’t have any of them in testing.

I would advise caution until updated packages become available. I’d rather not use putty and filezilla for now.

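Added example, not code from the thread or from either project: a POSIX shell check that compares the installed EPEL putty and filezilla versions against the upstream releases named above. The `rpm` query, the package names and the `sort -V` ordering are assumptions about an EL or Fedora host.

```shell
#!/bin/sh
# Added example, not from the thread: flag installed putty/filezilla builds
# whose upstream version is below the release that fixes CVE-2024-31497.
# Fixed versions are the ones named in the post above; the rpm query and
# `sort -V` ordering are assumptions about an EL/Fedora host.

# Upstream release that fixes the bug, per the post; unknown package -> status 1.
fixed_version() {
    case "$1" in
        putty)     echo 0.81 ;;
        filezilla) echo 3.67.0 ;;
        *)         return 1 ;;
    esac
}

# version_lt A B: true if A sorts strictly before B in version order
# (so 3.9 < 3.10, which a plain string compare would get wrong).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# needs_update PKG VERSION: true if VERSION is below the fixed release.
# Returns 2 for a package this script does not know about.
needs_update() {
    fixed=$(fixed_version "$1") || return 2
    version_lt "$2" "$fixed"
}

# check_installed PKG: look up the installed version with rpm and report.
# Caveat: a distro may backport the fix without bumping the upstream version,
# so on a flagged host also read `rpm -q --changelog PKG` for the CVE id.
check_installed() {
    pkg=$1
    if ! ver=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null); then
        echo "$pkg: not installed"
        return 0
    fi
    if needs_update "$pkg" "$ver"; then
        echo "$pkg-$ver: below fixed release $(fixed_version "$pkg"), treat as affected by CVE-2024-31497"
        return 1
    fi
    echo "$pkg-$ver: at or above fixed release"
}

# Report on both packages named in the thread when rpm is available.
if command -v rpm >/dev/null 2>&1; then
    for pkg in putty filezilla; do
        check_installed "$pkg" || :
    done
fi
```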

Could you file a bug report under (Product: fedora → epel → component (putty, filezilla))?

They did it themselves:

They’re created for EL8, but a fix will propagate to EL9 too.


The fixed PuTTY is in EPEL testing: