Just a quick one for a Friday afternoon....
As Veeam package PuTTY in with the B&R console, will there be a patch/version/fix issued for it please?
Cheers, Rob
-
- Expert
- Posts: 111
- Liked: 16 times
- Joined: Dec 10, 2018 10:59 am
- Full Name: Robert Atkinson
-
- Chief Product Officer
- Posts: 31835
- Liked: 7325 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Putty SSH v0.80 CVE-2024-31497 Fix
Hi, Rob. Sure, we always update 3rd party components in our periodic maintenance releases. Meanwhile, feel free to replace it manually (or even delete it) as it's not used by VBR in any way. It is only included for users' convenience. Thanks.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: May 06, 2024 8:28 am
- Full Name: Jon Schou
Re: Putty SSH v0.80 CVE-2024-31497 Fix
Hi Gostev
Although I appreciate the intention and convenience, I find it odd that you include PuTTY at all. I would propose that you do not include it, as it is up to the users ourselves to ensure such peripheral tools, reserving the choice of toolstack at the same time to be up to us instead. By providing it for our convenience you at the same time provide a risk of secure posture decrease, as we now have to ensure the binaries you provide are upgraded.
I hope it makes sense.
/Jon
-
- Chief Product Officer
- Posts: 31835
- Liked: 7325 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Putty SSH v0.80 CVE-2024-31497 Fix
Hi, Jon.
Actually, this does not make sense to me as our software includes hundreds of binaries, not just this one. And generally you don't need to "ensure the binaries you provide are upgraded" as we take care of this with periodic product updates aka maintenance releases.
In any case, I don't see us removing PuTTY as many support cases that involve Linux server interaction require using it, especially when our support engineers provide assistance remotely, and having it readily available reduces time to resolution.
Thanks.