PuTTY 0.69 GSS-API keyex 0.9

Changes compared to upstream PuTTY 0.69:

• Support for GSS-API key exchange and gssapi-keyex authentication.
• Support for Heimdal GSS-API.
• Source compiles with MinGW32/64.

Changes previously unique to PuTTY GSS-API keyex but now part of upstream PuTTY 0.69:

• 64-bit binaries and installer.
• Data Execution Prevention enabled for all binaries.
• Binaries and installer signed using Microsoft Authenticode.

Changes compared to PuTTY 0.67 GSS-API keyex 1.0:

• Authenticode signatures use expired certificate. Very sorry about that. Apparently I need to get a HSM to renew my code signing certificate.
• Proper MSI installers instead of Inno Setup executables.
• ASLR enabled for all binaries.
• Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory (on versions of Windows where they previously were). See vuln-indirect-dll-hijack and vuln-indirect-dll-hijack-2.
• Jump lists should now appear again on the PuTTY shortcut in the Windows Start Menu.
• You can now explicitly configure SSH terminal mode settings not to be sent to the server, if your server objects to them.
• Security fix: an integer overflow bug in the agent forwarding code. See vuln-agent-fwd-overflow.
• Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out to inconvenience too many legitimate applications such as NVDA and TortoiseGit. You can still manually request a restricted ACL using the command-line option -restrict-acl.
• Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys, user authentication keys, and key exchange.
• Support for importing and exporting OpenSSH's new private key format.
• Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
• Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server (which cross-certifies them using the session key established using an already-known key) and add them to the known host-keys database.
• The Unix GUI PuTTY tools can now be built against GTK 3.
• There is now a Unix version of Pageant.

PuTTY 0.67 GSS-API keyex 1.0

Changes compared to upstream PuTTY 0.67:

• Support for GSS-API key exchange and gssapi-keyex authentication.
• Support for Heimdal GSS-API.
• 64-bit binaries and installer.
• Data Execution Prevention enabled for all binaries.
• Source compiles with MinGW32/64.

Changes previously unique to PuTTY GSS-API keyex but now part of upstream PuTTY 0.67:

• Binaries and installer signed using Microsoft Authenticode.

Changes compared to PuTTY 0.66 GSS-API keyex 1.0:

• Security fix: a buffer overrun in the old-style SCP protocol when receiving the header of each file downloaded from the server is fixed. See vuln-pscp-sink-sscanf.
• Windows PuTTY now sets its process ACL more restrictively, in an attempt to defend against malicious other processes reading sensitive data out of its memory.
• Assorted other robustness fixes for crashes and memory leaks.

PuTTY 0.66 GSS-API keyex 1.0

Changes compared to upstream PuTTY 0.66:

• Support for GSS-API key exchange and gssapi-keyex authentication.
• Support for Heimdal GSS-API.
• 64-bit binaries and installer.
• Data Execution Prevention enabled for all binaries.
• Binaries and installer signed using Microsoft Authenticode.
• Source compiles with MinGW32/64.

Changes compared to PuTTY 0.64 GSS-API keyex 1.1:

• Switched certificate for Authenticode so that signatures no longer expire when the signing certificate does.
• Security fix: an escape sequence which used to make PuTTY's terminal code read and potentially write the wrong memory is fixed. See vuln-ech-overflow.
• Bug fix: better Unicode handling in Windows PuTTY keyboard messages, so it should now work better with WinCompose.
• Bug fix: jump lists on Windows 10 should now work.
• There's now a set of command-line options to enable session logging.
• &P in the log file name now substitutes in the port number from the configuration.
• Incoming connections to PuTTY tools (to forwarded ports and to the connection-sharing socket) now log their source address or pid, where facilities exist to do so.
• Cryptography speedup on 64-bit Unix platforms by using gcc and clang's __uint128_t built-in type.
• Bug fix: the configuration dialog is no longer accidentally invisible in some Windows Vista display themes.
• Bug fix: the Windows PuTTY GUI no longer becomes unresponsive if the server sends a continuous flood of data. (Sorry! We fixed that once before, but it came back in 0.64.)
• Bug fix: PSFTP now returns a failure exit status if a command fails in a batch-mode script.
• Bug fix: ESC [ 13 t can no longer elicit an invalid escape sequence as a response.

PuTTY 0.64 GSS-API keyex 1.1

• Fix bug preventing gssapi-with-mic authentication from being used together with GSS-API key exchange.
• Fix memory leak when doing rekey using GSS-API key exchange.
• Fix small memory leak in gssapi-with-mic authentication.
• Only try GSS-API key exchange during rekeying if used for the initial exchange. This should make rekeying faster when not using GSS-API.

PuTTY 0.64 GSS-API keyex 1.0

Changes compared to upstream PuTTY 0.64:

• Support for GSS-API key exchange and gssapi-keyex authentication.
• Support for Heimdal GSS-API.
• 64-bit binaries and installer.
• Data Execution Prevention enabled for all binaries.
• Binaries and installer signed using Microsoft Authenticode.

Changes compared to PuTTY 0.63 GSS-API keyex 1.2:

• Update README.txt in binary distribution to describe GSS-API keyex specifics.
• Rebase to upstream PuTTY 0.64, which includes the following changes:
• Security fix: PuTTY no longer retains the private half of users' keys in memory by mistake after authenticating with them.
• Support for SSH connection sharing, so that multiple instances of PuTTY to the same host can share a single SSH connection instead of all having to log in independently.
• Command-line and configuration option to specify the expected host key(s).
• Defaults change: PuTTY now defaults to SSH-2 only, instead of its previous default of SSH-2 preferred.
• Local socket errors in port-forwarded connections are now recorded in the PuTTY Event Log.
• Bug fix: repeat key exchanges in the middle of an SSH session now never cause an annoying interactive host key prompt.
• Bug fix: reset the bolded-text default setting back to what it used to be. (0.63 set it to something wrong, as a side effect of refactoring.)
• Bug fix: IPv6 literals are handled sensibly throughout the suite, if you enclose them in square brackets to prevent the colons being mistaken for a :port suffix.
• Bug fix: IPv6 dynamic port forwardings should work again.

PuTTY 0.63 GSS-API keyex 1.2

Do not trigger assertion when GSS-API key exchange succeeded but user authentication failed.

PuTTY 0.63 GSS-API keyex 1.1

• Support for Heimdal GSS-API. [*]
• Data Execution Prevention enabled for 32-bit binaries. [*]
• Binaries signed using Microsoft Authenticode. [*]
• Provide 64-bit installer. [*]
• Provide 32-bit installer.
• Provide all binaries from the PuTTY suite. PSCP, PSFTP and Plink also supports GSS-API key exchange. PuTTYtel, Pageant and PuTTYgen are just provided for completeness.
• Re-enable HTML Help support that was disabled in 1.0 builds.
• Re-enable multi monitor fullscreen support that was disabled in 1.0 builds.

Features with an asterisk [*] are not present in the standard 32-bit upstream PUTTY distribution.

PuTTY 0.63 GSS-API keyex 1.0

• Support for MIT Kerberos GSS-API on Win64 builds.
• Support for GSS-API key exchange and gssapi-keyex authentication.

Features with an asterisk [*] are not present in the standard 32-bit upstream PUTTY distribution.