PuTTY, an SSH and Telnet client program, and LibSSH2, a client-side C library for the SSH2 protocol, have both received updates fixing multiple vulnerabilities. Eight vulnerabilities have been fixed in version 0.71 of PuTTY, and nine vulnerabilities fixed in version 1.8.1 of LibSSH2.

Seven of the eight PuTTY vulnerabilities were found through the auspices of the EU-FOSSA bug bounty project being operated through HackerOne and Intigriti/Deloitte.

The PuTTY scheme runs from 7 January 2019 until 15 December 2019. Its total available bounty is €90,000, which is the highest single amount in the scheme.

Three of the eight PuTTY vulnerabilities allow DoS attacks against it. The three conditions are, if a CJK wide character is written to a 1-column-wide terminal; combining characters, double-width text, an odd number of terminal columns, and GTK; and if many Unicode combining characters are written to the terminal.