--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-3ff1cb628b
2018-10-19 16:05:40.322424
--------------------------------------------------------------------------------
Name : python-paramiko
Product : Fedora 28
Version : 2.4.2
Release : 1.fc28
URL : https://github.com/paramiko/paramiko
Summary : SSH2 protocol library for python
Description :
Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel (this is how sftp works, for example).
--------------------------------------------------------------------------------
Update Information:
Python Paramiko versions 2.3.2 and 2.4.1 are vulnerable to an authentication
bypass in `paramiko/auth_handler.py`. A remote attacker could exploit this
vulnerability in Paramiko SSH servers to execute arbitrary code. Note that
applications using Paramiko only as a client (such as ansible) are not affected
by this. There is also an additional fix preventing `MSG_UNIMPLEMENTED`
feedback loops that could manifest when both ends of a connection are Paramiko-
based.
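The advisory draws two distinctions a deployment owner needs to act on: which installed versions are the ones it names as vulnerable, and whether the code base actually uses Paramiko's server mode (client-only use is not affected). The following triage helper is an added example, not part of the Fedora advisory or of the paramiko project. It assumes the versions quoted above (2.3.2 and 2.4.1 vulnerable, 2.4.2 fixed), and it looks for paramiko's server-side API names `ServerInterface` and `Transport.start_server`, which client-only code never touches; the two source snippets it scans are constructed samples.

```python
"""Triage helper for CVE-2018-1000805 in python-paramiko (added example).

Assumptions: the version facts stated in the Fedora advisory, and that any
code using paramiko in server mode references ServerInterface or start_server.
"""
import ast
import re

# Versions the advisory names as vulnerable, and the release carrying the fix.
VULNERABLE_VERSIONS = {(2, 3, 2), (2, 4, 1)}
FIXED_VERSION = (2, 4, 2)

# Names from paramiko's server-mode API; client-only code does not use them.
SERVER_API_NAMES = {"ServerInterface", "start_server"}

# Constructed sample sources standing in for an application's code.
CLIENT_ONLY = """
import paramiko
c = paramiko.SSHClient()
c.connect("host.example", username="u")
"""

SERVER_SIDE = """
import paramiko
class Srv(paramiko.ServerInterface):
    pass
t = paramiko.Transport(sock)
t.start_server(server=Srv())
"""


def parse_version(text):
    """Turn '2.4.1' or an rpm-style '2.4.1-4.fc28' into an int tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def classify_version(text):
    """Map a version string onto the advisory's statements only."""
    v = parse_version(text)
    if v in VULNERABLE_VERSIONS:
        return "vulnerable"
    if v >= FIXED_VERSION:
        return "fixed"
    return "not covered by this advisory; check upstream"


def uses_server_mode(source):
    """True if the Python source references paramiko's server-mode API."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in SERVER_API_NAMES:
            return True          # e.g. paramiko.ServerInterface, t.start_server
        if isinstance(node, ast.Name) and node.id in SERVER_API_NAMES:
            return True          # e.g. class Srv(ServerInterface)
        if isinstance(node, ast.ImportFrom):
            if any(a.name in SERVER_API_NAMES for a in node.names):
                return True      # e.g. from paramiko import ServerInterface
    return False


def triage(version_text, sources):
    """Combine both checks: only vulnerable versions in server mode need action."""
    status = classify_version(version_text)
    server = any(uses_server_mode(s) for s in sources)
    return {
        "version": status,
        "server_mode": server,
        "affected": status == "vulnerable" and server,
    }


if __name__ == "__main__":
    for label, srcs in (("client-only", [CLIENT_ONLY]), ("server", [SERVER_SIDE])):
        print(label, triage("2.4.1-4.fc28", srcs))
```

The version check deliberately refuses to guess about releases the advisory does not mention, so a 2.4.0 or 2.2.x install is reported as "check upstream" rather than silently marked safe.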
--------------------------------------------------------------------------------
ChangeLog:
* Tue Oct 9 2018 Paul Howarth <paul(a)city-fan.org> - 2.4.2-1
- Update to 2.4.2
- Fix exploit (GH#1283, CVE-2018-1000805) in Paramiko's server mode (not
client mode) where hostile clients could trick the server into thinking
they were authenticated without actually submitting valid authentication
- Modify protocol message handling such that Transport does not respond to
MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED; this behavior probably
didn't cause any outright errors, but it doesn't seem to conform to the
RFCs and could cause (non-infinite) feedback loops in some scenarios
(usually those involving Paramiko on both ends)
- Add *.pub files to the MANIFEST so distributed source packages contain
some necessary test assets (GH#1262)
- Test suite now requires mock ≥ 2.0.0
* Sat Jul 14 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.4.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 20 2018 Miro Hrončok <mhroncok(a)redhat.com> - 2.4.1-4
- Rebuilt for Python 3.7
- Remove dependency on pytest-relaxed
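The second changelog item describes a protocol-level feedback loop: a transport that answers every message it does not handle with MSG_UNIMPLEMENTED, including an incoming MSG_UNIMPLEMENTED, will trade rejections with a peer that behaves the same way. The toy model below is an added example, not paramiko's code, and it only reproduces the exchange pattern. It uses the SSH message numbers from RFC 4253 (SSH_MSG_IGNORE = 2, SSH_MSG_UNIMPLEMENTED = 3, which carries the sequence number of the rejected packet) and an arbitrary message type 80 as something the peer does not handle; the `max_rounds` cap is the model's own way of representing a loop that the text describes as bounded in practice.

```python
"""Two-endpoint model of the MSG_UNIMPLEMENTED feedback loop (added example)."""

MSG_IGNORE = 2          # RFC 4253: SSH_MSG_IGNORE
MSG_UNIMPLEMENTED = 3   # RFC 4253: SSH_MSG_UNIMPLEMENTED, payload = rejected seq no.
MSG_UNHANDLED = 80      # a type neither model endpoint implements (constructed)


class Endpoint:
    """A minimal transport: handles MSG_IGNORE, rejects everything else."""

    def __init__(self, name, reply_to_unimplemented):
        self.name = name
        # True models the pre-2.4.2 behaviour the changelog describes;
        # False models the fix: log the rejection and send nothing back.
        self.reply_to_unimplemented = reply_to_unimplemented
        self.recv_seq = 0
        self.handled = {MSG_IGNORE}
        self.log = []

    def receive(self, msg_type, payload):
        """Process one packet; return the reply to send, or None."""
        seq = self.recv_seq
        self.recv_seq += 1
        if msg_type == MSG_UNIMPLEMENTED:
            self.log.append("%s: peer rejected our packet #%s" % (self.name, payload))
            if self.reply_to_unimplemented:
                return (MSG_UNIMPLEMENTED, seq)   # rejecting the rejection
            return None                           # fixed behaviour: drop it
        if msg_type in self.handled:
            return None
        return (MSG_UNIMPLEMENTED, seq)           # unknown type: reject it


def run_exchange(a, b, first_msg, max_rounds=20):
    """Deliver first_msg from a to b and bounce replies until one side stays silent.

    Returns (packets delivered, still_looping) where still_looping is True if
    the round cap stopped the exchange rather than a silent endpoint.
    """
    receiver = b
    other = a
    msg = first_msg
    count = 0
    while msg is not None and count < max_rounds:
        count += 1
        msg = receiver.receive(*msg)
        receiver, other = other, receiver
    return count, msg is not None


def compare():
    """Run the same unhandled message against both behaviours."""
    old = run_exchange(Endpoint("A", True), Endpoint("B", True), (MSG_UNHANDLED, None))
    new = run_exchange(Endpoint("A", False), Endpoint("B", False), (MSG_UNHANDLED, None))
    return {"pre_2_4_2": old, "fixed": new}


if __name__ == "__main__":
    print(compare())
```

With the old behaviour the exchange only stops because of the round cap; with the fix, the single legitimate MSG_UNIMPLEMENTED reply is logged by the sender and the connection goes quiet after two packets.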
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1637263 - CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
https://bugzilla.redhat.com/show_bug.cgi?id=1637263
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-3ff1cb628b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------