--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-aff51f5e62
2018-10-14 23:28:32.311556
--------------------------------------------------------------------------------
Name : python-paramiko
Product : Fedora 27
Version : 2.3.3
Release : 1.fc27
URL : https://github.com/paramiko/paramiko
Summary : SSH2 protocol library for python
Description :
Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel (this is how sftp works, for example).
--------------------------------------------------------------------------------
Update Information:
Python Paramiko versions 2.3.2 and 2.4.1 are vulnerable to an authentication
bypass in `paramiko/auth_handler.py`. A remote attacker could exploit this
vulnerability in Paramiko SSH servers to execute arbitrary code. Note that
applications using Paramiko only as a client (such as ansible) are not affected
by this. There is also an additional fix preventing `MSG_UNIMPLEMENTED`
feedback loops that could manifest when both ends of a connection are Paramiko-based.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Oct 9 2018 Paul Howarth <paul(a)city-fan.org> - 2.3.3-1
- Update to 2.3.3
- Fix exploit (GH#1283, CVE-2018-1000805) in Paramiko's server mode (not
client mode) where hostile clients could trick the server into thinking
they were authenticated without actually submitting valid authentication
- Modify protocol message handling such that Transport does not respond to
MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED; this behavior probably
didn't cause any outright errors, but it doesn't seem to conform to the
RFCs and could cause (non-infinite) feedback loops in some scenarios
(usually those involving Paramiko on both ends)
- Add *.pub files to the MANIFEST so distributed source packages contain some
necessary test assets (GH#1262)
- Backport pytest support and application of the black code formatter (both
of which previously only existed in the 2.4 branch and above) to everything
2.0 and newer, which makes back/forward porting bugfixes significantly
easier (GH#1291)
- Test suite now requires mock ≥ 2.0.0 and uses pytest
* Fri Mar 16 2018 Paul Howarth <paul(a)city-fan.org> - 2.3.2-1
- Update to 2.3.2
- Fix a security flaw (GH#1175, CVE-2018-7750) in Paramiko's server mode
(this does not impact client use) where authentication status was not
checked before processing channel-open and other requests typically only
sent after authenticating
- Ed25519 auth key decryption raised an unexpected exception when given a
unicode password string (typical in python 3) (GH#1039)
- Rename a private method keyword argument (which was named 'async') so that
we're compatible with the upcoming Python 3.7 release (where 'async' is a
new keyword) (GH#1108)
* Sun Oct 29 2017 Athmane Madjoudj <athmane(a)fedoraproject.org> - 2.3.1-3
- Add a patch to disable gssapi on unsupported version (rhbz #1507174)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1637263 - CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
https://bugzilla.redhat.com/show_bug.cgi?id=1637263
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-aff51f5e62' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------