--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-806492f1d1
2022-03-27 01:40:15.366140
--------------------------------------------------------------------------------
Name        : python-paramiko
Product     : Fedora 34
Version     : 2.10.3
Release     : 1.fc34
URL         : https://github.com/paramiko/paramiko
Summary     : SSH2 protocol library for python
Description :

Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel (this is how sftp works, for example).

--------------------------------------------------------------------------------
Update Information:

CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey`
subclasses was subject to a race condition between file creation and mode
modification, which could be exploited by an attacker with knowledge of where
the Paramiko-using code would write out such files; this has been patched by
using `os.open` and `os.fdopen` to ensure new files are opened with the correct
mode immediately (we've left the subsequent explicit 'chmod' in place to
minimize any possible disruption, though it may get removed in future
backwards-incompatible updates).
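The following is an added illustration of the two file-creation patterns the advisory contrasts; it is not paramiko's code and not part of this notification. It writes a constructed placeholder string (not key material) under a fixed umask of 0o022, first with the pre-fix pattern (create with the default mode, then chmod) and then with the fixed pattern (os.open with an explicit 0o600 mode, os.fdopen, and the retained chmod), and records the mode the file carries while it is still being written. The function names, the audit helper and the sample data are all assumptions made for this example.

```python
import os
import stat
import tempfile

OWNER_RW = stat.S_IRUSR | stat.S_IWUSR  # 0o600: owner read/write only


def file_mode(path):
    """Permission bits of an existing path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_then_chmod(path, data):
    """Pre-fix pattern (constructed for illustration, not paramiko's code).

    open() creates the file with 0o666 masked by the process umask, the data is
    written, and only afterwards is the mode tightened.  The value returned is
    the mode observed right after creation, i.e. during the window between
    file creation and mode modification that the advisory describes.
    """
    with open(path, "w") as f:
        mode_during_window = file_mode(path)
        f.write(data)
    os.chmod(path, OWNER_RW)
    return mode_during_window


def open_with_mode_then_chmod(path, data):
    """Fixed pattern: os.open() applies the restrictive mode at creation time,
    so a newly created file never carries a wider mode.  The trailing chmod is
    kept, as the advisory notes paramiko did; it still matters when the path
    already existed, because O_CREAT's mode argument only applies to files
    that are actually created by this call.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_RW)
    with os.fdopen(fd, "w") as f:
        mode_during_window = file_mode(path)
        f.write(data)
    os.chmod(path, OWNER_RW)
    return mode_during_window


def write_under_umask(writer, path, data, umask=0o022):
    """Run a writer with a fixed umask so the result does not depend on the
    caller's shell settings; the previous umask is restored afterwards."""
    old = os.umask(umask)
    try:
        return writer(path, data)
    finally:
        os.umask(old)


def private_key_file_is_private(path):
    """Audit check for an existing key file: no group or other bits set."""
    return file_mode(path) & 0o077 == 0


def demo():
    """Write a constructed placeholder with both patterns and report the mode
    seen inside the write window and the final mode for each."""
    data = "-----BEGIN PLACEHOLDER-----\nnot a real key\n-----END PLACEHOLDER-----\n"
    with tempfile.TemporaryDirectory() as d:
        unsafe = os.path.join(d, "id_unsafe")
        safe = os.path.join(d, "id_safe")
        unsafe_window = write_under_umask(create_then_chmod, unsafe, data)
        safe_window = write_under_umask(open_with_mode_then_chmod, safe, data)
        return {
            "unsafe_window": unsafe_window,   # 0o644 under umask 0o022
            "unsafe_final": file_mode(unsafe),  # 0o600 after the chmod
            "safe_window": safe_window,       # 0o600 from the moment of creation
            "safe_final": file_mode(safe),    # 0o600
            "unsafe_final_ok": private_key_file_is_private(unsafe),
            "safe_final_ok": private_key_file_is_private(safe),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) else value)
```

Both patterns end with a 0o600 file, which is why the final mode alone is not evidence that an application is safe; the difference is only visible during the write. The `private_key_file_is_private` helper is the after-the-fact check a reviewer can run over existing key files, while the `safe_window` value is what a code review of the creation path should establish.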
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 19 2022 Paul Howarth  - 2.10.3-1
- Update to 2.10.3
  - Certificate-based pubkey auth was inadvertently broken when adding SHA2
    support in version 2.9.0 (GH#1963, GH#1977)
  - Switch from module-global to thread-local storage when recording thread IDs
    for a logging helper; this should avoid one flavor of memory leak for
    long-running processes (GH#2002, GH#2003)
* Tue Mar 15 2022 Paul Howarth  - 2.10.2-1
- Update to 2.10.2
  - Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001)
- Re-enable sftp tests, no longer failing under mock
* Sun Mar 13 2022 Paul Howarth  - 2.10.1-1
- Update to 2.10.1
  - CVE-2022-24302: Creation of new private key files using
    '~paramiko.pkey.PKey' subclasses was subject to a race condition between
    file creation and mode modification, which could be exploited by an
    attacker with knowledge of where the Paramiko-using code would write out
    such files; this has been patched by using 'os.open' and 'os.fdopen' to
    ensure new files are opened with the correct mode immediately (we've left
    the subsequent explicit 'chmod' in place to minimize any possible
    disruption, though it may get removed in future backwards-incompatible
    updates)
  - Add support for the '%C' token when parsing SSH config files (GH#1976)
  - Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant
    isn't available or functional (GH#1509, GH#1837, GH#1868)
  - Significantly speed up low-level read/write actions on
    '~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview'
    (GH#892); this is unlikely to change anything for users of the higher level
    methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of
    'SFTPClient.open' will likely see orders of magnitude improvements for
    files larger than a few megabytes in size
  - Add 'six' explicitly to install-requires; it snuck into active use at some
    point but has only been indicated by transitive dependency on 'bcrypt'
    until they somewhat-recently dropped it (GH#1985); this will be short-lived
    until we drop Python 2 support
* Fri Jan 21 2022 Fedora Release Engineering  - 2.9.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jan 14 2022 Paul Howarth  - 2.9.2-2
- Avoid use of deprecated python-mock by using unittest.mock instead
  https://github.com/paramiko/paramiko/pull/1666
* Sat Jan  8 2022 Paul Howarth  - 2.9.2-1
- Update to 2.9.2
  - Connecting to servers that support 'server-sig-algs' but which have no
    overlap between that list and what a Paramiko client supports, now raise
    an exception instead of defaulting to 'rsa-sha2-512' (since the use of
    'server-sig-algs' allows us to know what the server supports)
  - Enhanced log output when connecting to servers that do not support
    'server-sig-algs' extensions, making the new-as-of-2.9 defaulting to SHA2
    pubkey algorithms more obvious when it kicks in
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2065665 - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function
        https://bugzilla.redhat.com/show_bug.cgi?id=2065665
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-806492f1d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Fedora 34: python-paramiko 2022-806492f1d1

March 26, 2022