--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2022-bb5c461682
2022-03-26 14:56:28.658477
--------------------------------------------------------------------------------Name        : python-paramiko
Product     : Fedora 36
Version     : 2.10.3
Release     : 1.fc36
URL         : https://github.com/paramiko/paramiko
Summary     : SSH2 protocol library for python
Description :

Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel (this is how sftp works, for example).

--------------------------------------------------------------------------------Update Information:

CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey`
subclasses was subject to a race condition between file creation and mode
modification, which could be exploited by an attacker with knowledge of where
the Paramiko-using code would write out such files; this has been patched by
using `os.open` and `os.fdopen` to ensure new files are opened with the correct
mode immediately (we've left the subsequent explicit 'chmod' in place to
minimize any possible  disruption, though it may get removed in future
backwards-incompatible updates).
--------------------------------------------------------------------------------ChangeLog:

* Sat Mar 19 2022 Paul Howarth  - 2.10.3-1
- Update to 2.10.3
  - Certificate-based pubkey auth was inadvertently broken when adding SHA2
    support in version 2.9.0 (GH#1963, GH#1977)
  - Switch from module-global to thread-local storage when recording thread IDs
    for a logging helper; this should avoid one flavor of memory leak for
    long-running processes (GH#2002, GH#2003)
* Tue Mar 15 2022 Paul Howarth  - 2.10.2-1
- Update to 2.10.2
  - Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001)
- Re-enable sftp tests, no longer failing under mock
* Sun Mar 13 2022 Paul Howarth  - 2.10.1-1
- Update to 2.10.1
  - CVE-2022-24302: Creation of new private key files using
    '~paramiko.pkey.PKey' subclasses was subject to a race condition between
    file creation and mode modification, which could be exploited by an
    attacker with knowledge of where the Paramiko-using code would write out
    such files; this has been patched by using 'os.open' and 'os.fdopen' to
    ensure new files are opened with the correct mode immediately (we've left
    the subsequent explicit 'chmod' in place to minimize any possible
    disruption, though it may get removed in future backwards-incompatible
    updates)
  - Add support for the '%C' token when parsing SSH config files (GH#1976)
  - Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant
    isn't available or functional (GH#1509, GH#1837, GH#1868)
  - Significantly speed up low-level read/write actions on
    '~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview'
    (GH#892); this is unlikely to change anything for users of the higher level
    methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of
    'SFTPClient.open' will likely see orders of magnitude improvements for
    files larger than a few megabytes in size
  - Add 'six' explicitly to install-requires; it snuck into active use at some
    point but has only been indicated by transitive dependency on 'bcrypt'
    until they somewhat-recently dropped it (GH#1985); this will be short-lived
    until we drop Python 2 support
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #2065665 - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function
        https://bugzilla.redhat.com/show_bug.cgi?id=2065665
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-bb5c461682' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Fedora 36: python-paramiko 2022-bb5c461682

March 26, 2022
CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey` subclasses was subject to a race condition between file creation and mode modification, which could be...

Summary

Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is

a module for python 2.3 or greater that implements the SSH2 protocol for secure

(encrypted and authenticated) connections to remote machines. Unlike SSL (aka

TLS), the SSH2 protocol does not require hierarchical certificates signed by a

powerful central authority. You may know SSH2 as the protocol that replaced

telnet and rsh for secure access to remote shells, but the protocol also

includes the ability to open arbitrary channels to remote services across an

encrypted tunnel (this is how sftp works, for example).

CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey`

subclasses was subject to a race condition between file creation and mode

modification, which could be exploited by an attacker with knowledge of where

the Paramiko-using code would write out such files; this has been patched by

using `os.open` and `os.fdopen` to ensure new files are opened with the correct

mode immediately (we've left the subsequent explicit 'chmod' in place to

minimize any possible disruption, though it may get removed in future

backwards-incompatible updates).

* Sat Mar 19 2022 Paul Howarth - 2.10.3-1

- Update to 2.10.3

- Certificate-based pubkey auth was inadvertently broken when adding SHA2

support in version 2.9.0 (GH#1963, GH#1977)

- Switch from module-global to thread-local storage when recording thread IDs

for a logging helper; this should avoid one flavor of memory leak for

long-running processes (GH#2002, GH#2003)

* Tue Mar 15 2022 Paul Howarth - 2.10.2-1

- Update to 2.10.2

- Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001)

- Re-enable sftp tests, no longer failing under mock

* Sun Mar 13 2022 Paul Howarth - 2.10.1-1

- Update to 2.10.1

- CVE-2022-24302: Creation of new private key files using

'~paramiko.pkey.PKey' subclasses was subject to a race condition between

file creation and mode modification, which could be exploited by an

attacker with knowledge of where the Paramiko-using code would write out

such files; this has been patched by using 'os.open' and 'os.fdopen' to

ensure new files are opened with the correct mode immediately (we've left

the subsequent explicit 'chmod' in place to minimize any possible

disruption, though it may get removed in future backwards-incompatible

updates)

- Add support for the '%C' token when parsing SSH config files (GH#1976)

- Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant

isn't available or functional (GH#1509, GH#1837, GH#1868)

- Significantly speed up low-level read/write actions on

'~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview'

(GH#892); this is unlikely to change anything for users of the higher level

methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of

'SFTPClient.open' will likely see orders of magnitude improvements for

files larger than a few megabytes in size

- Add 'six' explicitly to install-requires; it snuck into active use at some

point but has only been indicated by transitive dependency on 'bcrypt'

until they somewhat-recently dropped it (GH#1985); this will be short-lived

until we drop Python 2 support

[ 1 ] Bug #2065665 - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function

https://bugzilla.redhat.com/show_bug.cgi?id=2065665

su -c 'dnf upgrade --advisory FEDORA-2022-bb5c461682' at the command

line. For more information, refer to the dnf documentation available at

http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/keys

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

FEDORA-2022-bb5c461682 2022-03-26 14:56:28.658477 Product : Fedora 36 Version : 2.10.3 Release : 1.fc36 URL : https://github.com/paramiko/paramiko Summary : SSH2 protocol library for python Description : Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is a module for python 2.3 or greater that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. Unlike SSL (aka TLS), the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and rsh for secure access to remote shells, but the protocol also includes the ability to open arbitrary channels to remote services across an encrypted tunnel (this is how sftp works, for example). CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey` subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using `os.open` and `os.fdopen` to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit 'chmod' in place to minimize any possible disruption, though it may get removed in future backwards-incompatible updates). * Sat Mar 19 2022 Paul Howarth - 2.10.3-1 - Update to 2.10.3 - Certificate-based pubkey auth was inadvertently broken when adding SHA2 support in version 2.9.0 (GH#1963, GH#1977) - Switch from module-global to thread-local storage when recording thread IDs for a logging helper; this should avoid one flavor of memory leak for long-running processes (GH#2002, GH#2003) * Tue Mar 15 2022 Paul Howarth - 2.10.2-1 - Update to 2.10.2 - Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001) - Re-enable sftp tests, no longer failing under mock * Sun Mar 13 2022 Paul Howarth - 2.10.1-1 - Update to 2.10.1 - CVE-2022-24302: Creation of new private key files using '~paramiko.pkey.PKey' subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using 'os.open' and 'os.fdopen' to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit 'chmod' in place to minimize any possible disruption, though it may get removed in future backwards-incompatible updates) - Add support for the '%C' token when parsing SSH config files (GH#1976) - Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant isn't available or functional (GH#1509, GH#1837, GH#1868) - Significantly speed up low-level read/write actions on '~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview' (GH#892); this is unlikely to change anything for users of the higher level methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of 'SFTPClient.open' will likely see orders of magnitude improvements for files larger than a few megabytes in size - Add 'six' explicitly to install-requires; it snuck into active use at some point but has only been indicated by transitive dependency on 'bcrypt' until they somewhat-recently dropped it (GH#1985); this will be short-lived until we drop Python 2 support [ 1 ] Bug #2065665 - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function https://bugzilla.redhat.com/show_bug.cgi?id=2065665 su -c 'dnf upgrade --advisory FEDORA-2022-bb5c461682' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Change Log

References

Update Instructions

Severity
Product : Fedora 36
Version : 2.10.3
Release : 1.fc36
URL : https://github.com/paramiko/paramiko
Summary : SSH2 protocol library for python

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved