pool/python-paramiko
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1134140 from devel:languages:python

Browse Source 
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168)
  * Transport grew a new packetizer_class kwarg for overriding the
    packet-handler class used internally.
  * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found
    in the SSH protocol re: treatment of packet sequence numbers) as follows:
    + The vulnerability only impacts encrypt-then-MAC digest algorithms in
      tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
      currently only implements hmac-sha2-(256|512)-etm in tandem with
      AES-CBC.
    + As the fix for the vulnerability requires both ends of the connection
      to cooperate, the below changes will only take effect when the remote
      end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode,
      as of this patch version) and configured to use the new
      "strict kex" mode.
    + Paramiko will now raise an SSHException subclass (MessageOrderError)
      when protocol messages are received in unexpected order. This includes
      situations like receiving MSG_DEBUG or MSG_IGNORE during initial key
      exchange, which are no longer allowed during strict mode.
    + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered --
      now resets packet sequence numbers. (This should be invisible to users
      during normal operation, only causing exceptions if the exploit is
      encountered, which will usually result in, again, MessageOrderError.)
    + Sequence number rollover will now raise SSHException if it occurs
      during initial key exchange (regardless of strict mode status).
  * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the
    original implementation made assumptions based on an OpenSSH
    implementation detail.
- Add patch use-64-bit-maxsize-everywhere.patch:
  * Use the 64-bit value of sys.maxsize.

OBS-URL: https://build.opensuse.org/request/show/1134140
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-paramiko?expand=0&rev=61
This commit is contained in:
Ana Guerrero 2023-12-20 20:00:13 +00:00 committed by Git OBS Bridge
commit 4b816dae87
5 changed files with 58 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
paramiko-3.3.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6a3777a961ac86dbef375c5f5b8d50014a1a96d0fd7f054a43bc880134b0ff77
size 1270242

BIN
paramiko-3.4.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

33
python-paramiko.changes
View File

@ -1,3 +1,36 @@
-------------------------------------------------------------------
Wed Dec 20 06:57:15 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168)
* Transport grew a new packetizer_class kwarg for overriding the
packet-handler class used internally.
* Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found
in the SSH protocol re: treatment of packet sequence numbers) as follows:
+ The vulnerability only impacts encrypt-then-MAC digest algorithms in
tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
currently only implements hmac-sha2-(256|512)-etm in tandem with
AES-CBC.
+ As the fix for the vulnerability requires both ends of the connection
to cooperate, the below changes will only take effect when the remote
end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode,
as of this patch version) and configured to use the new
"strict kex" mode.
+ Paramiko will now raise an SSHException subclass (MessageOrderError)
when protocol messages are received in unexpected order. This includes
situations like receiving MSG_DEBUG or MSG_IGNORE during initial key
exchange, which are no longer allowed during strict mode.
+ Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered --
now resets packet sequence numbers. (This should be invisible to users
during normal operation, only causing exceptions if the exploit is
encountered, which will usually result in, again, MessageOrderError.)
+ Sequence number rollover will now raise SSHException if it occurs
during initial key exchange (regardless of strict mode status).
* Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the
original implementation made assumptions based on an OpenSSH
implementation detail.
- Add patch use-64-bit-maxsize-everywhere.patch:
* Use the 64-bit value of sys.maxsize.
-------------------------------------------------------------------
Fri Sep 29 22:29:46 UTC 2023 - Ondřej Súkup <mimi.vx@gmail.com>

6
python-paramiko.spec
View File

@ -18,16 +18,17 @@
%{?sle15_python_module_pythons}
Name: python-paramiko
Version: 3.3.1
Version: 3.4.0
Release: 0
Summary: SSH2 protocol library
License: LGPL-2.1-or-later
Group: Documentation/Other
URL: https://www.paramiko.org/
Source0: https://files.pythonhosted.org/packages/source/p/paramiko/paramiko-%{version}.tar.gz
Patch0: paramiko-test_extend_timeout.patch
# PATCH-FIX-OPENSUSE remove-icecream-dep.patch to do not depend on python-icecream and unvendor lexicon
Patch1: remove-icecream-dep.patch
# PATCH-FIX-OPENSUSE use 64-bit value of sys.maxsize to prevent test failure on 32-bit
Patch2: use-64-bit-maxsize-everywhere.patch
BuildRequires: %{python_module PyNaCl >= 1.0.1}
BuildRequires: %{python_module Sphinx}
BuildRequires: %{python_module bcrypt >= 3.2}
@ -60,7 +61,6 @@ are supported. SFTP client and server mode are both supported too.
%package -n python-paramiko-doc
Summary: Documentation for %{name}
Group: Documentation/Other
Provides: %{python_module paramiko-doc = %{version}}
%description -n python-paramiko-doc

19
use-64-bit-maxsize-everywhere.patch Normal file
View File

@ -0,0 +1,19 @@
Index: paramiko-3.4.0/tests/test_transport.py
===================================================================
--- paramiko-3.4.0.orig/tests/test_transport.py
+++ paramiko-3.4.0/tests/test_transport.py
@@ -1423,12 +1423,12 @@ class TestStrictKex:
setattr(
self.packetizer,
"_Packetizer__sequence_number_in",
- sys.maxsize,
+ 2**63-1,
)
setattr(
self.packetizer,
"_Packetizer__sequence_number_out",
- sys.maxsize,
+ 2**63-1,
)
with raises(