diff --git a/paramiko-3.3.1.tar.gz b/paramiko-3.3.1.tar.gz deleted file mode 100644 index 17405ba..0000000 --- a/paramiko-3.3.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6a3777a961ac86dbef375c5f5b8d50014a1a96d0fd7f054a43bc880134b0ff77 -size 1270242 diff --git a/paramiko-3.4.0.tar.gz b/paramiko-3.4.0.tar.gz new file mode 100644 index 0000000..f2db31d --- /dev/null +++ b/paramiko-3.4.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aac08f26a31dc4dffd92821527d1682d99d52f9ef6851968114a8728f3c274d3 +size 1277306 diff --git a/python-paramiko.changes b/python-paramiko.changes index c28ecb2..5d25f06 100644 --- a/python-paramiko.changes +++ b/python-paramiko.changes @@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Tue Dec 19 06:37:20 UTC 2023 - Steve Kowalik + +- Update to 3.4.0: (CVE-2023-48795, bsc#1218168) + * Transport grew a new packetizer_class kwarg for overriding the + packet-handler class used internally. + * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found + in the SSH protocol re: treatment of packet sequence numbers) as follows: + + The vulnerability only impacts encrypt-then-MAC digest algorithms in + tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko + currently only implements hmac-sha2-(256|512)-etm in tandem with + AES-CBC. + + As the fix for the vulnerability requires both ends of the connection + to cooperate, the below changes will only take effect when the remote + end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, + as of this patch version) and configured to use the new + "strict kex" mode. + + Paramiko will now raise an SSHException subclass (MessageOrderError) + when protocol messages are received in unexpected order. This includes + situations like receiving MSG_DEBUG or MSG_IGNORE during initial key + exchange, which are no longer allowed during strict mode. + + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered -- + now resets packet sequence numbers. (This should be invisible to users + during normal operation, only causing exceptions if the exploit is + encountered, which will usually result in, again, MessageOrderError.) + + Sequence number rollover will now raise SSHException if it occurs + during initial key exchange (regardless of strict mode status). + * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the + original implementation made assumptions based on an OpenSSH + implementation detail. + ------------------------------------------------------------------- Fri Sep 29 22:29:46 UTC 2023 - Ondřej Súkup diff --git a/python-paramiko.spec b/python-paramiko.spec index 745eb82..52f1ea6 100644 --- a/python-paramiko.spec +++ b/python-paramiko.spec @@ -18,11 +18,10 @@ %{?sle15_python_module_pythons} Name: python-paramiko -Version: 3.3.1 +Version: 3.4.0 Release: 0 Summary: SSH2 protocol library License: LGPL-2.1-or-later -Group: Documentation/Other URL: https://www.paramiko.org/ Source0: https://files.pythonhosted.org/packages/source/p/paramiko/paramiko-%{version}.tar.gz Patch0: paramiko-test_extend_timeout.patch @@ -60,7 +59,6 @@ are supported. SFTP client and server mode are both supported too. %package -n python-paramiko-doc Summary: Documentation for %{name} -Group: Documentation/Other Provides: %{python_module paramiko-doc = %{version}} %description -n python-paramiko-doc