pool/python-paramiko
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Update to 3.4.0: (CVE-2023-48795, bsc#1218168)

Browse Source 
* Transport grew a new packetizer_class kwarg for overriding the
    packet-handler class used internally.
  * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found
    in the SSH protocol re: treatment of packet sequence numbers) as follows:
    + The vulnerability only impacts encrypt-then-MAC digest algorithms in
      tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
      currently only implements hmac-sha2-(256|512)-etm in tandem with
      AES-CBC.
    + As the fix for the vulnerability requires both ends of the connection
      to cooperate, the below changes will only take effect when the remote
      end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode,
      as of this patch version) and configured to use the new
      "strict kex" mode.
    + Paramiko will now raise an SSHException subclass (MessageOrderError)
      when protocol messages are received in unexpected order. This includes
      situations like receiving MSG_DEBUG or MSG_IGNORE during initial key
      exchange, which are no longer allowed during strict mode.
    + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered --
      now resets packet sequence numbers. (This should be invisible to users
      during normal operation, only causing exceptions if the exploit is
      encountered, which will usually result in, again, MessageOrderError.)
    + Sequence number rollover will now raise SSHException if it occurs
      during initial key exchange (regardless of strict mode status).
  * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the
    original implementation made assumptions based on an OpenSSH
    implementation detail.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=118
This commit is contained in:
Steve Kowalik 2023-12-19 06:43:04 +00:00 committed by Git OBS Bridge
parent 51336eb89a
commit 7f0e9918e5
4 changed files with 35 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
paramiko-3.3.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6a3777a961ac86dbef375c5f5b8d50014a1a96d0fd7f054a43bc880134b0ff77
size 1270242

BIN
paramiko-3.4.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

31
python-paramiko.changes
View File

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Tue Dec 19 06:37:20 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168)
* Transport grew a new packetizer_class kwarg for overriding the
packet-handler class used internally.
* Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found
in the SSH protocol re: treatment of packet sequence numbers) as follows:
+ The vulnerability only impacts encrypt-then-MAC digest algorithms in
tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
currently only implements hmac-sha2-(256|512)-etm in tandem with
AES-CBC.
+ As the fix for the vulnerability requires both ends of the connection
to cooperate, the below changes will only take effect when the remote
end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode,
as of this patch version) and configured to use the new
"strict kex" mode.
+ Paramiko will now raise an SSHException subclass (MessageOrderError)
when protocol messages are received in unexpected order. This includes
situations like receiving MSG_DEBUG or MSG_IGNORE during initial key
exchange, which are no longer allowed during strict mode.
+ Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered --
now resets packet sequence numbers. (This should be invisible to users
during normal operation, only causing exceptions if the exploit is
encountered, which will usually result in, again, MessageOrderError.)
+ Sequence number rollover will now raise SSHException if it occurs
during initial key exchange (regardless of strict mode status).
* Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the
original implementation made assumptions based on an OpenSSH
implementation detail.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 29 22:29:46 UTC 2023 - Ondřej Súkup <mimi.vx@gmail.com> Fri Sep 29 22:29:46 UTC 2023 - Ondřej Súkup <mimi.vx@gmail.com>

4
python-paramiko.spec
View File

@ -18,11 +18,10 @@
%{?sle15_python_module_pythons} %{?sle15_python_module_pythons}
Name: python-paramiko Name: python-paramiko
Version: 3.3.1 Version: 3.4.0
Release: 0 Release: 0
Summary: SSH2 protocol library Summary: SSH2 protocol library
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
Group: Documentation/Other
URL: https://www.paramiko.org/ URL: https://www.paramiko.org/
Source0: https://files.pythonhosted.org/packages/source/p/paramiko/paramiko-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/p/paramiko/paramiko-%{version}.tar.gz
Patch0: paramiko-test_extend_timeout.patch Patch0: paramiko-test_extend_timeout.patch
@ -60,7 +59,6 @@ are supported. SFTP client and server mode are both supported too.
%package -n python-paramiko-doc %package -n python-paramiko-doc
Summary: Documentation for %{name} Summary: Documentation for %{name}
Group: Documentation/Other
Provides: %{python_module paramiko-doc = %{version}} Provides: %{python_module paramiko-doc = %{version}}
%description -n python-paramiko-doc %description -n python-paramiko-doc