7b148b9064
Accepting request 1245348 from devel:languages:python
Ana Guerrero2025-02-12 20:30:38 +00:00
20e1148d4c
- Update to 3.5.1 * [Bug] #2490: Private key material is now explicitly ‘unpadded’ during decryption, removing a reliance on some lax OpenSSL behavior & making us compatible with future Cryptography releases. Patch courtesy of Alex Gaynor.
Markéta Machová2025-02-12 10:40:50 +00:00
d3da9124ab
Accepting request 1245339 from home:glaubitz:branches:devel:languages:python
Markéta Machová2025-02-12 10:40:50 +00:00
c62096dfdb
Accepting request 1225317 from devel:languages:python
Ana Guerrero2024-11-21 14:13:13 +00:00
23ff4bf74e
Accepting request 1225317 from devel:languages:python
Ana Guerrero2024-11-21 14:13:13 +00:00
7c39cbb9f2
- reenable python 313 build * [Feature] #982: (via #2444, which was a rebase of #2157) Add support for AES-GCM encryption ciphers (128 and 256 bit variants). Thanks to Alex Gaynor for the report (& for cryptography review), Shen Cheng for the original PR, and Chris Mason for the updated PR; This functionality has been tested in client mode against OpenSSH 9.0, 9.2, and 9.6, as well as against a number of proprietary appliance SSH servers.
Dirk Mueller2024-11-20 15:22:00 +00:00
7a3fe22990
- reenable python 313 build * [Feature] #982: (via #2444, which was a rebase of #2157) Add support for AES-GCM encryption ciphers (128 and 256 bit variants). Thanks to Alex Gaynor for the report (& for cryptography review), Shen Cheng for the original PR, and Chris Mason for the updated PR; This functionality has been tested in client mode against OpenSSH 9.0, 9.2, and 9.6, as well as against a number of proprietary appliance SSH servers.
Dirk Mueller2024-11-20 15:22:00 +00:00
cab21216e1
- Update to 3.5.0: * [Feature] #982: (via #2444, which was a rebase of #2157) Add support for AES-GCM encryption ciphers (128 and 256 bit variants). Thanks to Alex Gaynor for the report (& for cryptography review), Shen Cheng for the original PR, and Chris Mason for the updated PR; plus as usual to everyone who tested the patches and reported their results! This functionality has been tested in client mode against OpenSSH 9.0, 9.2, and 9.6, as well as against a number of proprietary appliance SSH servers.
Robert Schweikert2024-11-20 14:08:17 +00:00
716ea3dc40
Accepting request 1225296 from home:asmorodskyi:branches:devel:languages:python
Robert Schweikert2024-11-20 14:08:17 +00:00
47aa01ff23
- Update to 3.4.1: * Fix a 64-bit-ism in the test suite so the tests don't encounter a false negative on 32-bit systems. * Modify a test-harness skiptest check to work with newer versions of Cryptography. * Massage our import of the TripleDES cipher to support Cryptography >=43; this should prevent CryptographyDeprecationWarning from appearing upon import. - Remove patches that are not needed anymore since they've been fixed upstream: * support-pytest-8.patch * use-64-bit-maxsize-everywhere.patch
Robert Schweikert2024-08-30 17:20:46 +00:00
fe77062908
Accepting request 1194596 from home:alarrosa:branches:devel:languages:python
Robert Schweikert2024-08-30 17:20:46 +00:00
f099bdfd92
Accepting request 1173814 from devel:languages:python
Ana Guerrero2024-05-15 19:25:35 +00:00
bf36da7f3c
Accepting request 1173814 from devel:languages:python
Ana Guerrero2024-05-15 19:25:35 +00:00
945e04b08b
- Add patch support-pytest-8.patch: * Use non-deprecated setup method to support pytest >= 8.
Steve Kowalik2024-05-14 03:28:44 +00:00
f2bdec38a1
- Add patch support-pytest-8.patch: * Use non-deprecated setup method to support pytest >= 8.
Steve Kowalik2024-05-14 03:28:44 +00:00
4b816dae87
Accepting request 1134140 from devel:languages:python
Ana Guerrero2023-12-20 20:00:13 +00:00
921a02b2cd
Accepting request 1134140 from devel:languages:python
Ana Guerrero2023-12-20 20:00:13 +00:00
1cce8650fb
- Add patch use-64-bit-maxsize-everywhere.patch: * Use the 64-bit value of sys.maxsize.
Steve Kowalik2023-12-20 06:58:14 +00:00
3cf6c212be
- Add patch use-64-bit-maxsize-everywhere.patch: * Use the 64-bit value of sys.maxsize.
Steve Kowalik2023-12-20 06:58:14 +00:00
7f0e9918e5
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168) * Transport grew a new packetizer_class kwarg for overriding the packet-handler class used internally. * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows: + The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements hmac-sha2-(256|512)-etm in tandem with AES-CBC. + As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode. + Paramiko will now raise an SSHException subclass (MessageOrderError) when protocol messages are received in unexpected order. This includes situations like receiving MSG_DEBUG or MSG_IGNORE during initial key exchange, which are no longer allowed during strict mode. + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered -- now resets packet sequence numbers. (This should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, MessageOrderError.) + Sequence number rollover will now raise SSHException if it occurs during initial key exchange (regardless of strict mode status). * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail.
Steve Kowalik2023-12-19 06:43:04 +00:00
e74fb6ed40
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168) * Transport grew a new packetizer_class kwarg for overriding the packet-handler class used internally. * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows: + The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements hmac-sha2-(256|512)-etm in tandem with AES-CBC. + As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode. + Paramiko will now raise an SSHException subclass (MessageOrderError) when protocol messages are received in unexpected order. This includes situations like receiving MSG_DEBUG or MSG_IGNORE during initial key exchange, which are no longer allowed during strict mode. + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered -- now resets packet sequence numbers. (This should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, MessageOrderError.) + Sequence number rollover will now raise SSHException if it occurs during initial key exchange (regardless of strict mode status). * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail.
Steve Kowalik2023-12-19 06:43:04 +00:00
109447d61b
Accepting request 1116019 from devel:languages:python
Ana Guerrero2023-10-06 19:12:11 +00:00
ce88c5e99b
Accepting request 1116019 from devel:languages:python
Ana Guerrero2023-10-06 19:12:11 +00:00
51336eb89a
* [Feature] #1951: Add SSH config token expansion (eg %h, %p) when * [Support] #2004: (via #2011) Apply unittest skipIf to tests currently using SHA1 in their critical path, to avoid failures on systems starting * [Support] #1838: (via #1870/#2028) Update camelCase method calls against the threading module to be snake_case; this and related tweaks * [Support] #2038: (via #2039) Recent versions of Cryptography have deprecated Blowfish algorithm support; in lieu of an easy method for users to remove it from the list of algorithms Paramiko tries to import and use, we’ve decided to remove it from our “preferred algorithms” list. This will both discourage use of a weak algorithm, and avoid warnings. * [Bug] #2017: OpenSSH 7.7 and older has a bug preventing it from understanding how to perform SHA2 signature verification for RSA certificates (specifically certs - not keys), so when we added SHA2 support it broke all clients using RSA certificates with these servers. This has been fixed in a manner similar to what OpenSSH’s own client does: a version check is performed and the algorithm used is downgraded * [Bug] #1933: Align signature verification algorithm with OpenSSH re: zero-padding signatures which don’t match their nominal size/length. This shouldn’t affect most users, but will help Paramiko-implemented SSH - Update to 2.10.3 (bsc#1197279, CVE-2022-24302) - [Feature] #1846: Add a prefetch keyword argument to - [Support] #1727: Add missing test suite fixtures directory to - Set environment to utf-8 to allow tests to pass on Python 2. (bsc#1178341) * gh#paramiko/paramiko#1655 - update to 2.7.2 (bsc#1166758, bsc#1166758, bsc#1205132) - update to 2.6.0 (bsc#1200603) - update to 2.5.0 extend timeout in testsuite to pass on ppc64le key-decryption passphrases from password-auth passwords. * Certificate support broke the no-certificate case for Ed25519 keys
Dirk Mueller2023-10-06 10:37:03 +00:00
0bc5d4378b
* [Feature] #1951: Add SSH config token expansion (eg %h, %p) when * [Support] #2004: (via #2011) Apply unittest skipIf to tests currently using SHA1 in their critical path, to avoid failures on systems starting * [Support] #1838: (via #1870/#2028) Update camelCase method calls against the threading module to be snake_case; this and related tweaks * [Support] #2038: (via #2039) Recent versions of Cryptography have deprecated Blowfish algorithm support; in lieu of an easy method for users to remove it from the list of algorithms Paramiko tries to import and use, we’ve decided to remove it from our “preferred algorithms” list. This will both discourage use of a weak algorithm, and avoid warnings. * [Bug] #2017: OpenSSH 7.7 and older has a bug preventing it from understanding how to perform SHA2 signature verification for RSA certificates (specifically certs - not keys), so when we added SHA2 support it broke all clients using RSA certificates with these servers. This has been fixed in a manner similar to what OpenSSH’s own client does: a version check is performed and the algorithm used is downgraded * [Bug] #1933: Align signature verification algorithm with OpenSSH re: zero-padding signatures which don’t match their nominal size/length. This shouldn’t affect most users, but will help Paramiko-implemented SSH - Update to 2.10.3 (bsc#1197279, CVE-2022-24302) - [Feature] #1846: Add a prefetch keyword argument to - [Support] #1727: Add missing test suite fixtures directory to - Set environment to utf-8 to allow tests to pass on Python 2. (bsc#1178341) * gh#paramiko/paramiko#1655 - update to 2.7.2 (bsc#1166758, bsc#1166758, bsc#1205132) - update to 2.6.0 (bsc#1200603) - update to 2.5.0 extend timeout in testsuite to pass on ppc64le key-decryption passphrases from password-auth passwords. * Certificate support broke the no-certificate case for Ed25519 keys
Dirk Mueller2023-10-06 10:37:03 +00:00
bd20bb11fb
Accepting request 1114537 from devel:languages:python
Ana Guerrero2023-10-02 18:04:04 +00:00
eb1247653f
Accepting request 1114537 from devel:languages:python
Ana Guerrero2023-10-02 18:04:04 +00:00
eea616c4d7
Accepting request 1114462 from home:mimi_vx:branches:devel:languages:python
Matej Cepl2023-09-30 13:02:20 +00:00
f2524dd538
Accepting request 1114462 from home:mimi_vx:branches:devel:languages:python
Matej Cepl2023-09-30 13:02:20 +00:00
0b8f87a515
- Delete paramiko-pr1665-remove-pytest-relaxed.patch - Add remove-icecream-dep.patch - Update to 3.1.0: * [Feature] #2173: Accept single tabs as field separators (in addition to single spaces) in <paramiko.hostkeys.HostKeyEntry.from_line> for parity with OpenSSH’s KnownHosts parser. Patched by Alex Chavkin. * [Feature] #2013: (solving #2009, plus others) Add an explicit channel_timeout keyword argument to paramiko.client.SSHClient.connect, allowing users to configure the previously-hardcoded default value of 3600 seconds. Thanks to @VakarisZ and @ilija-lazoroski for the report and patch, with credit to Mike Salvatore for patch review. * [Support] #2178: Apply codespell to the codebase, which found a lot of very old minor spelling mistakes in docstrings. Also modernize many instances of *largs vs *args and **kwarg vs **kwargs. Patch courtesy of Yaroslav Halchenko, with review from Brian Skinn. - 3.0.0: * [Bug]: A handful of lower-level classes (notably paramiko.message.Message and paramiko.pkey.PKey) previously returned bytes objects from their implementation of __str__, even under Python 3; and there was never any __bytes__ method. * These issues have been fixed by renaming __str__ to __bytes__ and relying on Python’s default “stringification returns the output of __repr__” behavior re: any real attempts to str() such objects. * [Bug] #2165: Streamline some redundant (and costly) byte conversion calls in the packetizer and the core SFTP module. This should lead to some SFTP speedups at the very least. Thanks to Alex Gaynor for the patch.
Daniel Garcia2023-05-12 09:31:22 +00:00
d79927a46a
- Delete paramiko-pr1665-remove-pytest-relaxed.patch - Add remove-icecream-dep.patch - Update to 3.1.0: * [Feature] #2173: Accept single tabs as field separators (in addition to single spaces) in <paramiko.hostkeys.HostKeyEntry.from_line> for parity with OpenSSH’s KnownHosts parser. Patched by Alex Chavkin. * [Feature] #2013: (solving #2009, plus others) Add an explicit channel_timeout keyword argument to paramiko.client.SSHClient.connect, allowing users to configure the previously-hardcoded default value of 3600 seconds. Thanks to @VakarisZ and @ilija-lazoroski for the report and patch, with credit to Mike Salvatore for patch review. * [Support] #2178: Apply codespell to the codebase, which found a lot of very old minor spelling mistakes in docstrings. Also modernize many instances of *largs vs *args and **kwarg vs **kwargs. Patch courtesy of Yaroslav Halchenko, with review from Brian Skinn. - 3.0.0: * [Bug]: A handful of lower-level classes (notably paramiko.message.Message and paramiko.pkey.PKey) previously returned bytes objects from their implementation of __str__, even under Python 3; and there was never any __bytes__ method. * These issues have been fixed by renaming __str__ to __bytes__ and relying on Python’s default “stringification returns the output of __repr__” behavior re: any real attempts to str() such objects. * [Bug] #2165: Streamline some redundant (and costly) byte conversion calls in the packetizer and the core SFTP module. This should lead to some SFTP speedups at the very least. Thanks to Alex Gaynor for the patch.
Daniel Garcia2023-05-12 09:31:22 +00:00
925537a411
- update to 2.10.4: * Servers offering certificate variants of hostkey algorithms (eg ssh-rsa-cert-v01@openssh.com) could not have their host keys verified by Paramiko clients, as it only ever considered non-cert key types for that part of connection handshaking. This has been fixed. * gq PKey instances’ __eq__ did not have the usual safety guard in place to ensure they were being compared to another PKey object, causing occasional spurious BadHostKeyException (among other things). This has been fixed. * Update camelCase method calls against the threading module to be snake_case; this and related tweaks should fix some deprecation warnings under Python 3.10.
Dirk Mueller2022-04-29 06:46:25 +00:00
ae7bb2a84e
- update to 2.10.4: * Servers offering certificate variants of hostkey algorithms (eg ssh-rsa-cert-v01@openssh.com) could not have their host keys verified by Paramiko clients, as it only ever considered non-cert key types for that part of connection handshaking. This has been fixed. * gq PKey instances’ __eq__ did not have the usual safety guard in place to ensure they were being compared to another PKey object, causing occasional spurious BadHostKeyException (among other things). This has been fixed. * Update camelCase method calls against the threading module to be snake_case; this and related tweaks should fix some deprecation warnings under Python 3.10.
Dirk Mueller2022-04-29 06:46:25 +00:00
59ad0c6437
- update to 2.7.2 - drop configs.tar.gz * Add missing test suite fixtures directory to MANIFEST.in * Remove leading whitespace from OpenSSH RSA test suite static key fixture, * Fix incorrect string formatting causing unhelpful error message annotation when using Kerberos/GSSAPI. * Fix incorrectly swapped order of p and q numbers when loading OpenSSH-format RSA private keys.
Ondřej Súkup2020-09-04 06:31:05 +00:00
6b2b25730a
- update to 2.7.2 - drop configs.tar.gz * Add missing test suite fixtures directory to MANIFEST.in * Remove leading whitespace from OpenSSH RSA test suite static key fixture, * Fix incorrect string formatting causing unhelpful error message annotation when using Kerberos/GSSAPI. * Fix incorrectly swapped order of p and q numbers when loading OpenSSH-format RSA private keys.
Ondřej Súkup2020-09-04 06:31:05 +00:00
fd964421b4
- update to 2.6.0 - drop relaxed.patch and 1311.patch * add a new keyword argument to SSHClient.connect <paramiko.client.SSHClient.connect> and paramiko.transport.Transport -> disabled_algorithms * Fix Ed25519 key handling so certain key comment lengths don't cause SSHException("Invalid key") * Add backwards-compatible support for the gssapi
Ondřej Súkup2019-06-25 10:50:32 +00:00
ce2f464f8f
- update to 2.6.0 - drop relaxed.patch and 1311.patch * add a new keyword argument to SSHClient.connect <paramiko.client.SSHClient.connect> and paramiko.transport.Transport -> disabled_algorithms * Fix Ed25519 key handling so certain key comment lengths don't cause SSHException("Invalid key") * Add backwards-compatible support for the gssapi
Ondřej Súkup2019-06-25 10:50:32 +00:00
45b4cf43d8
- update to 2.5.0 - dropped 1379.patch - refreshed patches: paramiko-test_extend_timeout.patch relaxed.patch 1311.patch * Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). * Add support for Curve25519 key exchange. * Raise Cryptography dependency requirement to version 2.5 * Add support for the modern (as of Python 3.3) import location of MutableMapping
Ondřej Súkup2019-06-11 11:26:30 +00:00
bf59e35158
- update to 2.5.0 - dropped 1379.patch - refreshed patches: paramiko-test_extend_timeout.patch relaxed.patch 1311.patch * Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). * Add support for Curve25519 key exchange. * Raise Cryptography dependency requirement to version 2.5 * Add support for the modern (as of Python 3.3) import location of MutableMapping
Ondřej Súkup2019-06-11 11:26:30 +00:00
Ana Guerrero
Steve Kowalik
Markéta Machová
Dirk Mueller
Robert Schweikert
Dominique Leuenberger
Matej Cepl
Daniel Garcia
Tomáš Chvátal
Ondřej Súkup
Stephan Kulow