You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa python-paramiko

Sigurnosni nedostatak programskog paketa python-paramiko

——————————————————————————–
Fedora Update Notification
FEDORA-2018-c1769746da
2018-04-01 03:51:20.561315
——————————————————————————–

Name : python-paramiko
Product : Fedora 26
Version : 2.2.3
Release : 1.fc26
URL : https://github.com/paramiko/paramiko
Summary : SSH2 protocol library for python
Description :

Paramiko (a combination of the Esperanto words for “paranoid” and “friend”) is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel. (This is how sftp works, for example.)

——————————————————————————–
Update Information:

A flaw was found in the implementation of `transport.py` in Paramiko, which did
not properly check whether authentication was completed before processing other
requests. A customized SSH client could simply skip the authentication step.
This flaw is a user authentication bypass in the SSH Server functionality of
Paramiko. Where Paramiko is used only for its client-side functionality (e.g.
`paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be
exploited. This update also fixes an issue where Ed25519 auth key decryption
raised an unexpected exception when given a unicode password string (typical in
Python 3).
——————————————————————————–
References:

[ 1 ] Bug #1557130 – CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
https://bugzilla.redhat.com/show_bug.cgi?id=1557130
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade python-paramiko’ at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2018-6db2f7a02e
2018-04-01 03:28:15.910067
——————————————————————————–

Name : python-paramiko
Product : Fedora 27
Version : 2.3.2
Release : 1.fc27
URL : https://github.com/paramiko/paramiko
Summary : SSH2 protocol library for python
Description :

Paramiko (a combination of the Esperanto words for “paranoid” and “friend”) is
a module for python 2.3 or greater that implements the SSH2 protocol for secure
(encrypted and authenticated) connections to remote machines. Unlike SSL (aka
TLS), the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. You may know SSH2 as the protocol that replaced
telnet and rsh for secure access to remote shells, but the protocol also
includes the ability to open arbitrary channels to remote services across an
encrypted tunnel (this is how sftp works, for example).

——————————————————————————–
Update Information:

A flaw was found in the implementation of `transport.py` in Paramiko, which did
not properly check whether authentication was completed before processing other
requests. A customized SSH client could simply skip the authentication step.
This flaw is a user authentication bypass in the SSH Server functionality of
Paramiko. Where Paramiko is used only for its client-side functionality (e.g.
`paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be
exploited. This update also fixes an issue where Ed25519 auth key decryption
raised an unexpected exception when given a unicode password string (typical in
Python 3).
——————————————————————————–
References:

[ 1 ] Bug #1557130 – CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
https://bugzilla.redhat.com/show_bug.cgi?id=1557130
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade python-paramiko’ at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Top
More in Preporuke
Sigurnosni nedostaci programskog paketa memcached

Otkriveni su sigurnosni nedostaci u programskom paketu memcached za operacijski sustav openSUSE. Otkriveni nedostaci potencijalnim napadačima omogućuju prekoračenje memorijskog spremnika...

Close