A flaw was found in the implementation of transport.py in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step.
This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.
This update also fixes an issue where Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in Python 3).
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2018-6db2f7a02ePlease login to add feedback.
This update has been submitted for testing by pghmcfc.
This update has been pushed to testing.
no regressions noted
Works
This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
Works for me.
Working.
This update has been submitted for batched by pghmcfc.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.