A flaw was found in the implementation of transport.py in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step.
This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.
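A simplified model of the missing server-side check, added here as an illustration and not Paramiko's own code: a message dispatcher that either does or does not confirm authentication before handling post-authentication message types. The class, function names, credentials and message sequences are hypothetical and constructed; the message numbers are the ones assigned in RFC 4250.

```python
# Toy model of an SSH server's message dispatch (constructed for illustration;
# this is not Paramiko's transport.py).
MSG_SERVICE_REQUEST = 5     # transport layer
MSG_USERAUTH_REQUEST = 50   # user authentication
MSG_CHANNEL_OPEN = 90       # connection protocol, only valid after auth
HIGHEST_USERAUTH_ID = 79    # RFC 4250 reserves 50-79 for user authentication

VALID_LOGIN = ("alice", "correct-password")  # hypothetical credential


class ToyServer:
    def __init__(self, enforce_auth):
        self.enforce_auth = enforce_auth  # False models the flawed behaviour
        self.authenticated = False
        self.channels = []

    def handle(self, ptype, payload):
        # The gate: anything above the user-auth range needs a completed login.
        needs_auth = ptype > HIGHEST_USERAUTH_ID
        if self.enforce_auth and needs_auth and not self.authenticated:
            return "rejected"
        if ptype == MSG_SERVICE_REQUEST:
            return "service-accept"
        if ptype == MSG_USERAUTH_REQUEST:
            self.authenticated = payload == VALID_LOGIN
            return "auth-success" if self.authenticated else "auth-failure"
        if ptype == MSG_CHANNEL_OPEN:
            self.channels.append(payload)
            return "channel-open"
        return "unimplemented"


def replay(server, messages):
    """Feed a message sequence to the server and collect its replies."""
    return [server.handle(ptype, payload) for ptype, payload in messages]


# Constructed sequences: one omits the auth step, one logs in, one fails login.
NO_AUTH = [(MSG_SERVICE_REQUEST, "ssh-userauth"), (MSG_CHANNEL_OPEN, "session")]
NORMAL = [(MSG_SERVICE_REQUEST, "ssh-userauth"),
          (MSG_USERAUTH_REQUEST, VALID_LOGIN),
          (MSG_CHANNEL_OPEN, "session")]
BAD_LOGIN = [(MSG_USERAUTH_REQUEST, ("alice", "wrong")),
             (MSG_CHANNEL_OPEN, "session")]

if __name__ == "__main__":
    for name, seq in [("NO_AUTH", NO_AUTH), ("NORMAL", NORMAL), ("BAD_LOGIN", BAD_LOGIN)]:
        print(name, "flawed:", replay(ToyServer(False), seq),
              "gated:", replay(ToyServer(True), seq))
```
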
This update also fixes an issue where Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in Python 3).
sudo dnf upgrade --advisory=FEDORA-2018-8f9d81a3fb
| submitted | a year ago |
| in testing | a year ago |
| in stable | a year ago |
| modified | a year ago |
| 0 | 0 | #1557075 python-paramiko-2.4.1 is available |
| 0 | 0 | #1557130 CVE-2018-7750 python-paramiko: Authentication bypass in transport.py |
| 0 | 0 | #1557131 CVE-2018-7750 python-paramiko: Authentication bypass in transport.py [fedora-all] |