FEDORA-2018-8f9d81a3fb

security update in Fedora 28 for python-paramiko

Status: stable 2 years ago

A flaw was found in the implementation of transport.py in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step.

This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.

This update also fixes an issue where Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in Python 3).

How to install

sudo dnf upgrade --advisory=FEDORA-2018-8f9d81a3fb

Comments 8

This update has been submitted for testing by pghmcfc.

pghmcfc edited this update.

This update has been pushed to testing.

Works

karma: +1

This update has reached 3 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for batched by pghmcfc.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Add Comment & Feedback

Please login to add feedback.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
high
Karma
+1
stable threshold: 2
unstable threshold: -1
Autopush (karma)
Disabled
Autopush (time)
Disabled
Dates
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago

Related Bugs 3

00 #1557075 python-paramiko-2.4.1 is available
00 #1557130 CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
00 #1557131 CVE-2018-7750 python-paramiko: Authentication bypass in transport.py [fedora-all]

Automated Test Results