ELBA-2024-28122

ELBA-2024-28122 - python-paramiko Bug Fix update

Type: BUG
Severity: NA
Release Date: 2024-10-10

Description


[2.12.0-3]
- Add support for AES-GCM ciphers (rhbz#2311864)
- Remove cached Sphinx build folder '.doctrees'

[2.12.0-2]
- Address CVE-2023-48795 (a.k.a. the 'Terrapin Attack', a vulnerability in the
  SSH protocol's treatment of packet sequence numbers) as follows:
  - The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem
    with CBC ciphers, and ChaCha20-Poly1305; of these, Paramiko currently only
    implements hmac-sha2-(256|512)-etm in tandem with AES-CBC
  - As the fix requires both ends of the connection to cooperate, the changes
    below only take effect when the remote end is OpenSSH >= 9.6 (or an
    equivalent, such as Paramiko in server mode as of this patch version) and
    is configured to use the new 'strict kex' mode
  - Paramiko will always attempt to use 'strict kex' mode if the server offers
    it, unless you override this by passing 'strict_kex=False' to
    'Transport.__init__'
  - Paramiko now raises an 'SSHException' subclass ('MessageOrderError') when
    protocol messages are received in an unexpected order; this includes
    receiving 'MSG_DEBUG' or 'MSG_IGNORE' during initial key exchange, which is
    no longer allowed in strict mode
  - Key (re)negotiation, i.e. 'MSG_NEWKEYS', now resets packet sequence numbers
    whenever it is encountered (this should be invisible to users during normal
    operation, causing exceptions only if the exploit is encountered, which
    will usually again result in 'MessageOrderError')
  - Sequence number rollover now raises 'SSHException' if it occurs during
    initial key exchange (regardless of strict mode status)
  - Tweak 'ext-info-(c|s)' detection during the KEXINIT protocol phase; the
    original implementation made assumptions based on an OpenSSH implementation
    detail
  - 'Transport' grew a new 'packetizer_class' kwarg for overriding the
    packet-handler class used internally; this is mostly for testing, but
    advanced users may find it useful when doing deep hacks
  - A handful of lower-level classes (notably 'paramiko.message.Message' and
    'paramiko.pkey.PKey') previously returned 'bytes' objects from their
    '__str__' implementation, even under Python 3, and never had a '__bytes__'
    method; these issues have been fixed by renaming '__str__' to '__bytes__'
    and relying on Python's default behavior that 'str()' of such objects
    returns the output of '__repr__'
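As an added illustration (not Paramiko's or Oracle's code), the simplified receive-side model below shows how the three sequence-number rules above interact: a stray MSG_IGNORE during the initial exchange is fatal under strict mode instead of silently advancing the counter, MSG_NEWKEYS restarts the counter, and rollover during the initial exchange is rejected regardless of mode. Class and function names are hypothetical; the message numbers are RFC 4253's.

```python
from dataclasses import dataclass

# Message numbers from RFC 4253; 50 (SSH_MSG_USERAUTH_REQUEST) stands in for
# "the first packet after the key exchange" in the constructed handshake below.
MSG_IGNORE, MSG_DEBUG, MSG_KEXINIT, MSG_NEWKEYS, MSG_USERAUTH_REQUEST = 2, 4, 20, 21, 50
SEQ_MODULUS = 2 ** 32  # sequence numbers are uint32 and wrap


class SSHException(Exception):
    """Generic protocol failure (same name as in the changelog; hypothetical model)."""

class MessageOrderError(SSHException):
    """A message arrived in an order strict mode forbids."""


@dataclass
class StrictKexReceiver:
    """Receive-side model of the changelog's three sequence-number rules."""
    strict_kex: bool = True        # whether 'strict kex' was negotiated with the peer
    initial_kex_done: bool = False
    seq_in: int = 0

    def receive(self, msg_type: int) -> int:
        """Account for one inbound packet; return the sequence number it consumed."""
        in_initial_kex = not self.initial_kex_done
        # Rule 1: in strict mode, MSG_IGNORE/MSG_DEBUG are fatal during initial KEX.
        if self.strict_kex and in_initial_kex and msg_type in (MSG_IGNORE, MSG_DEBUG):
            raise MessageOrderError(f"msg type {msg_type} not allowed during strict KEX")
        consumed = self.seq_in
        self.seq_in = (self.seq_in + 1) % SEQ_MODULUS
        # Rule 3: rollover during initial KEX is fatal regardless of strict mode.
        if self.seq_in == 0 and in_initial_kex:
            raise SSHException("sequence number rollover during initial key exchange")
        # Rule 2: NEWKEYS restarts the counter (only when both ends agreed on strict kex).
        if msg_type == MSG_NEWKEYS:
            if self.strict_kex:
                self.seq_in = 0
            self.initial_kex_done = True
        return consumed


def first_post_kex_seq(strict_kex: bool, inject_ignore: bool):
    """Sequence number consumed by the first post-NEWKEYS packet, or the name of the
    exception raised, for a constructed handshake with an optional stray MSG_IGNORE."""
    rx = StrictKexReceiver(strict_kex=strict_kex)
    stream = [MSG_KEXINIT] + ([MSG_IGNORE] if inject_ignore else []) + [MSG_NEWKEYS, MSG_USERAUTH_REQUEST]
    try:
        return [rx.receive(m) for m in stream][-1]
    except SSHException as exc:
        return type(exc).__name__
```

Without strict mode the stray MSG_IGNORE simply shifts the post-KEX counter from 2 to 3; with strict mode negotiated it is rejected outright and the counter restarts at 0 after NEWKEYS.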

[2.12.0-1]
- Update to 2.12.0 (rhbz#2140281)
- Add a 'transport_factory' kwarg to 'SSHClient.connect' so advanced users can
  gain more control over early Transport setup and manipulation (GH#2054,
  GH#2125)
- Update 'paramiko.client.SSHClient' so it explicitly closes its wrapped socket
  object upon encountering socket errors at connection time; this should help
  somewhat with certain classes of memory leaks, resource warnings, and/or
  errors (though we hasten to remind everyone that Client and Transport have
  their own '.close()' methods for use in non-error situations!) (GH#1822)
- Raise 'paramiko.ssh_exception.SSHException' explicitly when blank private
  key data is loaded, instead of the natural result of 'IndexError'; this
  should help more parts of Paramiko and Paramiko-adjacent codebases to
  correctly handle this class of error (GH#1599, GH#1637)
- Use SPDX-format license tag




Updated Packages


Release/Architecture      Filename                                     MD5sum                            Superseded By Advisory  Channel Label
Oracle Linux 9 (aarch64)  python-paramiko-2.12.0-3.el9.src.rpm         3437b118ddabd1463dab227d5c5a1254  -                       ol9_aarch64_developer_EPEL
Oracle Linux 9 (aarch64)  python-paramiko-doc-2.12.0-3.el9.noarch.rpm  038ecf6cbfb527d59aa95f07d3135ac0  -                       ol9_aarch64_developer_EPEL
Oracle Linux 9 (aarch64)  python3-paramiko-2.12.0-3.el9.noarch.rpm     3d5655fa475dead7f9c84ff1ee464f41  -                       ol9_aarch64_developer_EPEL
Oracle Linux 9 (x86_64)   python-paramiko-2.12.0-3.el9.src.rpm         3437b118ddabd1463dab227d5c5a1254  -                       ol9_x86_64_developer_EPEL
Oracle Linux 9 (x86_64)   python-paramiko-doc-2.12.0-3.el9.noarch.rpm  038ecf6cbfb527d59aa95f07d3135ac0  -                       ol9_x86_64_developer_EPEL
Oracle Linux 9 (x86_64)   python3-paramiko-2.12.0-3.el9.noarch.rpm     3d5655fa475dead7f9c84ff1ee464f41  -                       ol9_x86_64_developer_EPEL


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
