Fedora Packages

python-paramiko-doc-2.10.3-1.fc36 in Fedora 36

↵ Return to the main page of python-paramiko-doc
View build
Search for updates

Package Info
🠗 Changelog
🠗 Dependencies
🠗 Provides
🠗 Files

Changelog

Date Author Change
2022-03-19 Paul Howarth <paul at city dash fan dot org> - 2.10.3-1 - Update to 2.10.3 - Certificate-based pubkey auth was inadvertently broken when adding SHA2 support in version 2.9.0 (GH#1963, GH#1977) - Switch from module-global to thread-local storage when recording thread IDs for a logging helper; this should avoid one flavor of memory leak for long-running processes (GH#2002, GH#2003)
2022-03-15 Paul Howarth <paul at city dash fan dot org> - 2.10.2-1 - Update to 2.10.2 - Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001) - Re-enable sftp tests, no longer failing under mock
2022-03-13 Paul Howarth <paul at city dash fan dot org> - 2.10.1-1 - Update to 2.10.1 - CVE-2022-24302: Creation of new private key files using '~paramiko.pkey.PKey' subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using 'os.open' and 'os.fdopen' to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit 'chmod' in place to minimize any possible disruption, though it may get removed in future backwards-incompatible updates) - Add support for the '%C' token when parsing SSH config files (GH#1976) - Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant isn't available or functional (GH#1509, GH#1837, GH#1868) - Significantly speed up low-level read/write actions on '~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview' (GH#892); this is unlikely to change anything for users of the higher level methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of 'SFTPClient.open' will likely see orders of magnitude improvements for files larger than a few megabytes in size - Add 'six' explicitly to install-requires; it snuck into active use at some point but has only been indicated by transitive dependency on 'bcrypt' until they somewhat-recently dropped it (GH#1985); this will be short-lived until we drop Python 2 support
2022-01-21 Fedora Release Engineering <releng at fedoraproject dot org> - 2.9.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
2022-01-14 Paul Howarth <paul at city dash fan dot org> - 2.9.2-2 - Avoid use of deprecated python-mock by using unittest.mock instead https://github.com/paramiko/paramiko/pull/1666
2022-01-08 Paul Howarth <paul at city dash fan dot org> - 2.9.2-1 - Update to 2.9.2 - Connecting to servers that support 'server-sig-algs' but which have no overlap between that list and what a Paramiko client supports, now raise an exception instead of defaulting to 'rsa-sha2-512' (since the use of 'server-sig-algs' allows us to know what the server supports) - Enhanced log output when connecting to servers that do not support 'server-sig-algs' extensions, making the new-as-of-2.9 defaulting to SHA2 pubkey algorithms more obvious when it kicks in
2021-12-25 Paul Howarth <paul at city dash fan dot org> - 2.9.1-1 - Update to 2.9.1 - Server-side support for 'rsa-sha2-256' and 'ssh-rsa' wasn't fully operable after 2.9.0's release (signatures for RSA pubkeys were always run through 'rsa-sha2-512' instead) (GH#1935)
2021-12-24 Paul Howarth <paul at city dash fan dot org> - 2.9.0-1 - Update to 2.9.0 - Add support for SHA-2 variants of RSA key verification algorithms (as described in RFC 8332) as well as limited SSH extension negotiation (RFC 8308) (GH#1326, GH#1643, GH#1644, GH#1925) How SSH servers/clients decide when and how to use this functionality can be complicated; Paramiko's support is as follows: - Client verification of server host key during key exchange will now prefer rsa-sha2-512, rsa-sha2-256, and legacy ssh-rsa algorithms, in that order, instead of just ssh-rsa - Note that the preference order of other algorithm families such as ed25519 and ecdsa has not changed; for example, those two groups are still preferred over RSA - Server mode will now offer all 3 RSA algorithms for host key verification during key exchange, similar to client mode, if it has been configured with an RSA host key - Client mode key exchange now sends the ext-info-c flag signaling support for MSG_EXT_INFO, and support for parsing the latter (specifically, its server-sig-algs flag) has been added - Client mode, when performing public key authentication with an RSA key or cert, will act as follows: - In all cases, the list of algorithms to consider is based on the new preferred_pubkeys list and disabled_algorithms; this list, like with host keys, prefers SHA2-512, SHA2-256 and SHA1, in that order - When the server does not send server-sig-algs, Paramiko will attempt the first algorithm in the above list; clients connecting to legacy servers should thus use disabled_algorithms to turn off SHA2 - When the server does send server-sig-algs, the first algorithm supported by both ends is used, or if there is none, it falls back to the previous behavior - SSH agent support grew the ability to specify algorithm flags when requesting private key signatures; this is now used to forward SHA2 algorithms when appropriate - Server mode is now capable of pubkey auth involving SHA-2 signatures from clients, provided one's server implementation actually provides for doing so; this includes basic support for sending MSG_EXT_INFO (containing server-sig-algs only) to clients advertising ext-info-c in their key exchange list In order to implement the above, the following API additions were made: - 'PKey.sign_ssh_data <paramiko.pkey.PKey>': Grew an extra, optional 'algorithm' keyword argument (defaulting to 'None' for most subclasses, and to "ssh-rsa" for '~paramiko.rsakey.RSAKey') - A new '~paramiko.ssh_exception.SSHException' subclass was added, '~paramiko.ssh_exception.IncompatiblePeer', and is raised in all spots where key exchange aborts due to algorithmic incompatibility; like all other exceptions in that module, it inherits from 'SSHException', and as nothing else was changed about the raising (i.e. the attributes and message text are the same) this change is backwards compatible - '~paramiko.transport.Transport' grew a '_preferred_pubkeys' attribute and matching 'preferred_pubkeys' property to match the other, kex-focused, such members; this allows client pubkey authentication to honor the 'disabled_algorithms' feature
2021-11-29 Paul Howarth <paul at city dash fan dot org> - 2.8.1-1 - Update to 2.8.1 - Fix listdir failure when server uses a locale (GH#985, GH#992); now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise 'UnicodeDecodeError' - Deleting items from '~paramiko.hostkeys.HostKeys' would incorrectly raise 'KeyError' even for valid keys, due to a logic bug (GH#1024) - Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically 'TypeError' and its internal 'UnsupportedAlgorithm') (GH#1257, GH#1266); these exception classes will now become '~paramiko.ssh_exception.SSHException' instances instead of bubbling up - Update '~paramiko.pkey.PKey' and subclasses to compare ('__eq__') via direct field/attribute comparison instead of hashing (while retaining the existing behavior of '__hash__' via a slight refactor) (GH#908) Warning: This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 that is running with 'PYTHONHASHSEED=0') it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key. This could enable attacks such as, but not limited to, the following: - Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw. - Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.
2021-10-11 Paul Howarth <paul at city dash fan dot org> - 2.8.0-1 - Update to 2.8.0 - Administrivia overhaul, including but not limited to: - Migrate CI to CircleCI - Primary dev branch is now 'main' (renamed) - Many README edits for clarity, modernization etc.; including a bunch more (and consistent) status badges and unification with main project site index - PyPI page much more fleshed out (long_description is now filled in with the README; sidebar links expanded; etc.) - flake8, pytest configs split out of setup.cfg into their own files - Invoke/invocations (used by maintainers/contributors) upgraded to modern versions - Newer server-side key exchange algorithms not intended to use SHA1 (diffie-hellman-group14-sha256, diffie-hellman-group16-sha512) were incorrectly using SHA1 after all, due to a bug causing them to ignore the 'hash_algo' class attribute; this has been corrected (GH#1452, GH#1882) - Add a 'prefetch' keyword argument to 'SFTPClient.get'/'SFTPClient.getfo' so that users who need to skip SFTP prefetching are able to conditionally turn it off (GH#1846)

Dependencies

Provides

  • python-paramiko-doc

Files


Sources on Pagure