Description
ELSA-2018-1124: python-paramiko security update (CRITICAL)
[1.7.5-4]
- Fix and enable tests (%check).
- Backport a change which makes tests exit with nonzero status when they fail.
- Add a fix for upstream tests for CVE-2018-7750 (broken in previous).
[1.7.5-3]
- Fix a security flaw (CVE-2018-7750) in Paramiko's server mode (emphasis on server mode; this does not impact client use!) Backported from 1.10: https://gist.github.com/stevebeattie/0eb190004e10ba0926ad8782f89676ad Resolves #1557140
Updated packages
Oracle Linux 6
Oracle Linux x86_64: python-paramiko 1.7.5-4.el6_9
Oracle Linux i686: python-paramiko 1.7.5-4.el6_9
Related CVEs
Related vulnerabilities
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
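The upstream version ranges above do not apply directly to the Oracle Linux 6 package, whose 1.7.5 build carries a backported fix. The following check is an added example, not part of the advisory or of Paramiko; the function names are hypothetical, and treating branches newer than 2.4 as fixed is an assumption.

```python
import re

# Upstream fixed patch level per affected branch, copied from the CVE text above.
FIXED_PATCH = {(1, 17): 6, (1, 18): 5, (2, 0): 8, (2, 1): 5,
               (2, 2): 3, (2, 3): 2, (2, 4): 1}

def upstream_affected(version):
    """True if an unpatched upstream Paramiko release falls in the affected ranges."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = (int(g or 0) for g in m.groups())
    branch = (major, minor)
    if branch < (1, 17):
        return True  # "before 1.17.6" covers every older branch
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Assumption: branches newer than 2.4 were released after the fix;
    # unlisted older branches are conservatively reported as affected.
    return branch < (2, 4)

def el6_backport_present(evr):
    """True if an Oracle Linux 6 python-paramiko build carries the backported fix."""
    m = re.match(r"(?:\d+:)?1\.7\.5-(\d+)\.el6", evr)
    # Release 3 added the CVE-2018-7750 fix per the changelog; the advisory ships release 4.
    return bool(m) and int(m.group(1)) >= 3

def assess(version, rpm_evr=None):
    """Classify a host; rpm_evr is the installed package's version-release string."""
    if rpm_evr and el6_backport_present(rpm_evr):
        return "patched (distro backport)"
    return "affected in server mode" if upstream_affected(version) else "not affected"

if __name__ == "__main__":
    # Constructed sample inputs: (library version, package version-release).
    for v, evr in [("1.7.5", "1.7.5-4.el6_9"), ("1.7.5", "1.7.5-2.el6"),
                   ("2.4.0", None), ("2.4.1", None)]:
        print(v, evr, "->", assess(v, evr))
```

A scanner that compares only the library version string reports the patched el6 package as vulnerable, so the package release has to be checked first.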