CVS Commit History:


   2021-11-29 10:33:19 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-paramiko: updated to 2.8.1

2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

Warning
This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

This could enable attacks such as, but not limited to, the following:

Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.

[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError. Patch courtesy of Martin Packman.
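
The equality change described in the 2.8.1 entry above, sketched as an added example (not Paramiko's code and not part of the commit log). ToyKeyHashEq and ToyKeyFieldEq are hypothetical classes, and the -1/-2 pair is a constructed stand-in for a colliding key that relies on CPython hashing both integers to -2.

```python
# Added illustration; the ToyKey* classes are hypothetical, not Paramiko code.


class ToyKeyHashEq:
    """Key-like object whose __eq__ is delegated to hash()."""

    def __init__(self, name, e, n):
        self.name, self.e, self.n = name, e, n

    @property
    def _fields(self):
        return (self.name, self.e, self.n)

    def __hash__(self):
        return hash(self._fields)

    def __eq__(self, other):
        # Unsafe: hash() is a short, non-cryptographic value, so two
        # different field tuples can share it.
        return isinstance(other, ToyKeyHashEq) and hash(self) == hash(other)


class ToyKeyFieldEq(ToyKeyHashEq):
    """Same __hash__, but equality compares the fields themselves."""

    def __eq__(self, other):
        return isinstance(other, ToyKeyFieldEq) and self._fields == other._fields

    # Overriding __eq__ would otherwise set __hash__ to None in this class.
    __hash__ = ToyKeyHashEq.__hash__


def compare(cls):
    """Return (hashes_equal, keys_equal, lookalike_accepted) for two distinct keys."""
    # Constructed values: CPython reserves -1 as an error code, so
    # hash(-1) == hash(-2) == -2 and the two field tuples hash identically.
    original = cls("toy-rsa", 65537, -1)
    lookalike = cls("toy-rsa", 65537, -2)
    trusted = {original}  # stands in for an authorized-keys or host-key store
    return (hash(original) == hash(lookalike),
            original == lookalike,
            lookalike in trusted)


if __name__ == "__main__":
    print("hash-based equality :", compare(ToyKeyHashEq))
    print("field-based equality:", compare(ToyKeyFieldEq))
```

With field comparison the hash collision still exists, but it only costs a second comparison inside the set lookup and no longer decides whether the key is trusted.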
   2021-10-26 13:18:07 by Nia Alarie | Files touched by this commit (605)
Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
   2021-10-11 11:34:52 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-paramiko: updated to 2.8.0

2.8.0 2021-10-09
[Feature] Add a prefetch keyword argument to SFTPClient.get/SFTPClient.getfo so users who need to skip SFTP prefetching are able to conditionally turn it off. Thanks to Github user @h3ll0r for the PR.
[Bug] Newer server-side key exchange algorithms not intended to use SHA1 (diffie-hellman-group14-sha256, diffie-hellman-group16-sha512) were incorrectly using SHA1 after all, due to a bug causing them to ignore the hash_algo class attribute. This has been corrected. Big thanks to @miverson for the report and to Benno Rice for the patch.
[Support] Remove leading whitespace from OpenSSH RSA test suite static key fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support]: Update our CI to catch issues with sdist generation, installation and testing.
[Support]: Administrivia overhaul, including but not limited to:
Migrate CI to CircleCI
Primary dev branch is now main (renamed)
Many README edits for clarity, modernization etc; including a bunch more (and consistent) status badges & unification with main project site index
PyPI page much more fleshed out (long_description is now filled in with the README; sidebar links expanded; etc)
flake8, pytest configs split out of setup.cfg into their own files
Invoke/invocations (used by maintainers/contributors) upgraded to modern versions
   2021-10-07 16:54:50 by Nia Alarie | Files touched by this commit (606)
Log message:
security: Remove SHA1 hashes for distfiles
   2020-09-08 19:43:12 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-paramiko: updated to 2.7.2

2.7.2:
[Bug] Fix incorrectly swapped order of p and q numbers when loading OpenSSH-format RSA private keys. At minimum this should address a slowdown when using such keys, and it also means Paramiko works with Cryptography 3.1 and above (which complains strenuously when this problem appears). Thanks to Alex Gaynor for the patch.
[Bug]: Fix incorrect string formatting causing unhelpful error message annotation when using Kerberos/GSSAPI. (Thanks, newer version of flake8!)
[Support] Remove leading whitespace from OpenSSH RSA test suite static key fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support]: Update our CI to catch issues with sdist generation, installation and testing.
   2020-05-17 21:34:13 by Adam Ciarcinski | Files touched by this commit (10)
Log message:
pytest from versioned depends
   2020-01-26 18:32:28 by Roland Illig | Files touched by this commit (981)
Log message:
all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
   2019-12-11 11:43:53 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-paramiko: updated to 2.7.1

2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.

2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.

Note
This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.

[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from “modern” keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.

Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.

[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.
   2019-07-02 06:31:13 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 2.6.0

2.6.0:
Add a new keyword argument to SSHClient.connect and Transport, disabled_algorithms, which allows selectively disabling one or more kex/key/cipher/etc algorithms. This can be useful when disabling algorithms your target server (or client) does not support cleanly, or to work around unpatched bugs in Paramiko’s own implementation thereof.

SSHClient.exec_command previously returned a naive ChannelFile object for its stdin value; such objects don’t know to properly shut down the remote end’s stdin when they .close(). This led to issues (such as hangs) when running remote commands that read from stdin.

Add backwards-compatible support for the gssapi GSSAPI library, as the previous backend (python-gssapi) has since become defunct. This change also includes tests for the GSSAPI functionality.

Tweak many exception classes so their string representations are more human-friendly; this also includes incidental changes to some super() calls.
   2019-06-10 10:42:58 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 2.5.0

2.5.0:
[Feature] Updated SSHConfig.lookup so it returns a new, type-casting-friendly dict subclass (SSHConfigDict) in lieu of dict literals. This ought to be backwards compatible, and allows an easier way to check boolean or int type ssh_config values.

[Feature] Add support for Curve25519 key exchange (aka curve25519-sha256@libssh.org).

[Feature] Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). Patch courtesy of Edgar Sousa.

[Support] Update our install docs with (somewhat) recently added additional dependencies; we previously only required Cryptography, but the docs never got updated after we incurred bcrypt and pynacl requirements for Ed25519 key support.

Additionally, pyasn1 was never actually hard-required; it was necessary during a development branch, and is used by the optional GSSAPI support, but is not required for regular installation. Thus, it has been removed from our setup.py and its imports in the GSSAPI code made optional.

[Support] Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.

[Support] Add support for the modern (as of Python 3.3) import location of MutableMapping (used in host key management) to avoid the old location becoming deprecated in Python 3.8.
[Support] Raise Cryptography dependency requirement to version 2.5 (from 1.5) and update some deprecated uses of its API.
