Subject: CVS commit: pkgsrc/security/py-paramiko
From: Adam Ciarcinski
Date: 2018-09-21 13:04:16
Message id: 20180921110417.2B0A8FBEE@cvs.NetBSD.org

Log Message:
py-paramiko: updated to 2.4.2

2.4.2:
Fix exploit (CVE pending) in Paramiko’s server mode (not client mode) where \ 
hostile clients could trick the server into thinking they were authenticated \ 
without actually submitting valid authentication.

Specifically, steps have been taken to start separating client and server \ 
related message types in the message handling tables within Transport and \ 
AuthHandler; this work is not complete but enough has been performed to close \ 
off this particular exploit (which was the only obvious such exploit for this \ 
particular channel).

Modify protocol message handling such that Transport does not respond to \ 
MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably \ 
didn’t cause any outright errors, but it doesn’t seem to conform to the RFCs \ 
and could cause (non-infinite) feedback loops in some scenarios (usually those \ 
involving Paramiko on both ends).
Add *.pub files to the MANIFEST so distributed source packages contain some \ 
necessary test assets. Credit: Alexander Kapshuna.
Backport pytest support and application of the black code formatter (both of \ 
which previously only existed in the 2.4 branch and above) to everything 2.0 and \ 
newer. This makes back/forward porting bugfixes significantly easier.
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using \ 
duck-typing to preserve backwards compatibility. This allows these older \ 
versions to use newer Cryptography sign/verify APIs when available, without \ 
requiring them (as is the case with Paramiko 2.3+).

Files:
RevisionActionfile
1.2modifypkgsrc/security/py-paramiko/patches/patch-paramiko_ssh__gss.py
1.20modifypkgsrc/security/py-paramiko/distinfo
1.16modifypkgsrc/security/py-paramiko/PLIST
1.34modifypkgsrc/security/py-paramiko/Makefile