Subject: CVS commit: pkgsrc/security/py-paramiko
From: Adam Ciarcinski
Date: 2018-09-21 13:04:16
Message id:

Log Message:
py-paramiko: updated to 2.4.2

Fix exploit (CVE pending) in Paramiko’s server mode (not client mode) where hostile clients could trick the server into thinking they were authenticated without actually submitting valid authentication.

Specifically, steps have been taken to start separating client and server related message types in the message handling tables within Transport and AuthHandler; this work is not complete but enough has been performed to close off this particular exploit (which was the only obvious such exploit for this particular channel).

Modify protocol message handling such that Transport does not respond to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably didn’t cause any outright errors, but it doesn’t seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends).

Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.

Backport pytest support and application of the black code formatter (both of which previously only existed in the 2.4 branch and above) to everything 2.0 and newer. This makes back/forward porting bugfixes significantly easier.

Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography sign/verify APIs when available, without requiring them (as is the case with Paramiko 2.3+).
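Added illustration, not Paramiko's own code: a per-role message handling table of the kind the first two log entries describe (server mode only dispatches client-originated message types), combined with the MSG_UNIMPLEMENTED rule from the third entry. Message numbers are the RFC 4252/4253 values; the Role enum, the Transport stand-in and its handler names are assumptions.

```python
from enum import Enum

# SSH message numbers from RFC 4253 / RFC 4252.
MSG_UNIMPLEMENTED = 3
MSG_USERAUTH_REQUEST = 50
MSG_USERAUTH_FAILURE = 51
MSG_USERAUTH_SUCCESS = 52


class Role(Enum):
    CLIENT = "client"
    SERVER = "server"


class Transport:
    def __init__(self, role):
        self.role = role
        self.authenticated = False
        self.sent = []  # message numbers we replied with, for inspection

    def _table(self):
        # Handlers for messages the *peer* may legitimately send us in this
        # role. Server-only replies (FAILURE/SUCCESS) are absent from the
        # server table, so a client cannot reach the server's
        # "authentication succeeded" path by sending one.
        return {
            Role.SERVER: {MSG_USERAUTH_REQUEST: self._on_userauth_request},
            Role.CLIENT: {MSG_USERAUTH_SUCCESS: self._on_userauth_success},
        }[self.role]

    def _on_userauth_request(self, payload):
        self.sent.append(MSG_USERAUTH_FAILURE)  # stand-in: never accepts

    def _on_userauth_success(self, payload):
        self.authenticated = True

    def dispatch(self, msg_type, payload=b""):
        """Route one incoming message; return True if a handler ran."""
        handler = self._table().get(msg_type)
        if handler is None:
            # Unhandled type: answer MSG_UNIMPLEMENTED, but never in reply
            # to MSG_UNIMPLEMENTED itself (no UNIMPLEMENTED ping-pong).
            if msg_type != MSG_UNIMPLEMENTED:
                self.sent.append(MSG_UNIMPLEMENTED)
            return False
        handler(payload)
        return True
```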