Subject: CVS commit: pkgsrc/security/py-paramiko
From: Adam Ciarcinski
Date: 2021-11-29 10:33:19
Message id:

Log Message:
py-paramiko: updated to 2.8.1

2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

This could enable attacks such as, but not limited to, the following:

- Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
- Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM

[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError. Patch courtesy of Martin Packman.