py-paramiko: update to 3.4.0.

- :release:`3.4.0 <2023-12-18>`
- :feature:`-` `Transport` grew a new ``packetizer_class`` kwarg for overriding
  the packet-handler class used internally. Mostly for testing, but advanced
  users may find this useful when doing deep hacks.
- :bug:`-` Address `CVE 2023-48795 <https://terrapin-attack.com/>`_ (aka the
  "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of
  packet sequence numbers) as follows:

    - The vulnerability only impacts encrypt-then-MAC digest algorithms in
      tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
      currently only implements ``hmac-sha2-(256|512)-etm`` in tandem with
      ``AES-CBC``. If you are unable to upgrade to Paramiko versions containing
      the below fixes right away, you may instead use the
      ``disabled_algorithms`` connection option to disable the ETM MACs and/or
      the CBC ciphers (this option is present in Paramiko >=2.6).
    - As the fix for the vulnerability requires both ends of the connection to
      cooperate, the below changes will only take effect when the remote end is
      OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, as of
      this patch version) and configured to use the new "strict kex" mode.
      Paramiko will always attempt to use "strict kex" mode if offered by the
      server, unless you override this by specifying ``strict_kex=False`` in
      `Transport.__init__`.
    - Paramiko will now raise an `SSHException` subclass (`MessageOrderError`)
      when protocol messages are received in unexpected order. This includes
      situations like receiving ``MSG_DEBUG`` or ``MSG_IGNORE`` during initial
      key exchange, which are no longer allowed during strict mode.
    - Key (re)negotiation -- i.e. ``MSG_NEWKEYS``, whenever it is encountered
      -- now resets packet sequence numbers. (This should be invisible to users
      during normal operation, only causing exceptions if the exploit is
      encountered, which will usually result in, again, `MessageOrderError`.)
    - Sequence number rollover will now raise `SSHException` if it occurs
      during initial key exchange (regardless of strict mode status).

  Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for submitting
  details on the CVE prior to release.

- :bug:`-` Tweak ``ext-info-(c|s)`` detection during KEXINIT protocol phase;
  the original implementation made assumptions based on an OpenSSH
  implementation detail.
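The changelog above names the affected class (ETM MACs together with CBC ciphers, or ChaCha20-Poly1305), says the protocol fix only works when both peers agree on strict kex, and points clients that cannot upgrade to the ``disabled_algorithms`` option. The following is an added example, not code from this commit or from Paramiko itself: it classifies a negotiated cipher/MAC pair, flags sessions where an affected pair was negotiated without strict kex, and builds the ``disabled_algorithms`` mapping. The CBC cipher set is assumed from Paramiko's default cipher list, the sample sessions are constructed, and the ``agreed_on_strict_kex`` transport attribute read in ``connect_hardened`` is an assumed name for the 3.4.0 strict-kex state.

```python
"""Added example (not part of this commit or of Paramiko): classify a
negotiated SSH cipher/MAC pair for CVE-2023-48795 (Terrapin) exposure and
build the ``disabled_algorithms`` mapping the changelog recommends for
clients that cannot upgrade yet. Sample sessions below are constructed."""

# CBC cipher identifiers Paramiko offers in KEXINIT (assumed from its defaults).
CBC_CIPHERS = frozenset({"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"})
# Encrypt-then-MAC digests Paramiko implements (named in the changelog).
ETM_MACS = frozenset({"hmac-sha2-256-etm@openssh.com",
                      "hmac-sha2-512-etm@openssh.com"})
# Affected on its own, regardless of MAC; Paramiko does not implement it.
CHACHA20_POLY1305 = "chacha20-poly1305@openssh.com"


def terrapin_exposed(cipher: str, mac: str) -> bool:
    """True when the negotiated pair is in the affected class:
    ChaCha20-Poly1305, or an ETM MAC combined with a CBC cipher."""
    if cipher == CHACHA20_POLY1305:
        return True
    return cipher in CBC_CIPHERS and mac in ETM_MACS


def residual_risk(cipher: str, mac: str, strict_kex_agreed: bool) -> bool:
    """The fix needs both ends to cooperate, so an affected pair negotiated
    without strict kex still carries the risk."""
    return terrapin_exposed(cipher, mac) and not strict_kex_agreed


def mitigation_disabled_algorithms() -> dict:
    """``disabled_algorithms`` value (Paramiko >= 2.6) removing every affected
    algorithm Paramiko offers, so no exposed pair can be negotiated."""
    return {"ciphers": sorted(CBC_CIPHERS), "macs": sorted(ETM_MACS)}


# Constructed sample sessions, shaped like values read back from a Transport.
SAMPLE_SESSIONS = [
    {"host": "legacy.example", "cipher": "aes256-cbc",
     "mac": "hmac-sha2-256-etm@openssh.com", "strict_kex": False},
    {"host": "patched.example", "cipher": "aes256-cbc",
     "mac": "hmac-sha2-256-etm@openssh.com", "strict_kex": True},
    {"host": "ctr.example", "cipher": "aes256-ctr",
     "mac": "hmac-sha2-256-etm@openssh.com", "strict_kex": False},
    {"host": "chacha.example", "cipher": "chacha20-poly1305@openssh.com",
     "mac": "", "strict_kex": False},
]


def assess_sessions(sessions=SAMPLE_SESSIONS):
    """Return the hosts whose negotiated parameters still carry Terrapin risk."""
    return [s["host"] for s in sessions
            if residual_risk(s["cipher"], s["mac"], s["strict_kex"])]


def connect_hardened(hostname, username, **kwargs):
    """Open an SSHClient session with the affected algorithms disabled and
    return the client plus the strict-kex state. Needs a reachable server, so
    it is not exercised here; ``agreed_on_strict_kex`` is an assumed attribute
    name for the Transport's 3.4.0 strict-kex state."""
    import paramiko
    from paramiko.ssh_exception import MessageOrderError  # new in 3.4.0

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    try:
        client.connect(hostname, username=username,
                       disabled_algorithms=mitigation_disabled_algorithms(),
                       **kwargs)
    except MessageOrderError as exc:
        # 3.4.0 raises this when messages arrive out of order during kex;
        # surface it as a handshake failure rather than silently retrying.
        raise RuntimeError(f"aborted handshake to {hostname}: {exc}") from exc
    transport = client.get_transport()
    return client, getattr(transport, "agreed_on_strict_kex", None)


if __name__ == "__main__":
    for host in assess_sessions():
        print(f"{host}: affected pair negotiated without strict kex")
    print(mitigation_disabled_algorithms())
```

On a real session the cipher, MAC and strict-kex values would come from the connected ``Transport`` instead of the constructed list; the classification logic is the same either way.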
wiz 2023-12-18 21:16:04 +00:00
parent 6a95707347
commit 015e9fb71d
2 changed files with 6 additions and 7 deletions


@ -1,8 +1,7 @@
# $NetBSD: Makefile,v 1.51 2023/12/18 16:25:43 wiz Exp $
# $NetBSD: Makefile,v 1.52 2023/12/18 21:16:04 wiz Exp $
DISTNAME= paramiko-3.3.1
DISTNAME= paramiko-3.4.0
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
PKGREVISION= 1
CATEGORIES= security python
MASTER_SITES= ${MASTER_SITE_PYPI:=p/paramiko/}
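Review bot: the header's line counts (8 old, 7 new) mean `PKGREVISION= 1` has no counterpart on the new side and is dropped together with the DISTNAME bump from `paramiko-3.3.1` to `paramiko-3.4.0`; that is the right call, since a new DISTNAME resets the package revision and a leftover PKGREVISION would yield a misleading `py-paramiko-3.4.0nb1`. Within this hunk nothing else changes, so the fix for CVE 2023-48795 described in the commit message arrives purely through the new upstream version.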


@ -1,5 +1,5 @@
$NetBSD: distinfo,v 1.33 2023/07/31 16:16:48 adam Exp $
$NetBSD: distinfo,v 1.34 2023/12/18 21:16:04 wiz Exp $
BLAKE2s (paramiko-3.3.1.tar.gz) = 72e41a51dba24bf0bbf0138c05293d2db1c29af720cccf2931b5f8fbb4798d2a
SHA512 (paramiko-3.3.1.tar.gz) = 63fab82a25cf378768ddb29e727c012b47179a137a78f2e3e1316cc7bfe8e7707f90fddb4d4e65d659357ab624db93a09aa43d8aa4e1eb30a2a5f67e01bbd6ab
Size (paramiko-3.3.1.tar.gz) = 1270242 bytes
BLAKE2s (paramiko-3.4.0.tar.gz) = ee83ccda4e152dff5acb3bd6834c92436827d1d7a4cf524848936480b8c5bdd9
SHA512 (paramiko-3.4.0.tar.gz) = fdbc8e45fefc7f9adcc1d576cf8979fe87a9bc403d15e4cedb3f06d1f75a52228f2e368c61ff8941b3c60c1090d4f1bad5adbdcaa50bf19d919a160f871b084b
Size (paramiko-3.4.0.tar.gz) = 1277306 bytes
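Review bot: all three distinfo fields (BLAKE2s, SHA512, Size) move together from the 3.3.1 tarball to the 3.4.0 tarball, which is what `make distinfo` produces, and the 3.3.1 entries are fully removed. Because this is the release carrying the CVE 2023-48795 changes, it is worth confirming that the digests were generated from the archive fetched through MASTER_SITES (PyPI) rather than a locally staged copy; the size growth from 1270242 to 1277306 bytes is in line with a small feature release.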