py-paramiko: update to 3.4.0.
- :release:`3.4.0 <2023-12-18>` - :feature:`-` `Transport` grew a new ``packetizer_class`` kwarg for overriding the packet-handler class used internally. Mostly for testing, but advanced users may find this useful when doing deep hacks. - 🐛`-` Address `CVE 2023-48795<https://terrapin-attack.com/>`_ (aka the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows: - The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements ``hmac-sha2-(256|512)-etm`` in tandem with ``AES-CBC``. If you are unable to upgrade to Paramiko versions containing the below fixes right away, you may instead use the ``disabled_algorithms`` connection option to disable the ETM MACs and/or the CBC ciphers (this option is present in Paramiko >=2.6). - As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode. Paramiko will always attempt to use "strict kex" mode if offered by the server, unless you override this by specifying ``strict_kex=False`` in `Transport.__init__`. - Paramiko will now raise an `SSHException` subclass (`MessageOrderError`) when protocol messages are received in unexpected order. This includes situations like receiving ``MSG_DEBUG`` or ``MSG_IGNORE`` during initial key exchange, which are no longer allowed during strict mode. - Key (re)negotiation -- i.e. ``MSG_NEWKEYS``, whenever it is encountered -- now resets packet sequence numbers. (This should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, `MessageOrderError`.) - Sequence number rollover will now raise `SSHException` if it occurs during initial key exchange (regardless of strict mode status). Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for submitting details on the CVE prior to release. - 🐛`-` Tweak ``ext-info-(c|s)`` detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail.
This commit is contained in:
parent
6a95707347
commit
015e9fb71d
|
@ -1,8 +1,7 @@
|
|||
# $NetBSD: Makefile,v 1.51 2023/12/18 16:25:43 wiz Exp $
|
||||
# $NetBSD: Makefile,v 1.52 2023/12/18 21:16:04 wiz Exp $
|
||||
|
||||
DISTNAME= paramiko-3.3.1
|
||||
DISTNAME= paramiko-3.4.0
|
||||
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
|
||||
PKGREVISION= 1
|
||||
CATEGORIES= security python
|
||||
MASTER_SITES= ${MASTER_SITE_PYPI:=p/paramiko/}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
$NetBSD: distinfo,v 1.33 2023/07/31 16:16:48 adam Exp $
|
||||
$NetBSD: distinfo,v 1.34 2023/12/18 21:16:04 wiz Exp $
|
||||
|
||||
BLAKE2s (paramiko-3.3.1.tar.gz) = 72e41a51dba24bf0bbf0138c05293d2db1c29af720cccf2931b5f8fbb4798d2a
|
||||
SHA512 (paramiko-3.3.1.tar.gz) = 63fab82a25cf378768ddb29e727c012b47179a137a78f2e3e1316cc7bfe8e7707f90fddb4d4e65d659357ab624db93a09aa43d8aa4e1eb30a2a5f67e01bbd6ab
|
||||
Size (paramiko-3.3.1.tar.gz) = 1270242 bytes
|
||||
BLAKE2s (paramiko-3.4.0.tar.gz) = ee83ccda4e152dff5acb3bd6834c92436827d1d7a4cf524848936480b8c5bdd9
|
||||
SHA512 (paramiko-3.4.0.tar.gz) = fdbc8e45fefc7f9adcc1d576cf8979fe87a9bc403d15e4cedb3f06d1f75a52228f2e368c61ff8941b3c60c1090d4f1bad5adbdcaa50bf19d919a160f871b084b
|
||||
Size (paramiko-3.4.0.tar.gz) = 1277306 bytes
|
||||
|
|
Loading…
Reference in New Issue