---
- branch: MAIN
  date: Mon Nov 29 09:33:19 UTC 2021
  files:
  - new: '1.42'
    old: '1.41'
    path: pkgsrc/security/py-paramiko/Makefile
    pathrev: pkgsrc/security/py-paramiko/Makefile@1.42
    type: modified
  - new: '1.28'
    old: '1.27'
    path: pkgsrc/security/py-paramiko/distinfo
    pathrev: pkgsrc/security/py-paramiko/distinfo@1.28
    type: modified
  id: 20211129T093319Z.9c4d501ab4763435ac2645934d5f65fd5274adad
  log: |
    py-paramiko: updated to 2.8.1

    2.8.1 2021-11-28
    [Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

    Warning
    This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

    This could enable attacks such as, but not limited to, the following:

    Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
    Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.
    [Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
    [Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
    [Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError`. Patch courtesy of Martin Packman.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/py-paramiko'
  unixtime: '1638178399'
  user: adam