Mon Nov 29 09:33:19 2021 UTC ()
py-paramiko: updated to 2.8.1

2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

Warning
This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

This could enable attacks such as, but not limited to, the following:

Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.
[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError. Patch courtesy of Martin Packman.


(adam)
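The changelog entry above describes the defect in general terms: key equality was derived from the key's hash, so on a platform with a 32-bit hash a second key whose hash collides with the victim's is treated as the same key. The following is an added example, not paramiko's own code, that models both the pre-2.8.1 pattern and the fix side by side. All names (narrow_hash, HashComparedKey, FieldComparedKey, authorized, demo) are hypothetical, and the hash is deliberately narrowed to 16 bits (a constructed stand-in for the 32-bit Python hash the warning refers to) so that a colliding key can be written down by hand rather than searched for.

```python
# Added example (not paramiko code): why a key class must not define equality
# through its hash. HashComparedKey models the pre-2.8.1 pattern described in
# the changelog; FieldComparedKey models the fix (compare fields, keep __hash__).
# All names here are hypothetical, and the 16-bit hash is constructed so that a
# second key with the same hash can be written down directly.

HASH_BITS = 16           # constructed: a narrow hash standing in for a 32-bit Python hash()
HASH_MOD = 1 << HASH_BITS


def narrow_hash(fields):
    """Fold integer key fields into HASH_BITS bits (the mixing constant 37 is arbitrary)."""
    h = 0
    for field in fields:
        h = (h * 37 + field) % HASH_MOD
    return h


class HashComparedKey:
    """Pre-fix pattern: __eq__ delegates to __hash__, so a hash collision becomes equality."""

    def __init__(self, e, n):
        self.e = e   # public exponent
        self.n = n   # modulus

    def _fields(self):
        return (self.e, self.n)

    def __hash__(self):
        return narrow_hash(self._fields())

    def __eq__(self, other):
        return hash(self) == hash(other)   # the defect: keys are "equal" whenever their hashes collide


class FieldComparedKey(HashComparedKey):
    """Fixed pattern: compare the actual fields; __hash__ is kept so keys still work in dicts and sets."""

    def __eq__(self, other):
        if not isinstance(other, FieldComparedKey):
            return NotImplemented
        return self._fields() == other._fields()

    # Defining __eq__ silently sets __hash__ to None; restore it explicitly.
    __hash__ = HashComparedKey.__hash__


def authorized(allowed_keys, presented):
    """Stand-in for an authorized-keys check: accept if the presented key equals any allowed key."""
    return any(presented == key for key in allowed_keys)


def demo():
    """Return (vulnerable_accepts, fixed_accepts) for a key that matches only in the narrow hash."""
    e, n = 65537, 0x12345678
    forged_n = n + HASH_MOD   # a different modulus whose difference narrow_hash folds away

    vulnerable_accepts = authorized([HashComparedKey(e, n)], HashComparedKey(e, forged_n))
    fixed_accepts = authorized([FieldComparedKey(e, n)], FieldComparedKey(e, forged_n))
    return vulnerable_accepts, fixed_accepts


def hash_invariant_holds():
    """Equal objects must hash equal (the converse is not required); check it for the fixed class."""
    a = FieldComparedKey(65537, 0x12345678)
    b = FieldComparedKey(65537, 0x12345678)
    return a == b and hash(a) == hash(b) and a in {b}


if __name__ == "__main__":
    print("vulnerable/fixed accept the colliding key:", demo())   # (True, False)
    print("hash invariant holds for the fixed class:", hash_invariant_holds())  # True
```

The point to carry away is the direction of the invariant: equal keys must hash equal, but equal hashes say nothing about the keys, so a host-key or authorized-key check that ends in `==` is only as strong as `__eq__`. The fixed class keeps `__hash__` so HostKeys-style dict and set lookups keep working, but the decision itself is made on the fields.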
diff -r1.41 -r1.42 pkgsrc/security/py-paramiko/Makefile
diff -r1.27 -r1.28 pkgsrc/security/py-paramiko/distinfo

cvs diff -r1.41 -r1.42 pkgsrc/security/py-paramiko/Makefile

--- pkgsrc/security/py-paramiko/Makefile 2021/10/11 09:34:52 1.41
+++ pkgsrc/security/py-paramiko/Makefile 2021/11/29 09:33:19 1.42
@@ -1,26 +1,26 @@ @@ -1,26 +1,26 @@
1# $NetBSD: Makefile,v 1.41 2021/10/11 09:34:52 adam Exp $ 1# $NetBSD: Makefile,v 1.42 2021/11/29 09:33:19 adam Exp $
2 2
3DISTNAME= paramiko-2.8.0 3DISTNAME= paramiko-2.8.1
4PKGNAME= ${PYPKGPREFIX}-${DISTNAME} 4PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
5CATEGORIES= security python 5CATEGORIES= security python
6MASTER_SITES= ${MASTER_SITE_PYPI:=p/paramiko/} 6MASTER_SITES= ${MASTER_SITE_PYPI:=p/paramiko/}
7 7
8MAINTAINER= pkgsrc-users@NetBSD.org 8MAINTAINER= pkgsrc-users@NetBSD.org
9HOMEPAGE= https://www.paramiko.org/ 9HOMEPAGE= https://www.paramiko.org/
10COMMENT= SSH2 protocol library 10COMMENT= SSH2 protocol library
11LICENSE= gnu-lgpl-v2.1 11LICENSE= gnu-lgpl-v2.1
12 12
13DEPENDS+= ${PYPKGPREFIX}-bcrypt>=3.1.3:../../security/py-bcrypt 13DEPENDS+= ${PYPKGPREFIX}-bcrypt>=3.1.3:../../security/py-bcrypt
14DEPENDS+= ${PYPKGPREFIX}-cryptography>=2.5:../../security/py-cryptography 14DEPENDS+= ${PYPKGPREFIX}-cryptography>=2.5:../../security/py-cryptography
15DEPENDS+= ${PYPKGPREFIX}-nacl>=1.0.1:../../security/py-nacl 15DEPENDS+= ${PYPKGPREFIX}-nacl>=1.0.1:../../security/py-nacl
16TEST_DEPENDS+= ${PYPKGPREFIX}-mock-[0-9]*:../../devel/py-mock 16TEST_DEPENDS+= ${PYPKGPREFIX}-mock-[0-9]*:../../devel/py-mock
17TEST_DEPENDS+= ${PYPKGPREFIX}-test-relaxed-[0-9]*:../../devel/py-test-relaxed 17TEST_DEPENDS+= ${PYPKGPREFIX}-test-relaxed-[0-9]*:../../devel/py-test-relaxed
18 18
19PYTHON_VERSIONED_DEPENDENCIES= test:test 19PYTHON_VERSIONED_DEPENDENCIES= test:test
20 20
21do-test: 21do-test:
22 cd ${WRKSRC} && pytest-${PYVERSSUFFIX} tests 22 cd ${WRKSRC} && ${SETENV} ${TEST_ENV} pytest-${PYVERSSUFFIX} tests
23 23
24.include "../../lang/python/egg.mk" 24.include "../../lang/python/egg.mk"
25.include "../../lang/python/versioned_dependencies.mk" 25.include "../../lang/python/versioned_dependencies.mk"
26.include "../../mk/bsd.pkg.mk" 26.include "../../mk/bsd.pkg.mk"
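Review bot: the do-test change on line 22 (`cd ${WRKSRC} && ${SETENV} ${TEST_ENV} pytest-${PYVERSSUFFIX} tests`) is a test-target change unrelated to the version bump, and the commit message, which only reproduces upstream's 2.8.1 changelog, does not mention it; a short line such as "also pass TEST_ENV to pytest" would keep the log accurate for anyone bisecting test behaviour later. The remainder of the hunk is the expected DISTNAME bump to paramiko-2.8.1 and the RCS Id update, with dependency bounds unchanged.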

cvs diff -r1.27 -r1.28 pkgsrc/security/py-paramiko/distinfo

--- pkgsrc/security/py-paramiko/distinfo 2021/10/26 11:17:48 1.27
+++ pkgsrc/security/py-paramiko/distinfo 2021/11/29 09:33:19 1.28
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
1$NetBSD: distinfo,v 1.27 2021/10/26 11:17:48 nia Exp $ 1$NetBSD: distinfo,v 1.28 2021/11/29 09:33:19 adam Exp $
2 2
3BLAKE2s (paramiko-2.8.0.tar.gz) = bccf92abda36cf9f580ff70c3083e4c9046f1d22bdd5de21e97cb5b104ce962e 3BLAKE2s (paramiko-2.8.1.tar.gz) = 9e888506771d21939211445998131c75d6e402f7d4c53254fa606e8c41506963
4SHA512 (paramiko-2.8.0.tar.gz) = e989c922c66606abe103a8bad581d80e04847eaa64e9c7f819a87d099658ae723009840cc24e32048c81eec01de2d72fdc859d91fd618988c9b241e17ea11af7 4SHA512 (paramiko-2.8.1.tar.gz) = 6514a4eb415f0745bea5640e263b2db18422b1ded933ae55dae1693ea574258e26f5629b44b585b86180cc31e27a24bfeaf7f8530599bbc5c522727aba70ec1f
5Size (paramiko-2.8.0.tar.gz) = 1063170 bytes 5Size (paramiko-2.8.1.tar.gz) = 1057497 bytes
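Review bot: the BLAKE2s, SHA512 and Size lines all move to paramiko-2.8.1.tar.gz together, which is the complete set for a distfile update; since this update ships a security fix, it is worth stating in the commit message that the new checksums were generated from a distfile fetched via the MASTER_SITES entry in the Makefile (PyPI) rather than copied from elsewhere, so that downstream reviewers can reproduce the distinfo against the same source.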