PaulHowarth/Blog/2018-03-16

Friday 16th March 2018

Fedora Project

  • Updated python-paramiko to 2.4.1 in F-28 and Rawhide, to 2.3.2 in F-27, and to 2.2.3 in F-26:

    • CVE-2018-7750: A flaw was found in the implementation of transport.py in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step. This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.
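
An added illustration, not Paramiko's code and not part of the original post: a simplified Python model of the missing check described for CVE-2018-7750, with the unchecked dispatch beside the gated one. The class name, the `check_auth` switch, the result strings and the password are hypothetical; the message numbers are the standard SSH ones.

```python
import hmac

# Standard SSH message numbers (RFC 4250).
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
MSG_GLOBAL_REQUEST = 80
MSG_CHANNEL_OPEN = 90
MSG_CHANNEL_REQUEST = 98

# Messages a peer may legitimately send before authentication completes.
PRE_AUTH_ALLOWED = {MSG_SERVICE_REQUEST, MSG_USERAUTH_REQUEST}


class ToyServerTransport:
    """Hypothetical server-side dispatcher; a model, not Paramiko's transport.py."""

    def __init__(self, check_auth, valid_password="constructed-secret"):
        self.check_auth = check_auth      # False models the flawed behaviour
        self.authenticated = False
        self._valid_password = valid_password
        self.handled = []                 # message types that reached a handler

    def dispatch(self, msg_type, payload=""):
        if msg_type == MSG_USERAUTH_REQUEST:
            # Constant-time comparison of the constructed credential.
            self.authenticated = hmac.compare_digest(payload, self._valid_password)
            return "auth-success" if self.authenticated else "auth-failure"
        # The gate: refuse anything else until authentication has completed.
        if (self.check_auth and not self.authenticated
                and msg_type not in PRE_AUTH_ALLOWED):
            return "rejected"
        self.handled.append(msg_type)
        return "handled"


def replay(transport, messages):
    """Feed (msg_type, payload) pairs to a transport and collect the results."""
    return [transport.dispatch(t, p) for t, p in messages]


if __name__ == "__main__":
    # Constructed session: the peer never sends MSG_USERAUTH_REQUEST.
    session = [(MSG_SERVICE_REQUEST, ""), (MSG_CHANNEL_OPEN, ""),
               (MSG_CHANNEL_REQUEST, "")]
    print("no gate:", replay(ToyServerTransport(check_auth=False), session))
    print("gated:  ", replay(ToyServerTransport(check_auth=True), session))
```

A server-side regression test for this class of bug asserts that, on a fresh connection, nothing outside the pre-authentication set ever reaches a handler.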

Local Packages

  • Updated curl (7.59.0) to run the test suite using Python 3 from Fedora 28 onwards

  • Updated moin (1.9.9) to properly handle the upgrade from the Fedora moin package with a bundled passlib, which requires some Lua trickery to deal with a directory-to-symlink transition

  • Updated python-passlib (1.7.1) to fix FTBFS in Fedora 28 and Rawhide, caused by crypt() via libxcrypt having bsdi_crypt and sha1_crypt support on Linux (which glibc's crypt() did not have), and to add support for a Python 3.4 build for EL-7

