Friday 16th March 2018
Fedora Project
Updated python-paramiko to 2.4.1 in F-28 and Rawhide, to 2.3.2 in F-27, and to 2.2.3 in F-26:
CVE-2018-7750: A flaw was found in the implementation of transport.py in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step. This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.
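The class of bug described above, as an added example that is not Paramiko's code: a simplified model of a server-side message loop with and without a check that authentication has completed before connection-protocol messages are processed. The class, function and credential names are hypothetical; the message numbers are from RFC 4250.

```python
import hmac

# Message numbers from RFC 4250.
MSG_USERAUTH_REQUEST = 50
MSG_GLOBAL_REQUEST = 80
MSG_CHANNEL_OPEN = 90
MSG_CHANNEL_REQUEST = 98

# Constructed credential store for the demonstration.
USERS = {"alice": "correct horse"}


def is_connection_msg(msg_type):
    """Connection-protocol messages (RFC 4250 numbers 80-127) need an authenticated peer."""
    return 80 <= msg_type <= 127


class ToyServerTransport:
    """Simplified model of a server-side SSH message loop (not Paramiko's code)."""

    def __init__(self, enforce_auth_gate):
        self.enforce_auth_gate = enforce_auth_gate
        self.authenticated = False
        self.pre_auth_attempts = []  # message types worth alerting on

    def handle(self, msg_type, payload=None):
        if msg_type == MSG_USERAUTH_REQUEST:
            user, password = payload
            expected = USERS.get(user, "")
            ok = user in USERS and hmac.compare_digest(expected.encode(), password.encode())
            self.authenticated = self.authenticated or ok
            return "auth-ok" if ok else "auth-failed"
        if is_connection_msg(msg_type):
            if not self.authenticated:
                self.pre_auth_attempts.append(msg_type)
                if self.enforce_auth_gate:
                    return "rejected"
            return "processed"
        return "unimplemented"


def replay(messages, enforce_auth_gate):
    """Feed a list of (msg_type, payload) tuples to a fresh transport."""
    server = ToyServerTransport(enforce_auth_gate)
    return [server.handle(t, p) for t, p in messages], server.pre_auth_attempts


# Constructed traffic: one client skips authentication, one does not.
SKIPS_AUTH = [(MSG_CHANNEL_OPEN, None), (MSG_CHANNEL_REQUEST, None)]
WELL_BEHAVED = [(MSG_USERAUTH_REQUEST, ("alice", "correct horse")), (MSG_CHANNEL_OPEN, None)]
```

With the gate off, replay(SKIPS_AUTH, False) processes both channel messages; with it on, both are rejected, and in either case the pre-auth attempts are recorded for logging.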
Local Packages
Updated curl (7.59.0) to run the test suite using Python 3 from Fedora 28 onwards
Updated moin (1.9.9) to properly handle the upgrade from the Fedora moin package with a bundled passlib, which requires some Lua trickery to deal with a directory-to-symlink transition
Updated python-passlib (1.7.1) to fix an FTBFS (fails to build from source) in Fedora 28 and Rawhide, caused by crypt() via libxcrypt having bsdi_crypt and sha1_crypt support in Linux, which glibc crypt() did not have, and to add support for a Python 3.4 build for EL-7