Monday 29th November 2021
Fedora Project
Updated python-paramiko to 2.8.1 in Rawhide:
Fix listdir failure when server uses a locale (GH#985, GH#992); now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise 'UnicodeDecodeError'
Deleting items from '~paramiko.hostkeys.HostKeys' would incorrectly raise 'KeyError' even for valid keys, due to a logic bug (GH#1024)
Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically 'TypeError' and its internal 'UnsupportedAlgorithm') (GH#1257, GH#1266); these exception classes will now become '~paramiko.ssh_exception.SSHException' instances instead of bubbling up
Update '~paramiko.pkey.PKey' and subclasses to compare ('__eq__') via direct field/attribute comparison instead of hashing (while retaining the existing behaviour of '__hash__' via a slight refactor) (GH#908)
Warning:
This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 that is running with 'PYTHONHASHSEED=0') it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key; this could enable attacks such as, but not limited to, the following:
- Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim; we see this as the most plausible attack using this flaw
- Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack; this impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques
Local Packages
Updated perl-PPIx-Regexp to 0.082:
Add --version to eg/predump, and document all options with double dashes
Silence 'uninitialized' warning generated by /(?<=.{35})/
Try to quell weird Win32 test failures that seem to occur only in tests where I am using 'use open' to put the standard handles into UTF-8 mode; the fix (I hope) is to do this to the Test::Harness handles at run time instead of to the standard handles at compile time
Add file CONTRIBUTING