#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Monday 29th November 2021 ===
==== Fedora Project ====
 * Updated `python-paramiko` to 2.8.1 in Rawhide:
  * Fix `listdir` failure when server uses a locale ([[https://github.com/paramiko/paramiko/issues/985|GH#985]], [[https://github.com/paramiko/paramiko/pull/992|GH#992]]); now on Python 2.7 `SFTPAttributes` will decode abbreviated month names correctly rather than raise '`UnicodeDecodeError`'
  * Deleting items from '`~paramiko.hostkeys.HostKeys`' would incorrectly raise '`KeyError`' even for valid keys, due to a logic bug ([[https://github.com/paramiko/paramiko/pull/1024|GH#1024]])
  * Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically '`TypeError`' and its internal '`UnsupportedAlgorithm`') ([[https://github.com/paramiko/paramiko/issues/1257|GH#1257]], [[https://github.com/paramiko/paramiko/pull/1266|GH#1266]]); these exception classes will now become '`~paramiko.ssh_exception.SSHException`' instances instead of bubbling up
  * Update '`~paramiko.pkey.PKey`' and subclasses to compare ('`__eq__`') via direct field/attribute comparison instead of hashing (while retaining the existing behaviour of '`__hash__`' via a slight refactor) ([[https://github.com/paramiko/paramiko/issues/908|GH#908]])
   . '''Warning:''' This fixes a security flaw!
   . If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 that is running with '`PYTHONHASHSEED=0`') it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key; this could enable attacks such as, but not limited to, the following:
    * Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim; we see this as the most plausible attack using this flaw
    * Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack; this impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques
==== Local Packages ====
 * Updated `perl-PPIx-Regexp` to 0.082:
  * Add `--version` to `eg/predump`, and document all options with double dashes
  * Silence 'uninitialized' warning generated by `/(?<=.{35})/`
  * Try to quell weird Win32 test failures that seem to occur only in tests where I am using '`use open`' to put the standard handles into UTF-8 mode; the fix (I hope) is to do this to the `Test::Harness` handles at run time instead of to the standard handles at compile time
  * Add file `CONTRIBUTING`
----
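As an added example (not paramiko's code and not part of this page), a simplified Python model of the GH#908 fix listed under Fedora Project above: the weak pattern where `__eq__` is answered by `__hash__`, beside the fixed field-by-field comparison that keeps `__hash__` intact. The key fields, the `HASH_BITS` truncation and the `find_colliding_fields` helper are constructed so the small-hash-space failure is visible at toy scale.

```python
# Simplified model of the GH#908 equality fix. Not paramiko's code: the key
# fields and the truncated hash below are constructed to make the flaw visible.
HASH_BITS = 16  # constructed: stands in for the low-entropy 32-bit hash space


def truncated_hash(fields: tuple) -> int:
    """Python's hash of the key fields, masked to HASH_BITS (models a 32-bit build)."""
    return hash(fields) & ((1 << HASH_BITS) - 1)


class WeakKey:
    """Weak pattern: __eq__ is answered by __hash__, so a hash collision reads as 'same key'."""
    def __init__(self, key_type: str, n: int, e: int):
        self.key_type, self.n, self.e = key_type, n, e

    def fields(self) -> tuple:
        return (self.key_type, self.n, self.e)

    def __hash__(self) -> int:
        return truncated_hash(self.fields())

    def __eq__(self, other) -> bool:
        return hash(self) == hash(other)  # the bug: equal hash taken as equal key


class FixedKey(WeakKey):
    """Fixed pattern: compare the key material itself; keep __hash__ for dict/set use."""
    def __eq__(self, other) -> bool:
        return isinstance(other, FixedKey) and self.fields() == other.fields()

    # Defining __eq__ alone would set __hash__ to None; restating it is the
    # 'slight refactor' that keeps the existing hashing behaviour.
    __hash__ = WeakKey.__hash__


def find_colliding_fields(target: WeakKey, max_tries: int = 1 << 20) -> tuple:
    """Return different key fields with the same truncated hash as target (about 65k tries at 16 bits)."""
    for n in range(1, max_tries):
        candidate = (target.key_type, n, target.e)
        if n != target.n and truncated_hash(candidate) == hash(target):
            return candidate
    raise RuntimeError("no collision within max_tries")


def demo() -> dict:
    """Check a constructed victim key against a hash-colliding impostor under both patterns."""
    victim = ("ssh-rsa", 0xC0FFEE1234567, 65537)  # constructed sample fields, not a real key
    impostor = find_colliding_fields(WeakKey(*victim))
    return {
        "fields_differ": victim != impostor,
        "weak_says_equal": WeakKey(*victim) == WeakKey(*impostor),    # True: the flaw
        "fixed_says_equal": FixedKey(*victim) == FixedKey(*impostor),  # False: closed
        "hash_unchanged": hash(FixedKey(*victim)) == hash(WeakKey(*victim)),
    }
```

Run `demo()` to see the two verdicts side by side; the point to carry into a code review is that `__eq__` must never be derived from `__hash__`, only the reverse.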