#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Friday 24th December 2021 ===
==== Fedora Project ====
 * Updated `perl-DateTime` to 1.55 in Rawhide:
  * Another documentation fix release; this fixes some mistakes, fixes some broken links, and removes all references to the long-dead `datetime.perl.org` site
 * Updated `python-paramiko` to 2.9.0 in Rawhide:
  * Add support for SHA-2 variants of RSA key verification algorithms (as described in RFC 8332) as well as limited SSH extension negotiation (RFC 8308) ([[https://github.com/paramiko/paramiko/pull/1326|GH#1326]], [[https://github.com/paramiko/paramiko/pull/1643|GH#1643]], [[https://github.com/paramiko/paramiko/pull/1644|GH#1644]], [[https://github.com/paramiko/paramiko/pull/1925|GH#1925]])
  . How SSH servers/clients decide when and how to use this functionality can be complicated; Paramiko's support is as follows:
   * Client verification of server host key during key exchange will now prefer `rsa-sha2-512`, `rsa-sha2-256`, and legacy `ssh-rsa` algorithms, in that order, instead of just `ssh-rsa`
    * Note that the preference order of other algorithm families such as `ed25519` and `ecdsa` has not changed; for example, those two groups are still preferred over RSA
   * Server mode will now offer all 3 RSA algorithms for host key verification during key exchange, similar to client mode, if it has been configured with an RSA host key
   * Client mode key exchange now sends the `ext-info-c` flag, signalling support for `MSG_EXT_INFO`, and support for parsing the latter (specifically, its `server-sig-algs` flag) has been added
   * Client mode, when performing public key authentication with an RSA key or cert, will act as follows:
    * In all cases, the list of algorithms to consider is based on the new `preferred_pubkeys` list and `disabled_algorithms`; this list, like with host keys, prefers `SHA2-512`, `SHA2-256` and `SHA1`, in that order
    * When the server does not send `server-sig-algs`, Paramiko will attempt the first algorithm in the above list; clients connecting to legacy servers should thus use `disabled_algorithms` to turn off `SHA2`
    * When the server does send `server-sig-algs`, the first algorithm supported by both ends is used, or if there is none, it falls back to the previous behaviour
   * SSH agent support grew the ability to specify algorithm flags when requesting private key signatures; this is now used to forward `SHA2` algorithms when appropriate
   * Server mode is now capable of pubkey auth involving `SHA-2` signatures from clients, provided one's server implementation actually provides for doing so; this includes basic support for sending `MSG_EXT_INFO` (containing `server-sig-algs` only) to clients advertising `ext-info-c` in their key exchange list
  . In order to implement the above, the following API additions were made:
   * '`PKey.sign_ssh_data`': Grew an extra, optional '`algorithm`' keyword argument (defaulting to '`None`' for most subclasses, and to "`ssh-rsa`" for '`~paramiko.rsakey.RSAKey`')
   * A new '`~paramiko.ssh_exception.SSHException`' subclass was added, '`~paramiko.ssh_exception.IncompatiblePeer`', and is raised in all spots where key exchange aborts due to algorithmic incompatibility; like all other exceptions in that module, it inherits from '`SSHException`', and as nothing else was changed about the raising (i.e. the attributes and message text are the same) this change is backwards compatible
   * '`~paramiko.transport.Transport`' grew a '`_preferred_pubkeys`' attribute and matching '`preferred_pubkeys`' property to match the other, kex-focused, such members; this allows client pubkey authentication to honour the '`disabled_algorithms`' feature
 * Branched and built `perl-Class-Load` (0.25) for EPEL-9
 * Branched and built `perl-Class-Load-XS` (0.10) for EPEL-9
 * Branched and built `perl-Module-CPANTS-Analyse` (1.01) for EPEL-9
 * Branched and built `perl-Test-Kwalitee` (1.28) for EPEL-9
==== Local Packages ====
 * Updated `perl-DateTime` to 1.55 as per the Fedora version
----
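
The client-side RSA public key authentication rules in the `python-paramiko` 2.9.0 entry above can be modelled in a few lines. This is an added illustration, not code from Paramiko or from this page: the function names are hypothetical, the server algorithm lists are constructed sample data, and reading "previous behaviour" as "try the first remaining algorithm" is an assumption.

```python
"""Model of the client-side RSA signature choice described in the entry.

Pure-Python illustration; it does not import or call Paramiko.
"""

# Preference order from the entry: SHA2-512, SHA2-256, then SHA1 (ssh-rsa).
PREFERRED_RSA_PUBKEYS = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def candidate_algorithms(disabled_algorithms=None):
    """Preferred list minus the names disabled under the "pubkeys" key."""
    disabled = set((disabled_algorithms or {}).get("pubkeys", ()))
    return [a for a in PREFERRED_RSA_PUBKEYS if a not in disabled]


def choose_rsa_sig_algorithm(server_sig_algs=None, disabled_algorithms=None):
    """Return the algorithm name the client would sign its auth request with.

    server_sig_algs is None when the server sent no server-sig-algs,
    otherwise the list of algorithm names it advertised.
    """
    candidates = candidate_algorithms(disabled_algorithms)
    if not candidates:
        raise ValueError("all RSA pubkey algorithms are disabled")
    if server_sig_algs is not None:
        for algo in candidates:  # first algorithm supported by both ends
            if algo in server_sig_algs:
                return algo
    # Assumption: "previous behaviour" means trying the first candidate,
    # exactly as when no server-sig-algs was received.
    return candidates[0]


def demo():
    """Constructed scenarios; the server lists are sample data."""
    sha1_only = {"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]}
    return {
        "modern": choose_rsa_sig_algorithm(["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"]),
        "legacy, default": choose_rsa_sig_algorithm(None),
        "legacy, SHA2 disabled": choose_rsa_sig_algorithm(None, sha1_only),
        "no overlap": choose_rsa_sig_algorithm(["ssh-ed25519"]),
    }


if __name__ == "__main__":
    for scenario, algo in demo().items():
        print(f"{scenario:24} -> {algo}")
```

The "legacy, default" scenario is the case the entry warns about: with no `server-sig-algs` from the server, the client tries `rsa-sha2-512` first. Since `ssh-rsa` signs with SHA-1, the `disabled_algorithms` override is best scoped to the legacy hosts that need it.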