Sunday 13th March 2022
Fedora Project
Updated python-paramiko to 2.10.1 in F-34, F-35, F-36 and Rawhide:
CVE-2022-24302: Creation of new private key files using '~paramiko.pkey.PKey' subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using 'os.open' and 'os.fdopen' to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit 'chmod' in place to minimize any possible disruption, though it may get removed in future backwards-incompatible updates)
Add support for the '%C' token when parsing SSH config files (GH#1976)
Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant isn't available or functional (GH#1509, GH#1837, GH#1868)
Significantly speed up low-level read/write actions on '~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview' (GH#892); this is unlikely to change anything for users of the higher level methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of 'SFTPClient.open' will likely see orders of magnitude improvements for files larger than a few megabytes in size
Add 'six' explicitly to install-requires; it snuck into active use at some point but has only been indicated by transitive dependency on 'bcrypt' until they somewhat-recently dropped it (GH#1985); this will be short-lived until we drop Python 2 support
Updated python-paramiko (2.4.3) in EPEL-8 with back-ported fix (and tests) for CVE-2022-24302 from version 2.10.1