#acl PaulHowarth:read,write,admin,revert,delete All:read

=== Sunday 13th March 2022 ===

==== Fedora Project ====

 * Updated `python-paramiko` to 2.10.1 in F-34, F-35, F-36 and Rawhide:
  * [[CVE:2022-24302|CVE-2022-24302]]: creation of new private key files using `~paramiko.pkey.PKey` subclasses was subject to a race condition between file creation and mode modification: the file was first created with the permissions implied by the process umask (typically world-readable) and only afterwards restricted with `chmod`, so an attacker with knowledge of where the Paramiko-using code would write out such files could open them during that window; this has been patched by using `os.open` and `os.fdopen` to ensure new files are created with the correct mode immediately (the subsequent explicit `chmod` has been left in place to minimize any possible disruption, though it may be removed in a future backwards-incompatible update)
  * Add support for the `%C` token when parsing SSH config files ([[https://github.com/paramiko/paramiko/issues/1976|GH#1976]])
  * Add support for OpenSSH's Windows agent as a fallback when PuTTY/Pageant isn't available or functional ([[https://github.com/paramiko/paramiko/issues/1509|GH#1509]], [[https://github.com/paramiko/paramiko/pull/1837|GH#1837]], [[https://github.com/paramiko/paramiko/pull/1868|GH#1868]])
  * Significantly speed up low-level read/write actions on `~paramiko.sftp_file.SFTPFile` objects by using `bytearray`/`memoryview` ([[https://github.com/paramiko/paramiko/issues/892|GH#892]]); this is unlikely to change anything for users of the higher-level methods like `SFTPClient.get` or `SFTPClient.getfo`, but users of `SFTPClient.open` will likely see orders-of-magnitude improvements for files larger than a few megabytes
  * Add `six` explicitly to install-requires; it snuck into active use at some point but was only being pulled in as a transitive dependency via `bcrypt`, which somewhat recently dropped it ([[https://github.com/paramiko/paramiko/pull/1985|GH#1985]]); this will be short-lived until Python 2 support is dropped
 * Updated `python-paramiko` (2.4.3) in EPEL-8 with a back-ported fix (and tests) for [[CVE:2022-24302|CVE-2022-24302]] from version 2.10.1

----
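As an added illustration of the CVE-2022-24302 race in the paramiko update above (this is example code written for this page, not paramiko's own implementation), the script below contrasts the two patterns: `write_key_racy` creates the file with `open()` and only then calls `chmod`, while `write_key_safe` passes the mode to `os.open()` so the file is 0600 from the moment it exists. The `observe` callback stands in for a second process that opens the file during the window; the key material and file names are constructed placeholders, and the exact flags used here (`O_WRONLY | O_CREAT | O_TRUNC`) are this example's choice rather than a claim about paramiko's code. POSIX only, since `os.open` mode bits are not honoured on Windows.

```python
"""Illustrates the file-mode race behind CVE-2022-24302 (added example)."""
import os
import stat
import tempfile

PRIVATE_MODE = 0o600

# Constructed stand-in for key material; not a real key.
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"AAAA...\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")


def mode_of(path):
    """Permission bits of `path`, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path, data, observe=None):
    """Pre-fix pattern: create the file, write it, then tighten the mode.

    Between open() and os.chmod() the file carries 0o666 & ~umask
    (0o644 under the usual 022 umask), i.e. it is world-readable.
    `observe` is called inside that window.
    """
    with open(path, "wb") as f:
        f.write(data)
        if observe is not None:
            observe(path)  # an attacker could open the file here
    os.chmod(path, PRIVATE_MODE)


def write_key_safe(path, data, observe=None):
    """Post-fix pattern: ask the kernel for 0o600 at creation time.

    With O_CREAT the mode is applied (minus the umask) by the same
    syscall that creates the inode, so there is no looser-mode window.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        if observe is not None:
            observe(path)  # already 0o600 at this point
    # Kept deliberately: the mode argument only affects *newly created*
    # files, so an existing file at `path` is tightened by this call.
    os.chmod(path, PRIVATE_MODE)


def mode_seen_in_window(writer, umask=0o022):
    """Run `writer` under a fixed umask in a temp dir and return
    (mode the observer saw mid-write, final mode after the writer returns)."""
    seen = {}

    def observer(p):
        seen["mode"] = mode_of(p)

    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "id_ed25519")  # constructed name
            writer(path, FAKE_KEY, observe=observer)
            final = mode_of(path)
    finally:
        os.umask(old_umask)
    return seen["mode"], final


if __name__ == "__main__":
    for name, writer in (("racy", write_key_racy), ("safe", write_key_safe)):
        for umask in (0o022, 0o000):
            during, after = mode_seen_in_window(writer, umask)
            print(f"{name} (umask {umask:03o}): during write {during:04o}, "
                  f"after chmod {after:04o}")
```

Both writers end up at 0600, which is why the bug is easy to miss in tests that only inspect the final state; only the mode observed mid-write differs, and the racy variant gets worse as the umask loosens (0666 under a 000 umask).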