PaulHowarth/Blog/2022-05-17

Tuesday 17th May 2022

Fedora Project

  • Updated python-paramiko to 2.11.0 in F-34, F-35, F-36 and Rawhide:

    • Align signature verification algorithm with OpenSSH re: zero-padding signatures that don't match their nominal size/length; this shouldn't affect most users, but will help Paramiko-implemented SSH servers handle poorly behaved clients such as PuTTY (GH#1933)

    • OpenSSH 7.7 and older has a bug preventing it from understanding how to perform SHA2 signature verification for RSA certificates (specifically certs - not keys), so when we added SHA2 support it broke all clients using RSA certificates with these servers; this has been fixed in a manner similar to what OpenSSH's own client does - a version check is performed and the algorithm used is downgraded if needed (GH#2017)

    • Recent versions of Cryptography have deprecated Blowfish algorithm support; in lieu of an easy method for users to remove it from the list of algorithms Paramiko tries to import and use, we've decided to remove it from our "preferred algorithms" list, which will both discourage use of a weak algorithm, and avoid warnings (GH#2038, GH#2039)

    • Windows-native SSH agent support as merged in 2.10 could encounter 'Errno 22' 'OSError' exceptions in some scenarios (e.g. server not cleanly closing a relevant named pipe); this has been worked around and should be less problematic (GH#2008, GH#2010)

    • Add SSH config token expansion (e.g. '%h', '%p') when parsing 'ProxyJump' directives (GH#1951)

    • Apply unittest 'skipIf' to tests currently using SHA1 in their critical path, to avoid failures on systems starting to disable SHA1 outright in their crypto backends (e.g. RHEL 9) (GH#2004, GH#2011)
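The version check described for GH#2017 can be sketched as follows. This is an added example, not Paramiko's own code and not part of the original post: the function names are hypothetical, the banners in the test data are constructed, and plain RSA keys are simplified to always sign with rsa-sha2-512.

```python
import re

# Signature algorithm names as used by OpenSSH for RSA keys and certificates.
SHA2_KEY_ALGO = "rsa-sha2-512"
SHA2_CERT_ALGO = "rsa-sha2-512-cert-v01@openssh.com"
LEGACY_CERT_ALGO = "ssh-rsa-cert-v01@openssh.com"  # SHA-1 based signature

# Software-version part of an identification string,
# e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10" -> major 7, minor 4.
_OPENSSH_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)")


def openssh_version(banner):
    """Return (major, minor) for an OpenSSH banner, or None for other software."""
    match = _OPENSSH_RE.match(banner.strip())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def pick_rsa_signature_algorithm(key_type, banner):
    """Choose the signature algorithm for RSA public-key authentication.

    key_type is "ssh-rsa" (plain key) or "ssh-rsa-cert-v01@openssh.com"
    (certificate); banner is the server's identification string.
    """
    if key_type == "ssh-rsa":
        # The server bug concerns certificates only, so keys keep SHA2.
        # (Simplification: a real client also negotiates with the server.)
        return SHA2_KEY_ALGO
    if key_type != LEGACY_CERT_ALGO:
        raise ValueError("not an RSA key or certificate: %r" % key_type)
    version = openssh_version(banner)
    # Compare as integer tuples so that 10.0 is not treated as older than 7.7.
    if version is not None and version <= (7, 7):
        return LEGACY_CERT_ALGO  # downgrade for OpenSSH 7.7 and older
    return SHA2_CERT_ALGO


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("SSH-2.0-OpenSSH_7.4", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
                   "SSH-2.0-dropbear_2020.81"):
        algo = pick_rsa_signature_algorithm(LEGACY_CERT_ALGO, sample)
        print("%-32s -> %s" % (sample, algo))
```

The downgrade path signs with SHA-1, so it is taken only for certificates presented to servers whose banner identifies them as OpenSSH 7.7 or older.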

Local Packages

  • More minor packaging tweaks for ansible-collection-community-libvirt (1.1.0):

    • Add COPYING as a %license file

    • Unconditionally use dynamic buildrequires to ensure expansion of %{ansible_collection_url} in SRPM

  • Updated perl-XML-LibXSLT to 2.002000:

