--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2018-86171fce03
2018-04-10 18:06:59.887703
--------------------------------------------------------------------------------

Name        : python-paramiko
Product     : Fedora EPEL 7
Version     : 2.1.1
Release     : 0.4.el7
URL         : https://github.com/paramiko/paramiko
Summary     : SSH2 protocol library for python
Description :
Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is a module for Python 2.3 or greater that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. Unlike SSL (aka TLS), the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and rsh for secure access to remote shells, but the protocol also includes the ability to open arbitrary channels to remote services across an encrypted tunnel. (This is how sftp works, for example.)

--------------------------------------------------------------------------------
Update Information:

A flaw was found in the implementation of `transport.py` in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step. This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1557130 - CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
        https://bugzilla.redhat.com/show_bug.cgi?id=1557130
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs. Use
su -c 'yum update python-paramiko' at the command line.
For more information, refer to "YUM", available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...

All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
epel-package-announce@lists.fedoraproject.org
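
A minimal model of the check that the Update Information section describes as missing, added here as an illustration; it is not Paramiko's code. The class and function names and the sample sessions are constructed for this example, and the message numbers are the standard SSH values from RFC 4250.

```python
# Illustrative model, not Paramiko's transport.py. Message numbers are the
# standard SSH values (RFC 4250); class, function and sample names are hypothetical.
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST, MSG_USERAUTH_FAILURE, MSG_USERAUTH_SUCCESS = 50, 51, 52
MSG_CHANNEL_OPEN, MSG_CHANNEL_REQUEST = 90, 98
HIGHEST_USERAUTH_MSG = 79  # 50-79 user authentication; 80 and up connection protocol


class PreAuthViolation(Exception):
    """A connection-protocol message arrived before authentication completed."""


class ServerDispatcher:
    def __init__(self, check_password, enforce_auth=True):
        self.check_password = check_password
        self.enforce_auth = enforce_auth  # False models the missing check
        self.authenticated = False
        self.handled = []  # message types the server acted on

    def dispatch(self, msg_type, payload=None):
        # The gate: nothing above the user-auth range is processed until
        # authentication has succeeded on this connection.
        if (self.enforce_auth and msg_type > HIGHEST_USERAUTH_MSG
                and not self.authenticated):
            raise PreAuthViolation("message %d before authentication" % msg_type)
        if msg_type == MSG_USERAUTH_REQUEST:
            self.authenticated = bool(self.check_password(*payload))
            return MSG_USERAUTH_SUCCESS if self.authenticated else MSG_USERAUTH_FAILURE
        self.handled.append(msg_type)
        return None


def replay(server, messages):
    """Feed (type, payload) pairs to the server; return (handled, rejected_type)."""
    for msg_type, payload in messages:
        try:
            server.dispatch(msg_type, payload)
        except PreAuthViolation:
            return server.handled, msg_type  # a real server would refuse or disconnect
    return server.handled, None


def demo_check(user, password):  # constructed credential store
    return (user, password) == ("alice", "correct-horse")

# Constructed sample sessions (not captured traffic).
WITH_AUTH = [(MSG_SERVICE_REQUEST, None), (MSG_USERAUTH_REQUEST, ("alice", "correct-horse")),
             (MSG_CHANNEL_OPEN, None), (MSG_CHANNEL_REQUEST, None)]
NO_AUTH = [(MSG_SERVICE_REQUEST, None), (MSG_CHANNEL_OPEN, None), (MSG_CHANNEL_REQUEST, None)]

if __name__ == "__main__":
    for name, enforce in (("gated", True), ("ungated", False)):
        print(name, replay(ServerDispatcher(demo_check, enforce), NO_AUTH))
```

The same `replay` helper works as a regression test for any server-side dispatcher: a session without a successful user-auth exchange must never reach a channel handler.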