(https://nvd.nist.gov/vuln/detail/CVE-2018-7750): transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step. (http://www.paramiko.org/changelog.html): "Additionally, pyasn1 has been removed from setup.py and its imports in the GSSAPI code made optional." @maintainer(s): 2.4.1 is in tree, as is vulnerable 2.3.1. Are we dropping the vulnerable version(s)? Gentoo Security Padawan (domhnall)
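To make the advisory text concrete, here is an added example (constructed for this write-up; it is not paramiko's code and not its actual patch): a toy server-side transport whose `gate_on_auth` flag switches between the pre-fix behaviour described above (any message type is dispatched regardless of authentication state, so a client that never sends a userauth request can still open a channel) and the hardened behaviour (non-auth messages are refused until userauth has completed). The message numbers are the SSH constants from RFC 4250/4254; the `PRE_AUTH_ALLOWED` allow-list, the password check, and the `run_client` driver are assumptions made for the model.

```python
"""Constructed model of the CVE-2018-7750 bug class: a server transport that
dispatches CHANNEL_OPEN before user authentication has completed.
Not paramiko's code; message numbers are the RFC 4250/4254 constants."""

from dataclasses import dataclass, field

# SSH message type numbers (RFC 4250 section 4.1.2)
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
MSG_USERAUTH_SUCCESS = 52
MSG_CHANNEL_OPEN = 90

# Message types the server may process before userauth completes.
# Assumption: a minimal allow-list for this model; a real transport also
# handles kex, disconnect, ignore, debug and similar messages pre-auth.
PRE_AUTH_ALLOWED = {MSG_SERVICE_REQUEST, MSG_USERAUTH_REQUEST}


@dataclass
class ModelTransport:
    """Tiny stand-in for a server-side SSH transport state machine."""
    gate_on_auth: bool            # False = vulnerable, True = hardened
    authenticated: bool = False
    open_channels: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def handle(self, ptype: int, payload: dict) -> str:
        # Hardened path: refuse anything outside the pre-auth allow-list
        # until authentication has succeeded. The vulnerable path skips this.
        if self.gate_on_auth and not self.authenticated \
                and ptype not in PRE_AUTH_ALLOWED:
            self.rejected.append(ptype)
            return "rejected: not authenticated"
        if ptype == MSG_USERAUTH_REQUEST:
            # Constructed credential check; a real server verifies keys/passwords.
            if payload.get("password") == "correct horse":
                self.authenticated = True
                return "userauth success"
            return "userauth failure"
        if ptype == MSG_CHANNEL_OPEN:
            # Channel-open is the request the advisory names as the demonstration.
            self.open_channels.append(payload["kind"])
            return "channel opened: " + payload["kind"]
        return "ignored"


def run_client(skip_auth: bool, gate_on_auth: bool) -> ModelTransport:
    """Drive the transport like a client would. skip_auth=True models the
    customized client from the advisory that never sends a userauth request."""
    t = ModelTransport(gate_on_auth=gate_on_auth)
    t.handle(MSG_SERVICE_REQUEST, {"service": "ssh-userauth"})
    if not skip_auth:
        t.handle(MSG_USERAUTH_REQUEST, {"user": "alice", "password": "correct horse"})
    t.handle(MSG_CHANNEL_OPEN, {"kind": "session"})
    return t


if __name__ == "__main__":
    vuln = run_client(skip_auth=True, gate_on_auth=False)
    print("vulnerable, no auth  ->", vuln.open_channels)    # ['session']
    fixed = run_client(skip_auth=True, gate_on_auth=True)
    print("hardened, no auth    ->", fixed.open_channels)   # []
    ok = run_client(skip_auth=False, gate_on_auth=True)
    print("hardened, authed     ->", ok.open_channels)      # ['session']
```

The whole difference between the two behaviours is the single `gate_on_auth` branch at the top of `handle`: the check must sit in the dispatcher, before any per-message handler runs, rather than inside individual handlers where a new message type can be added without it. Paramiko's real fix is in transport.py, as the advisory states; the upstream changelog linked above is the authoritative description of it.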
We will have to stabilize alpha first, which depends on bug 647562. Because it could take a while, maybe we should mask 2.1.2 (the current stable version for alpha). I don't see, in revdep, any version constraint that would require us to keep anything below 2.4.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef708bfa3da9a5d0ffa1485e16292723d4664e6b

commit ef708bfa3da9a5d0ffa1485e16292723d4664e6b
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-23 12:13:25 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-23 12:14:48 +0000

    profiles: mask vulnerable versions of dev-python/paramiko

    Bug: https://bugs.gentoo.org/664346

 profiles/arch/alpha/package.use.mask | 4 ++++
 profiles/package.mask                | 4 ++++
 2 files changed, 8 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2617dd4dd47aacc4bfed6787dc9b9c65ab6bb2b

commit e2617dd4dd47aacc4bfed6787dc9b9c65ab6bb2b
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-23 13:09:02 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-23 13:10:38 +0000

    dev-python/paramiko: remove old and vulnerable

    Bug: https://bugs.gentoo.org/664346
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 dev-python/paramiko/Manifest              |  3 --
 dev-python/paramiko/paramiko-2.2.1.ebuild | 45 --------------------------
 dev-python/paramiko/paramiko-2.3.1.ebuild | 52 -----------------------------
 dev-python/paramiko/paramiko-2.4.0.ebuild | 54 -------------------------------
 4 files changed, 154 deletions(-)
Now that alpha was keyworded, we can start stabilization. Alpha, please stabilize: =dev-python/paramiko-2.4.1 =dev-python/pynacl-1.2.1 Thanks!
An automated check of this bug failed - repoman reported dependency errors (2 lines truncated): > dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]'] > dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]'] > dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Stable on alpha.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e97bc46d463f386d48b2a26dccc9493407903a

commit e0e97bc46d463f386d48b2a26dccc9493407903a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-13 12:53:26 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-13 12:53:26 +0000

    profiles: remove obsolete paramiko masks

    Bug: https://bugs.gentoo.org/664346
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/arch/alpha/package.use.mask | 4 ----
 profiles/package.mask                | 4 ----
 2 files changed, 8 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f212b2b47de2f73f65316a340f840d8bae8bd7c

commit 6f212b2b47de2f73f65316a340f840d8bae8bd7c
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-13 12:51:57 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-13 12:51:57 +0000

    dev-python/paramiko: remove old and vulnerable

    Bug: https://bugs.gentoo.org/664346
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-python/paramiko/Manifest              |  1 -
 dev-python/paramiko/paramiko-2.1.2.ebuild | 42 -------------------------------
 2 files changed, 43 deletions(-)
Stabilization complete, cleanup done.
Cleanup will happen in bug 668876