Summary: | <dev-python/paramiko-2.4.1: Authentication Bypass Vulnerability | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | alicef, python, vdupras |
Priority: | High | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/paramiko/paramiko/issues/1175 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=666619 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 647562 | ||
Bug Blocks: |
Description
D'juan McDonald (domhnall)
2018-08-23 08:01:27 UTC
We will have to stabilize alpha first, which depends on bug 647562. Because it could take a while, maybe we should mask 2.1.2 (the current stable version for alpha). I don't see, in revdep, any version constraint that would require us to keep anything below 2.4.1.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef708bfa3da9a5d0ffa1485e16292723d4664e6b

commit ef708bfa3da9a5d0ffa1485e16292723d4664e6b
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-23 12:13:25 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-23 12:14:48 +0000

profiles: mask vulnerable versions of dev-python/paramiko

Bug: https://bugs.gentoo.org/664346

profiles/arch/alpha/package.use.mask | 4 ++++
profiles/package.mask | 4 ++++
2 files changed, 8 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2617dd4dd47aacc4bfed6787dc9b9c65ab6bb2b

commit e2617dd4dd47aacc4bfed6787dc9b9c65ab6bb2b
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-23 13:09:02 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-23 13:10:38 +0000

dev-python/paramiko: remove old and vulnerable

Bug: https://bugs.gentoo.org/664346
Package-Manager: Portage-2.3.48, Repoman-2.3.10

dev-python/paramiko/Manifest | 3 --
dev-python/paramiko/paramiko-2.2.1.ebuild | 45 --------------------------
dev-python/paramiko/paramiko-2.3.1.ebuild | 52 -----------------------------
dev-python/paramiko/paramiko-2.4.0.ebuild | 54 -------------------------------
4 files changed, 154 deletions(-)

Now that alpha was keyworded, we can start stabilization.

Alpha, please stabilize:
=dev-python/paramiko-2.4.1
=dev-python/pynacl-1.2.1
Thanks!

An automated check of this bug failed - repoman reported dependency errors (2 lines truncated):
> dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']

An automated check of this bug succeeded - the previous repoman errors are now resolved.

Stable on alpha.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e97bc46d463f386d48b2a26dccc9493407903a

commit e0e97bc46d463f386d48b2a26dccc9493407903a
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-13 12:53:26 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-13 12:53:26 +0000

profiles: remove obsolete paramiko masks

Bug: https://bugs.gentoo.org/664346
Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

profiles/arch/alpha/package.use.mask | 4 ----
profiles/package.mask | 4 ----
2 files changed, 8 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f212b2b47de2f73f65316a340f840d8bae8bd7c

commit 6f212b2b47de2f73f65316a340f840d8bae8bd7c
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-13 12:51:57 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-13 12:51:57 +0000

dev-python/paramiko: remove old and vulnerable

Bug: https://bugs.gentoo.org/664346
Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

dev-python/paramiko/Manifest | 1 -
dev-python/paramiko/paramiko-2.1.2.ebuild | 42 -------------------------------
2 files changed, 43 deletions(-)

Stabilization complete, cleanup done.

Cleanup will happen in bug 668876