| Summary: | dev-python/paramiko: Patch out server functionality behind a masked USE flag | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Virgil Dupras (RETIRED) <vdupras> |
| Component: | Current packages | Assignee: | Python Gentoo Team <python> |
| Status: | IN_PROGRESS | | |
| Severity: | normal | CC: | anton.kochkov, mgorny, rossi.f, vdupras |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Virgil Dupras (RETIRED)
2018-09-20 12:45:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5378291a91a7bd63b67cc9782bbb860abc69c75f

    commit 5378291a91a7bd63b67cc9782bbb860abc69c75f
    Author:     Virgil Dupras <vdupras@gentoo.org>
    AuthorDate: 2018-09-26 14:02:09 +0000
    Commit:     Virgil Dupras <vdupras@gentoo.org>
    CommitDate: 2018-09-26 14:02:09 +0000

        profiles: hard-mask server USE flag on dev-python/paramiko

        For security reasons.

        Bug: https://bugs.gentoo.org/666619
        Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

     profiles/base/package.use.mask | 6 ++++++
     1 file changed, 6 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28e7e2b6ccd187aa7850b3a9201b6d8b43898905

    commit 28e7e2b6ccd187aa7850b3a9201b6d8b43898905
    Author:     Virgil Dupras <vdupras@gentoo.org>
    AuthorDate: 2018-09-26 13:56:25 +0000
    Commit:     Virgil Dupras <vdupras@gentoo.org>
    CommitDate: 2018-09-26 14:00:47 +0000

        dev-python/paramiko: bump to 2.4.2

        Also, disable the server feature by default for security reasons.
        It can be re-enabled with the 'server' USE flag, which is going to be
        hard-masked.

        Bug: https://bugs.gentoo.org/666619
        Package-Manager: Portage-2.3.50, Repoman-2.3.11
        Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

     dev-python/paramiko/Manifest                          |  1 +
     .../files/paramiko-2.4.2-disable-server.patch         | 46 ++++++++++++++++
     dev-python/paramiko/metadata.xml                      |  3 ++
     dev-python/paramiko/paramiko-2.4.2.ebuild             | 62 ++++++++++++++++++++++
     4 files changed, 112 insertions(+)

Let's keep this bug open and see in a little while if paramiko's security status has improved so that we can unmask or remove that server USE flag.

I am confused. This bug is quite old and CVE-2018-1000805 looks solved. Should we still use the server patch?

(In reply to Fabio Rossi from comment #3)
> I am confused. This bug is quite old and CVE-2018-1000805 looks solved.
> Should we still use the server patch?

Probably. Nobody has audited the code so far to the best of my knowledge, and paramiko isn't exactly a package giving much confidence.

I don't really see the point in doing this unless the patch is trivial. We should instead make sure packages don't use this at all (the USE flag isn't helpful for that).
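The last comment suggests checking that packages do not use paramiko's server side at all, rather than relying on the USE flag. The following is an added example of such a check, written for this page; it is not Gentoo's ebuild patch nor paramiko's own code. It walks Python source with the standard `ast` module and reports every reference to paramiko's server-side API. The set `SERVER_NAMES` (ServerInterface, SubsystemHandler, SFTPServer, SFTPServerInterface and the `Transport.start_server()` method) is this example's own assumption about what "server functionality" covers; the two sample sources are constructed for the demonstration and are not real packages.

```python
"""Static scan for paramiko server-side API use (added example, not Gentoo's
or paramiko's code). Reports import sites, bare-name uses of from-imported
server classes, `paramiko.<ServerClass>` attribute accesses and any
`.start_server(...)` call, which on paramiko objects belongs to Transport."""
import ast
import sys
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Assumed definition of "server functionality" for this example.
SERVER_NAMES: Set[str] = {
    "ServerInterface",
    "SubsystemHandler",
    "SFTPServer",
    "SFTPServerInterface",
    "start_server",  # paramiko.Transport.start_server()
}

Hit = Tuple[int, str]  # (line number, description of the reference)


class ServerUseVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.hits: List[Hit] = []
        self.paramiko_aliases: Set[str] = set()  # names bound to the package
        self.from_imports: Dict[str, str] = {}   # local name -> paramiko name

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "paramiko" or alias.name.startswith("paramiko."):
                self.paramiko_aliases.add(alias.asname or alias.name.split(".")[0])
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        module = node.module or ""
        if module == "paramiko" or module.startswith("paramiko."):
            for alias in node.names:
                self.from_imports[alias.asname or alias.name] = alias.name
                if alias.name in SERVER_NAMES:
                    self.hits.append((node.lineno, f"from {module} import {alias.name}"))
        self.generic_visit(node)

    def visit_Name(self, node: ast.Name) -> None:
        # A from-imported server class used by its local name (e.g. as a base class).
        if isinstance(node.ctx, ast.Load) and self.from_imports.get(node.id) in SERVER_NAMES:
            self.hits.append((node.lineno, node.id))

    def visit_Attribute(self, node: ast.Attribute) -> None:
        if node.attr in SERVER_NAMES:
            base = node.value
            if isinstance(base, ast.Name) and base.id in self.paramiko_aliases:
                self.hits.append((node.lineno, f"{base.id}.{node.attr}"))
            elif node.attr == "start_server":
                # Method on an object we cannot resolve statically (typically a
                # Transport instance); flag it for manual review.
                self.hits.append((node.lineno, f"<expr>.{node.attr}"))
        self.generic_visit(node)


def find_paramiko_server_use(source: str, filename: str = "<string>") -> List[Hit]:
    visitor = ServerUseVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.hits)


def scan_tree(root: Path) -> Dict[str, List[Hit]]:
    """Scan every .py file under root; unparsable files are skipped."""
    results: Dict[str, List[Hit]] = {}
    for path in sorted(root.rglob("*.py")):
        try:
            hits = find_paramiko_server_use(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample sources (not real packages) so the scan runs stand-alone.
SAMPLE_SERVER = """\
import paramiko
from paramiko import ServerInterface, AUTH_SUCCESSFUL

class Server(ServerInterface):
    def check_auth_password(self, username, password):
        return AUTH_SUCCESSFUL

t = paramiko.Transport(sock)
t.add_server_key(paramiko.RSAKey.generate(2048))
t.start_server(server=Server())
"""

SAMPLE_CLIENT = """\
import paramiko as pm

client = pm.SSHClient()
client.set_missing_host_key_policy(pm.RejectPolicy())
client.connect("bastion.example", username="deploy", key_filename="id_ed25519")
_, out, _ = client.exec_command("uname -a")
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, hits in scan_tree(Path(sys.argv[1])).items():
            for lineno, what in hits:
                print(f"{name}:{lineno}: {what}")
    else:
        for label, src in (("server sample", SAMPLE_SERVER), ("client sample", SAMPLE_CLIENT)):
            print(label, find_paramiko_server_use(src))
```

Run it with a directory argument (for instance a site-packages tree) to list every server-side reference per file; with no argument it scans the two embedded samples, flagging the server sample at its import, its base-class use and the `start_server` call, and reporting nothing for the client-only sample. It is a syntactic scan: `getattr(paramiko, "ServerInterface")` or `start_server` reached through an alias it cannot resolve will be missed or only flagged generically, which is why the `<expr>.start_server` hits are reported for review rather than silently dropped.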