* CVE-2018-1000805 https://github.com/paramiko/paramiko/issues/1283 Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains an Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appears to be exploitable via network connectivity. -- Gentoo Security Scout Vladimir Krstulja
dev-python/paramiko: bump to 2.4.2 "disable the server feature by default for security reasons." AFAIK, 2.4.1 doesn't enable this use flag. ping @security.
@maintainer, please let us know when you are ready for stable.
It's ready. Arches, please stabilize. Thanks.
amd64 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24bb89247f7c13a9800df1d234d27bc9c67937c0

commit 24bb89247f7c13a9800df1d234d27bc9c67937c0
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-27 20:57:01 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-27 20:57:01 +0000

dev-python/paramiko-2.4.2-r0: alpha stable

Bug: http://bugs.gentoo.org/668876
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

dev-python/paramiko/paramiko-2.4.2.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
x86 stable
ia64 stable
ppc stable
ppc64 stable
hppa stable
arm and sparc, the remaining arches to stabilize, are not part of the Vulnerability Treatment Policy. We can move on.
(In reply to Virgil Dupras from comment #12)
> arm and sparc, the remaining arches to stabilize, are not part of the
> Vulnerability Treatment Policy. We can move on.

Please drop 2.4.1.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3345da15d6753f22de4075c82d5411e98a9a3101

commit 3345da15d6753f22de4075c82d5411e98a9a3101
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-12-03 21:45:05 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-12-03 21:45:05 +0000

dev-python/paramiko: security cleanup

Bug: https://bugs.gentoo.org/668876
Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

dev-python/paramiko/paramiko-2.4.1.ebuild | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(In reply to Larry the Git Cow from comment #14)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3345da15d6753f22de4075c82d5411e98a9a3101
>
> commit 3345da15d6753f22de4075c82d5411e98a9a3101
> Author: Virgil Dupras <vdupras@gentoo.org>
> AuthorDate: 2018-12-03 21:45:05 +0000
> Commit: Virgil Dupras <vdupras@gentoo.org>
> CommitDate: 2018-12-03 21:45:05 +0000
>
> dev-python/paramiko: security cleanup
>
> Bug: https://bugs.gentoo.org/668876
> Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
> Package-Manager: Portage-2.3.51, Repoman-2.3.11
>
> dev-python/paramiko/paramiko-2.4.1.ebuild | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

Thank you. Bug will remain open for final arches to stabilize and cleanup of old ebuild.
arm stable
sparc stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8657180ba44be30767646d6f7ccf6d51393147b1

commit 8657180ba44be30767646d6f7ccf6d51393147b1
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-12-15 18:02:19 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-12-15 18:02:19 +0000

dev-python/paramiko: remove old and vulnerable

Bug: https://bugs.gentoo.org/668876
Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

dev-python/paramiko/Manifest | 1 -
dev-python/paramiko/paramiko-2.4.1.ebuild | 54 -------------------------------
2 files changed, 55 deletions(-)
GLSA Vote: No