pkgsrc-Changes archive


CVS commit: pkgsrc/security/py-paramiko



Module Name:    pkgsrc
Committed By:   adam
Date:           Mon Nov 29 09:33:19 UTC 2021

Modified Files:
        pkgsrc/security/py-paramiko: Makefile distinfo

Log Message:
py-paramiko: updated to 2.8.1

2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). 
Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

Warning
This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

This could enable attacks such as, but not limited to, the following:

- Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
- Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.

[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError. Patch courtesy of Martin Packman.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 pkgsrc/security/py-paramiko/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/security/py-paramiko/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/py-paramiko/Makefile
diff -u pkgsrc/security/py-paramiko/Makefile:1.41 pkgsrc/security/py-paramiko/Makefile:1.42
--- pkgsrc/security/py-paramiko/Makefile:1.41   Mon Oct 11 09:34:52 2021
+++ pkgsrc/security/py-paramiko/Makefile        Mon Nov 29 09:33:19 2021
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.41 2021/10/11 09:34:52 adam Exp $
+# $NetBSD: Makefile,v 1.42 2021/11/29 09:33:19 adam Exp $
 
-DISTNAME=      paramiko-2.8.0
+DISTNAME=      paramiko-2.8.1
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    security python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=p/paramiko/}
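
Review bot: the log message subject for the DISTNAME bump from paramiko-2.8.0 to paramiko-2.8.1 reads only "py-paramiko: updated to 2.8.1", while the quoted changelog says "This fixes a security flaw!". Consider marking the subject line as a security update so the change stands out to anyone scanning commit subjects.
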
@@ -19,7 +19,7 @@ TEST_DEPENDS+=        ${PYPKGPREFIX}-test-relax
 PYTHON_VERSIONED_DEPENDENCIES= test:test
 
 do-test:
-       cd ${WRKSRC} && pytest-${PYVERSSUFFIX} tests
+       cd ${WRKSRC} && ${SETENV} ${TEST_ENV} pytest-${PYVERSSUFFIX} tests
 
 .include "../../lang/python/egg.mk"
 .include "../../lang/python/versioned_dependencies.mk"
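
Review bot: the do-test change that now runs the tests as "${SETENV} ${TEST_ENV} pytest-${PYVERSSUFFIX} tests" is not mentioned in the log message, which carries only the 2.8.1 changelog. Add a line to the message saying why the test run needs TEST_ENV, since none of the visible Makefile context sets it.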

Index: pkgsrc/security/py-paramiko/distinfo
diff -u pkgsrc/security/py-paramiko/distinfo:1.27 pkgsrc/security/py-paramiko/distinfo:1.28
--- pkgsrc/security/py-paramiko/distinfo:1.27   Tue Oct 26 11:17:48 2021
+++ pkgsrc/security/py-paramiko/distinfo        Mon Nov 29 09:33:19 2021
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.27 2021/10/26 11:17:48 nia Exp $
+$NetBSD: distinfo,v 1.28 2021/11/29 09:33:19 adam Exp $
 
-BLAKE2s (paramiko-2.8.0.tar.gz) = bccf92abda36cf9f580ff70c3083e4c9046f1d22bdd5de21e97cb5b104ce962e
-SHA512 (paramiko-2.8.0.tar.gz) = e989c922c66606abe103a8bad581d80e04847eaa64e9c7f819a87d099658ae723009840cc24e32048c81eec01de2d72fdc859d91fd618988c9b241e17ea11af7
-Size (paramiko-2.8.0.tar.gz) = 1063170 bytes
+BLAKE2s (paramiko-2.8.1.tar.gz) = 9e888506771d21939211445998131c75d6e402f7d4c53254fa606e8c41506963
+SHA512 (paramiko-2.8.1.tar.gz) = 6514a4eb415f0745bea5640e263b2db18422b1ded933ae55dae1693ea574258e26f5629b44b585b86180cc31e27a24bfeaf7f8530599bbc5c522727aba70ec1f
+Size (paramiko-2.8.1.tar.gz) = 1057497 bytes
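
The equality flaw described in the 2.8.1 changelog above, as an added Python illustration that is not part of this commit or of Paramiko's code. ToyKey, HashEqKey, FieldEqKey, toy_hash32 and is_authorized are hypothetical names, and the 32-bit hash is a constructed stand-in for a low-entropy 32-bit hash().

```python
# Added illustration: toy classes only, not Paramiko's PKey implementation.
MASK32 = 0xFFFFFFFF

def toy_hash32(name, e, n):
    """Constructed stand-in for a hash confined to 32 bits (assumption)."""
    acc = sum(name.encode())
    for part in (e, n):
        acc = (acc * 1000003 + part) & MASK32
    return acc

class ToyKey:
    def __init__(self, name, e, n):
        self.fields = (name, e, n)

    def __hash__(self):
        return toy_hash32(*self.fields)

class HashEqKey(ToyKey):
    """Pre-fix pattern: equality is decided by comparing hashes."""
    def __eq__(self, other):
        return isinstance(other, ToyKey) and hash(self) == hash(other)
    __hash__ = ToyKey.__hash__  # defining __eq__ would otherwise unset it

class FieldEqKey(ToyKey):
    """Post-fix pattern: equality compares the fields; __hash__ is unchanged."""
    def __eq__(self, other):
        return isinstance(other, ToyKey) and self.fields == other.fields
    __hash__ = ToyKey.__hash__

def is_authorized(presented, authorized_keys):
    """Authorized-keys style lookup that relies on == between key objects."""
    return any(presented == known for known in authorized_keys)

def demo():
    n = 0xC0FFEE12345678ABCDEF  # constructed toy modulus, not a real key
    results = {}
    for cls in (HashEqKey, FieldEqKey):
        enrolled = cls("ssh-rsa", 65537, n)
        different = cls("ssh-rsa", 65537, n + 2**32)  # other fields, same toy hash
        results[cls.__name__] = {
            "same_hash": hash(enrolled) == hash(different),
            "authorized": is_authorized(different, [enrolled]),
            "in_set": different in {enrolled},
        }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both classes keep the same hash value, so dict and set lookups still work; only the field comparison stops a key with different contents from being treated as the enrolled one.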


