Your message dated Tue, 11 Dec 2018 15:16:06 +0000
with message-id <e1gwjlw-0006hs...@fasolo.debian.org>
and subject line Bug#892859: fixed in paramiko 2.4.2-0.1
has caused the Debian Bug report #892859,
regarding paramiko: CVE-2018-7750: Server implementation does not check for auth before serving later requests
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
892859: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892859
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: paramiko
Version: 1.15.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/paramiko/paramiko/issues/1175

Hi,

the following vulnerability was published for paramiko.

CVE-2018-7750[0]:
| transport.py in the SSH server implementation of Paramiko before
| 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5,
| 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not
| properly check whether authentication is completed before processing
| other requests, as demonstrated by channel-open. A customized SSH
| client can simply skip the authentication step.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7750
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7750
[1] https://github.com/paramiko/paramiko/issues/1175

Regards,
Salvatore

--- End Message ---
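
The missing check described in the CVE text above, as an added illustration that is not part of the original messages and is not Paramiko's code. It is a toy in-memory dispatcher that handles connection-protocol messages with and without first checking authentication state; the names `ToyServer` and `replay`, the credential and the message sequences are constructed for the example.

```python
# Added illustration: a toy model of server-side SSH message dispatch.
# It is not Paramiko's code; class and function names are hypothetical.
# Message numbers are the standard SSH assignments (RFC 4250).
MSG_USERAUTH_REQUEST = 50
MSG_GLOBAL_REQUEST = 80
MSG_CHANNEL_OPEN = 90

# Numbers 80-127 belong to the connection protocol, which is only
# meaningful once user authentication has succeeded.
CONNECTION_PROTOCOL = range(80, 128)

CONSTRUCTED_CREDENTIAL = ("alice", "correct horse")  # constructed sample


class ToyServer:
    def __init__(self, check_auth_first):
        self.check_auth_first = check_auth_first  # False models the flaw
        self.authenticated = False
        self.open_channels = []

    def handle(self, msg_type, body=None):
        """Dispatch one client message and return the server's decision."""
        if (self.check_auth_first and msg_type in CONNECTION_PROTOCOL
                and not self.authenticated):
            return "rejected: not authenticated"
        if msg_type == MSG_USERAUTH_REQUEST:
            if body == CONSTRUCTED_CREDENTIAL:
                self.authenticated = True
                return "auth success"
            return "auth failure"
        if msg_type == MSG_CHANNEL_OPEN:
            self.open_channels.append(body)
            return "channel open confirmed"
        if msg_type == MSG_GLOBAL_REQUEST:
            return "global request served"
        return "unimplemented"


def replay(server, messages):
    """Feed a constructed message sequence to the server, collect replies."""
    return [server.handle(msg_type, body) for msg_type, body in messages]


# Constructed sequences: one client never authenticates, one does.
NO_AUTH = [(MSG_CHANNEL_OPEN, "session"), (MSG_GLOBAL_REQUEST, None)]
WITH_AUTH = [(MSG_USERAUTH_REQUEST, CONSTRUCTED_CREDENTIAL),
             (MSG_CHANNEL_OPEN, "session")]

if __name__ == "__main__":
    for label, gate in (("no auth check", False), ("auth check", True)):
        print(label, replay(ToyServer(gate), NO_AUTH))
```

With the check disabled the unauthenticated sequence is served in full; with it enabled the same sequence is rejected while the authenticated one still works.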
--- Begin Message ---
Source: paramiko
Source-Version: 2.4.2-0.1

We believe that the bug you reported is fixed in the latest version of
paramiko, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gaudenz Steinlin <gaud...@debian.org> (supplier of updated paramiko package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 01 Dec 2018 14:30:29 +0100
Source: paramiko
Binary: paramiko-doc python-paramiko python3-paramiko
Architecture: source all
Version: 2.4.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jeremy T. Bouse <jbo...@debian.org>
Changed-By: Gaudenz Steinlin <gaud...@debian.org>
Description:
 paramiko-doc - Make ssh v2 connections with Python (Documentation)
 python-paramiko - Make ssh v2 connections (Python 2)
 python3-paramiko - Make ssh v2 connections (Python 3)
Closes: 892859 904635
Changes:
 paramiko (2.4.2-0.1) unstable; urgency=medium
 .
   * New upstream version 2.4.2 (Closes: #892859)
   * Fix autopkgtests (switch to pytest) (Closes: #904635)

--- End Message ---
