Your message dated Fri, 16 Mar 2018 11:42:24 +0100
with message-id <[email protected]>
and subject line Re: Bug#892787: python-asyncssh: CVE-2018-7749
has caused the Debian Bug report #892787,
regarding python-asyncssh: CVE-2018-7749
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
892787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892787
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-asyncssh
Version: 1.11.1-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for python-asyncssh.
Although there should be no "servers" implemented in Debian
depending on python3-asyncssh, I still chose an RC severity to have the
fix certainly included in the next stable release (but I expect that 1.12.1
will land soon anyhow in unstable).

CVE-2018-7749[0]:
| The SSH server implementation of AsyncSSH before 1.12.1 does not
| properly check whether authentication is completed before processing
| other requests. A customized SSH client can simply skip the
| authentication step.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7749
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7749
[1] https://github.com/ronf/asyncssh/commit/c161e26cdc0d41b745b63d9f17b437f073bf7ba4

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-asyncssh
Source-Version: 1.12.1-1

> the following vulnerability was published for python-asyncssh.
> Although there should be no "servers" implemented in Debian
> depending on python3-asyncssh, I still chose an RC severity to have the
> fix certainly included in the next stable release (but I expect that 1.12.1
> will land soon anyhow in unstable).
> 
> CVE-2018-7749[0]:
> | The SSH server implementation of AsyncSSH before 1.12.1 does not
> | properly check whether authentication is completed before processing
> | other requests. A customized SSH client can simply skip the
> | authentication step.

This issue was fixed now with the 1.12.1-1 upload.

--- End Message ---
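
A simplified model of the missing check described in the CVE text above, added
here as an illustration; it is not AsyncSSH code and not the upstream patch.
Message numbers follow RFC 4250; ServerConnection, dispatch and replay are
hypothetical names, and the message sequence is constructed.

```python
# Simplified model of an SSH server message dispatcher (not AsyncSSH code).
# Message numbers are from RFC 4250; all class/function names are hypothetical.

MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
MSG_CHANNEL_OPEN = 90

# RFC 4250 section 4.1.2: numbers 80-127 belong to the connection protocol,
# which is only meant to run after user authentication has succeeded.
CONNECTION_RANGE = range(80, 128)


class ProtocolError(Exception):
    """A message arrived in a state that does not allow it."""


class ServerConnection:
    def __init__(self, check_auth_state):
        self.check_auth_state = check_auth_state  # False models the flaw
        self.authenticated = False
        self.handled = []

    def complete_auth(self):
        # Set by the server itself, only after it has verified credentials.
        self.authenticated = True

    def dispatch(self, msg_type):
        # The gate: connection-layer messages require completed authentication.
        if (self.check_auth_state and msg_type in CONNECTION_RANGE
                and not self.authenticated):
            raise ProtocolError(f"message {msg_type} before authentication")
        self.handled.append(msg_type)
        return msg_type


def replay(conn, messages):
    """Feed message numbers to conn; return (handled, rejected) lists."""
    rejected = []
    for msg_type in messages:
        try:
            conn.dispatch(msg_type)
        except ProtocolError:
            rejected.append(msg_type)
    return conn.handled, rejected


# Constructed input: a connection-layer message with no userauth exchange.
SKIPPED_AUTH = [MSG_SERVICE_REQUEST, MSG_CHANNEL_OPEN]
```

With check_auth_state=False the channel open is handled although no
authentication took place; with the gate enabled it is rejected.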