↵ Return to the main page of python-paramiko-doc
View build
Search for updates
Package Info
🠗 Changelog
🠗 Provides
🠗 Files
Date | Author | Change |
---|---|---|
2023-12-29 | Paul Howarth <paul at city dash fan dot org> - 2.12.0-2 | - Address CVE 2023-48795 (a.k.a. the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows: - The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements ``hmac-sha2-(256|512)-etm`` in tandem with 'AES-CBC' - As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH ≥ 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode - Paramiko will always attempt to use "strict kex" mode if offered by the server, unless you override this by specifying 'strict_kex=False' in 'Transport.__init__' - Paramiko will now raise an 'SSHException' subclass ('MessageOrderError') when protocol messages are received in unexpected order; this includes situations like receiving 'MSG_DEBUG' or 'MSG_IGNORE' during initial key exchange, which are no longer allowed during strict mode - Key (re)negotiation, i.e. 'MSG_NEWKEYS', whenever it is encountered, now resets packet sequence numbers (this should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, 'MessageOrderError') - Sequence number rollover will now raise 'SSHException' if it occurs during initial key exchange (regardless of strict mode status) - Tweak 'ext-info-(c|s)' detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail - 'Transport' grew a new 'packetizer_class' kwarg for overriding the packet-handler class used internally; this is mostly for testing, but advanced users may find this useful when doing deep hacks - A handful of lower-level classes (notably 'paramiko.message.Message' and 'paramiko.pkey.PKey') previously returned 'bytes' objects from their implementation of '__str__', even under Python 3, and there was never any '__bytes__' method; these issues have been fixed by renaming '__str__' to '__bytes__' and relying on Python's default "stringification returns the output of '__repr__'" behavior re: any real attempts to 'str()' such objects |
2022-11-06 | Paul Howarth <paul at city dash fan dot org> - 2.12.0-1 | - Update to 2.12.0 (rhbz#2140281) - Add a 'transport_factory' kwarg to 'SSHClient.connect' for advanced users to gain more control over early Transport setup and manipulation (GH#2054, GH#2125) - Update '~paramiko.client.SSHClient' so it explicitly closes its wrapped socket object upon encountering socket errors at connection time; this should help somewhat with certain classes of memory leaks, resource warnings, and/or errors (though we hasten to remind everyone that Client and Transport have their own '.close()' methods for use in non-error situations!) (GH#1822) - Raise '~paramiko.ssh_exception.SSHException' explicitly when blank private key data is loaded, instead of the natural result of 'IndexError'; this should help more bits of Paramiko or Paramiko-adjacent codebases to correctly handle this class of error (GH#1599, GH#1637) - Use SPDX-format license tag |
2022-07-22 | Fedora Release Engineering <releng at fedoraproject dot org> - 2.11.0-3 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild |
2022-06-14 | Python Maint <python dash maint at redhat dot com> - 2.11.0-2 | - Rebuilt for Python 3.11 |
2022-05-17 | Paul Howarth <paul at city dash fan dot org> - 2.11.0-1 | - Update to 2.11.0 - Align signature verification algorithm with OpenSSH re: zero-padding signatures that don't match their nominal size/length; this shouldn't affect most users, but will help Paramiko-implemented SSH servers handle poorly behaved clients such as PuTTY (GH#1933) - OpenSSH 7.7 and older has a bug preventing it from understanding how to perform SHA2 signature verification for RSA certificates (specifically certs - not keys), so when we added SHA2 support it broke all clients using RSA certificates with these servers; this has been fixed in a manner similar to what OpenSSH's own client does - a version check is performed and the algorithm used is downgraded if needed (GH#2017) - Recent versions of Cryptography have deprecated Blowfish algorithm support; in lieu of an easy method for users to remove it from the list of algorithms Paramiko tries to import and use, we've decided to remove it from our "preferred algorithms" list, which will both discourage use of a weak algorithm, and avoid warnings (GH#2038, GH#2039) - Windows-native SSH agent support as merged in 2.10 could encounter 'Errno 22' 'OSError' exceptions in some scenarios (e.g. server not cleanly closing a relevant named pipe); this has been worked around and should be less problematic (GH#2008, GH#2010) - Add SSH config token expansion (eg '%h', '%p') when parsing 'ProxyJump' directives (GH#1951) - Apply unittest 'skipIf' to tests currently using SHA1 in their critical path, to avoid failures on systems starting to disable SHA1 outright in their crypto backends (e.g. RHEL 9) (GH#2004, GH#2011) |
2022-04-26 | Paul Howarth <paul at city dash fan dot org> - 2.10.4-1 | - Update to 2.10.4 - Update 'camelCase' method calls against the 'threading' module to be 'snake_case'; this and related tweaks should fix some deprecation warnings under Python 3.10 (GH#1838, GH#1870, GH#2028) - '~paramiko.pkey.PKey' instances' '__eq__' did not have the usual safety guard in place to ensure they were being compared to another 'PKey' object, causing occasional spurious 'BadHostKeyException', among other things (GH#1964, GH#2023, GH#2024) - Servers offering certificate variants of hostkey algorithms (e.g. 'ssh-rsa-cert-v01@openssh.com') could not have their host keys verified by Paramiko clients, as it only ever considered non-cert key types for that part of connection handshaking (GH#2035) |
2022-03-21 | Paul Howarth <paul at city dash fan dot org> - 2.10.3-2 | - Skip tests that would fail without SHA-1 signing support in backend, such as on EL-9 (GH#2011) |
2022-03-19 | Paul Howarth <paul at city dash fan dot org> - 2.10.3-1 | - Update to 2.10.3 - Certificate-based pubkey auth was inadvertently broken when adding SHA2 support in version 2.9.0 (GH#1963, GH#1977) - Switch from module-global to thread-local storage when recording thread IDs for a logging helper; this should avoid one flavor of memory leak for long-running processes (GH#2002, GH#2003) |
2022-03-15 | Paul Howarth <paul at city dash fan dot org> - 2.10.2-1 | - Update to 2.10.2 - Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001) - Re-enable sftp tests, no longer failing under mock |
2022-03-13 | Paul Howarth <paul at city dash fan dot org> - 2.10.1-1 | - Update to 2.10.1 - CVE-2022-24302: Creation of new private key files using '~paramiko.pkey.PKey' subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using 'os.open' and 'os.fdopen' to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit 'chmod' in place to minimize any possible disruption, though it may get removed in future backwards-incompatible updates) - Add support for the '%C' token when parsing SSH config files (GH#1976) - Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant isn't available or functional (GH#1509, GH#1837, GH#1868) - Significantly speed up low-level read/write actions on '~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview' (GH#892); this is unlikely to change anything for users of the higher level methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of 'SFTPClient.open' will likely see orders of magnitude improvements for files larger than a few megabytes in size - Add 'six' explicitly to install-requires; it snuck into active use at some point but has only been indicated by transitive dependency on 'bcrypt' until they somewhat-recently dropped it (GH#1985); this will be short-lived until we drop Python 2 support |