Changelog for python310-paramiko-3.4.0-1.5.noarch.rpm :
* Wed Dec 20 2023 Steve Kowalik
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168)
  * Transport grew a new packetizer_class kwarg for overriding the packet-handler class used internally.
  * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows:
    + The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements hmac-sha2-(256|512)-etm in tandem with AES-CBC.
    + As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode.
    + Paramiko will now raise an SSHException subclass (MessageOrderError) when protocol messages are received in unexpected order. This includes situations like receiving MSG_DEBUG or MSG_IGNORE during initial key exchange, which are no longer allowed during strict mode.
    + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered -- now resets packet sequence numbers. (This should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, MessageOrderError.)
    + Sequence number rollover will now raise SSHException if it occurs during initial key exchange (regardless of strict mode status).
  * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail.
- Add patch use-64-bit-maxsize-everywhere.patch:
  * Use the 64-bit value of sys.maxsize.
* Fri Sep 29 2023 Ondřej Súkup
- refresh remove-icecream-dep.patch
- update to 3.3.1 detailed changelog: https://www.paramiko.org/changelog.html#
* Fri May 12 2023 Daniel Garcia
- Delete paramiko-pr1665-remove-pytest-relaxed.patch
- Add remove-icecream-dep.patch
- Update to 3.1.0:
  * [Feature] #2173: Accept single tabs as field separators (in addition to single spaces) in for parity with OpenSSH’s KnownHosts parser. Patched by Alex Chavkin.
  * [Feature] #2013: (solving #2009, plus others) Add an explicit channel_timeout keyword argument to paramiko.client.SSHClient.connect, allowing users to configure the previously-hardcoded default value of 3600 seconds. Thanks to @VakarisZ and @ilija-lazoroski for the report and patch, with credit to Mike Salvatore for patch review.
  * [Support] #2178: Apply codespell to the codebase, which found a lot of very old minor spelling mistakes in docstrings. Also modernize many instances of *largs vs *args and **kwarg vs **kwargs. Patch courtesy of Yaroslav Halchenko, with review from Brian Skinn.
- 3.0.0:
  * [Bug]: A handful of lower-level classes (notably paramiko.message.Message and paramiko.pkey.PKey) previously returned bytes objects from their implementation of __str__, even under Python 3; and there was never any __bytes__ method.
  * These issues have been fixed by renaming __str__ to __bytes__ and relying on Python’s default “stringification returns the output of __repr__” behavior re: any real attempts to str() such objects.
  * [Bug] #2165: Streamline some redundant (and costly) byte conversion calls in the packetizer and the core SFTP module. This should lead to some SFTP speedups at the very least. Thanks to Alex Gaynor for the patch.
  * [Bug] #2110: Remove some unnecessary __repr__ calls when handling bytes-vs-str conversions. This was apparently doing a lot of unintentional data processing, which adds up in some use cases – such as SFTP transfers, which may now be significantly faster. Kudos to Shuhua Zhong for catch & patch.
  * [Support]: Drop support for Python versions less than 3.6, including Python 2. So long and thanks for all the fish!
  * [Support]: Remove the now irrelevant paramiko.py3compat module.
  * [Support]: paramiko.common.asbytes has been moved to paramiko.util.asbytes.
  * [Support]: PKey.__cmp__ has been removed. Ordering-oriented comparison of key files is unlikely to have ever made sense (the old implementation attempted to order by the hashes of the key material) and so we have not bothered setting up __lt__ and friends at this time. The class continues to have its original __eq__ untouched.
  * [Support]: The behavior of private key classes’ (ie anything inheriting from PKey) private key writing methods used to perform a manual, extra chmod call after writing. This hasn’t been strictly necessary since the mid 2.x release line (when key writing started giving the mode argument to os.open), and has now been removed entirely.
  * This should only be observable if you were mocking Paramiko’s system calls during your own testing, or similar.
  * [Support] #732: (also re: #630) SSHConfig used to straight-up delete the proxycommand key from config lookup results when the source config said ProxyCommand none. This has been altered to preserve the key and give it the Python value None, thus making the Python representation more in line with the source config file.
  * [Support]: paramiko.util.retry_on_signal (and any internal uses of same, and also any internal retries of EINTR on eg socket operations) has been removed. As of Python 3.5, per PEP 475, this functionality (and retrying EINTR generally) is now part of the standard library.
* Sun Apr 23 2023 Matej Cepl
- Move documentation into main package for SLE15
* Fri Apr 21 2023 Dirk Müller
- add sle15_python_module_pythons (jsc#PED-68)
* Sun Nov 20 2022 Ben Greiner
- Update to 2.12.0
  * [Feature] #2125: (also re: #2054) Add a transport_factory kwarg to SSHClient.connect for advanced users to gain more control over early Transport setup and manipulation. Thanks to Noah Pederson for the patch.
- Release 2.11.1
  * [Bug]: bug:1637 (via #1599) Raise SSHException explicitly when blank private key data is loaded, instead of the natural result of IndexError. This should help more bits of Paramiko or Paramiko-adjacent codebases to correctly handle this class of error. Credit: Nicholas Dietz.
  * [Bug] #1822: (via, and relating to, far too many other issues to mention here) Update SSHClient so it explicitly closes its wrapped socket object upon encountering socket errors at connection time. This should help somewhat with certain classes of memory leaks, resource warnings, and/or errors (though we hasten to remind everyone that Client and Transport have their own .close() methods for use in non-error situations!). Patch courtesy of @YoavCohen.
- Rename and refresh:
  - paramiko-pr1655-remove-pytest-relaxed.patch
  + paramiko-pr1665-remove-pytest-relaxed.patch
  * gh#paramiko/paramiko#1665
* Thu May 26 2022 Michael Ströder
- update to 2.11.0
  * [Feature] #1951: Add SSH config token expansion (eg %h, %p) when parsing ProxyJump directives.
  * [Support] #2004: (via #2011) Apply unittest skipIf to tests currently using SHA1 in their critical path, to avoid failures on systems starting to disable SHA1 outright in their crypto backends (eg RHEL 9).
  * [Support] #1838: (via #1870/#2028) Update camelCase method calls against the threading module to be snake_case; this and related tweaks should fix some deprecation warnings under Python 3.10.
  * [Support] #2038: (via #2039) Recent versions of Cryptography have deprecated Blowfish algorithm support; in lieu of an easy method for users to remove it from the list of algorithms Paramiko tries to import and use, we’ve decided to remove it from our “preferred algorithms” list. This will both discourage use of a weak algorithm, and avoid warnings.
- update to 2.10.5
  * [Bug] #2008: (via #2010) Windows-native SSH agent support as merged in 2.10 could encounter Errno 22 OSError exceptions in some scenarios (eg server not cleanly closing a relevant named pipe). This has been worked around and should be less problematic.
  * [Bug] #2017: OpenSSH 7.7 and older has a bug preventing it from understanding how to perform SHA2 signature verification for RSA certificates (specifically certs - not keys), so when we added SHA2 support it broke all clients using RSA certificates with these servers. This has been fixed in a manner similar to what OpenSSH’s own client does: a version check is performed and the algorithm used is downgraded if needed.
  * [Bug] #1933: Align signature verification algorithm with OpenSSH re: zero-padding signatures which don’t match their nominal size/length. This shouldn’t affect most users, but will help Paramiko-implemented SSH servers handle poorly behaved clients such as PuTTY.
* Thu Apr 28 2022 Dirk Müller
- update to 2.10.4:
  * Servers offering certificate variants of hostkey algorithms (eg ssh-rsa-cert-v01@openssh.com) could not have their host keys verified by Paramiko clients, as it only ever considered non-cert key types for that part of connection handshaking. This has been fixed.
  * PKey instances’ __eq__ did not have the usual safety guard in place to ensure they were being compared to another PKey object, causing occasional spurious BadHostKeyException (among other things). This has been fixed.
  * Update camelCase method calls against the threading module to be snake_case; this and related tweaks should fix some deprecation warnings under Python 3.10.
* Fri Apr 08 2022 pgajdos@suse.com
- do not require python-mock for build
* Fri Mar 18 2022 Michael Ströder
- Update to 2.10.3 (bsc#1197279, CVE-2022-24302)
  Too many changes to be listed here: https://www.paramiko.org/changelog.html
* Tue Oct 12 2021 ecsos
- Update to 2.8.0
  - [Feature] #1846: Add a prefetch keyword argument to SFTPClient.get/SFTPClient.getfo so users who need to skip SFTP prefetching are able to conditionally turn it off.
  - [Bug] #1462: (via #1882) Newer server-side key exchange algorithms not intended to use SHA1 (diffie-hellman-group14-sha256, diffie-hellman-group16-sha512) were incorrectly using SHA1 after all, due to a bug causing them to ignore the hash_algo class attribute. This has been corrected.
  - [Support] #1722: Remove leading whitespace from OpenSSH RSA test suite static key fixture, to conform better to spec.
  - [Support] #1727: Add missing test suite fixtures directory to MANIFEST.in, reinstating the ability to run Paramiko’s tests from an sdist tarball.
  - [Support]: Update our CI to catch issues with sdist generation, installation and testing.
  - [Support]: Administrivia overhaul, including but not limited to:
    - Migrate CI to CircleCI
    - Primary dev branch is now main (renamed)
    - Many README edits for clarity, modernization etc; including a bunch more (and consistent) status badges & unification with main project site index
    - PyPI page much more fleshed out (long_description is now filled in with the README; sidebar links expanded; etc)
    - flake8, pytest configs split out of setup.cfg into their own files
    - Invoke/invocations (used by maintainers/contributors) upgraded to modern versions
- Skip python2 to fix build errors for Leap.
- Rebase paramiko-pr1655-remove-pytest-relaxed.patch.
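The 3.4.0 entry above limits CVE-2023-48795 to encrypt-then-MAC digests paired with CBC ciphers, plus ChaCha20-poly1305, and says the fix only takes effect when both ends use strict kex. The following is an added example (not code from Paramiko or from this package) that parses two SSH_MSG_KEXINIT payloads and reports that exposure; the function names and sample payloads are constructed for illustration, and the strict-kex marker strings are the ones OpenSSH advertises.

```python
import struct

# Strict-kex markers advertised in the KEXINIT kex list by fixed peers (OpenSSH >= 9.6).
STRICT_C, STRICT_S = "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into its name-lists."""
    if len(payload) < 17 or payload[0] != 20:   # message type 20, then a 16-byte cookie
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        off += n
    return out

def terrapin_exposure(client_payload: bytes, server_payload: bytes) -> dict:
    """Report whether the negotiated algorithms fall in the set the changelog names."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    pick = lambda cl, sv: next((a for a in cl if a in sv), None)  # first client choice the server supports
    affected = []
    for d in ("c2s", "s2c"):
        enc, mac = pick(c["enc_" + d], s["enc_" + d]), pick(c["mac_" + d], s["mac_" + d])
        cbc_etm = bool(enc and mac) and enc.endswith("-cbc") and mac.endswith("-etm@openssh.com")
        if enc == "chacha20-poly1305@openssh.com" or cbc_etm:
            affected.append((d, enc, mac))
    strict = STRICT_C in c["kex"] and STRICT_S in s["kex"]  # both ends must cooperate
    return {"strict_kex": strict, "affected": affected, "exposed": bool(affected) and not strict}

def sample_kexinit(kex, enc, mac) -> bytes:
    """Build a constructed KEXINIT payload (zero cookie) for the demonstration."""
    lists = [kex, ["ssh-ed25519"], enc, enc, mac, mac, ["none"], ["none"], [], []]
    body = b"\x14" + bytes(16)
    for names in lists:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

if __name__ == "__main__":
    ETM = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
    old = sample_kexinit(["curve25519-sha256"], ["aes128-cbc", "aes128-ctr"], ETM)
    print(terrapin_exposure(old, old))
```

A session is reported as exposed only when an affected cipher/MAC pair is negotiated and at least one side does not advertise strict kex; reordering the client's cipher preference so a CTR or GCM mode wins clears the finding without strict kex.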