Changelog for python311-asyncssh-2.14.2-1.3.noarch.rpm:
* Mon Dec 18 2023 Dirk Müller
- update to 2.14.2 (bsc#1218165, CVE-2023-48795):
  * Implemented "strict kex" support and other countermeasures to protect against the Terrapin Attack described in CVE-2023-48795.
  * Fixed config parser to properly handle an optional equals delimiter in all config arguments.
  * Fixed TCP send error handling to avoid race condition when receiving incoming disconnect message.
  * Improved type signature in SSHConnection async context manager.

* Fri Nov 10 2023 Dirk Müller
- update to 2.14.1 (bsc#1217028, CVE-2023-46445):
  * Hardened AsyncSSH state machine against potential message injection attacks, described in more detail in CVE-2023-46445 and CVE-2023-46446.
  * Added support for passing in a regex in readuntil in SSHReader,
  * Added support for get_addresses() and get_port() methods on SSHAcceptor.
  * Fixed an issue with AsyncFileWriter potentially writing data out of order.
  * Updated testing to include Python 3.12.
  * Updated readthedocs integration to use YAML config file.

* Thu Oct 05 2023 Dirk Müller
- update to 2.14.0:
  * Added support for a new accept_handler argument when setting up local port forwarding, allowing the client host and port to be validated and/or logged for each new forwarded connection.
  * Added an option to disable expensive RSA private key checks when using OpenSSL 3.x. Functions that read private keys have been modified to include a new unsafe_skip_rsa_key_validation argument which can be used to avoid these additional checks, if you are loading keys from a trusted source.
  * Added host information into AsyncSSH exceptions when host key validation fails, and a few other improvements related to X.509 certificate validation errors.
  * Fixed a regression which prevented keys loaded into an SSH agent with a certificate from working correctly beginning in AsyncSSH after version 2.5.0.
  * Fixed an issue which was triggering an internal exception when shutting down server sessions with the line editor enabled which could cause some output to be lost on exit, especially when running on Windows.
  * Fixed a documentation error in SSHClientConnectionOptions and SSHServerConnectionOptions.

* Sat Jul 01 2023 Dirk Müller
- update to 2.13.2:
  * Fixed an issue with host-based authentication when using proxy_command, allowing it to be used if the caller explicitly specifies client_host.
  * Improved handling of signature algorithms for OpenSSH certificates so that RSA SHA-2 signatures will work with both older and newer versions of OpenSSH.
  * Worked around an issue with some Cisco SSH implementations generating invalid "ignore" packets.
  * Fixed unit tests to avoid errors when cryptography's version of OpenSSL disables support for SHA-1 signatures.
  * Fixed unit tests to avoid errors when the filesystem enforces that filenames be valid UTF-8 strings.
  * Added documentation about which config options apply when passing a string as a tunnel argument.

* Mon Mar 06 2023 Dirk Müller
- update to 2.13.1:
  * Updated type definitions for mypy 1.0.0, removing a dependency on implicit Optional types, and working around an issue that could trigger a mypy internal error.
  * Updated unit tests to avoid calculation of SHA-1 signatures, which are no longer allowed in cryptography 39.0.0.
- drop remove-sha1.patch (upstream)

* Wed Jan 25 2023 Daniel Garcia
- Add remove-sha1.patch to make it compatible with latest versions of cryptography gh#ronf/asyncssh@fae5a9e8baad

* Thu Jan 05 2023 Dirk Müller
- update to 2.13.0:
  * Updated testing and coverage to drop Python 3.6 and add Python 3.11.
  * Added new "recv_eof" option to not pass an EOF from a channel to a redirected target, allowing output from multiple SSH sessions to be sent and mixed with other direct output to that target.
  * Added new methods to make it easy to perform forwarding between TCP ports and UNIX domain sockets.
  * Added a workaround for a problem seen on a Huawei SFTP server where it sends an invalid combination of file attribute flags.
  * Fixed an issue with copying files to SFTP servers that don't support random access I/O.
  * Fixed an issue when requesting remote port forwarding on a dynamically allocated port.
  * Fixed an issue where readexactly could block indefinitely when a signal is delivered in the stream before the requested number of bytes are available.
  * Fixed an interoperability issue with OpenSSH when using SSH certificates with RSA keys with a SHA-2 signature.
  * Fixed an issue with handling "None" in ProxyCommand, GlobalKnownHostsFile, and UserKnownHostsFile config file options.

* Fri Sep 23 2022 Yogalakshmi Arunachalam
- Update to 2.12.0
  * Fix an issue with SFTP servers which don't support random access I/O
  * Fix "Recceived window change" in log message (#509)
  * Fix forwarding a dynamically allocated port in the server (#512)
  * Fix type of SSHServerProcessFactory
  * Bump version number up to 2.12.0 and update change log

* Thu Aug 04 2022 Otto Hollmann
- Update to 2.11.0:
  * Made a number of improvements in SFTP glob support, with thanks to Github user LuckyDams for all the help working out these changes!
  * Added a new glob_sftpname() method which returns glob matches together with attribute information, avoiding the need for a caller to make separate calls to stat() on the returned results.
  * Switched from listdir() to scandir() to reduce the number of stat() operations required while finding matches.
  * Added code to remove duplicates when glob() is called with multiple patterns that match the same path.
  * Added a cache of directory listing and stat results to improve performance when matching patterns with overlapping paths.
  * Fixed an "index out of range" bug in recursive glob matching and aligned it better with results returned by UNIX shells.
  * Changed matching to ignore inaccessible or non-existent paths in a glob pattern, to allow accessible paths to be fully explored before returning an error. The error handler will now be called only if a pattern results in no matches, or if a more serious error occurs while scanning.
  * Changed SFTP makedirs() method to work better in cases where parts of the requested path already exist but don't allow read access. As long as the entire path can be created, makedirs() will succeed, even if some directories on the path don't allow their contents to be read. Thanks go to Peter Rowlands for providing this fix.
  * Replaced custom Diffie Hellman implementation in AsyncSSH with the one in the cryptography package, resulting in an over 10x speedup. Thanks go to Github user iwanb for suggesting this change.
  * Fixed AsyncSSH to re-acquire GSS credentials when performing key renegotiation to avoid expired credentials on long-lived connections. Thanks go to Github user PromyLOPh for pointing out this issue and suggesting a fix.
  * Fixed GSS MIC to work properly with GSS key exchange when AsyncSSH is running as a server. This was previously fixed on the client side, but a similar fix for the server was missed.
  * Changed connection timeout unit tests to work better in environments where a firewall is present. Thanks go to Stefano Rivera for reporting this issue.
  * Improved unit tests of Windows SSPI GSSAPI module.
  * Improved speed of unit tests by reducing the number of key generation calls. RSA key generation in particular has gotten much more expensive in OpenSSL 3.
- Changes from 2.10.1:
  * Added a workaround for a bug in dropbear which can improperly reject full-sized data packets when compression is enabled. Thanks go to Matti Niemenmaa for reporting this issue and helping to reproduce it.
  * Added support for "Match Exec" in config files and updated AsyncSSH API calls to do config parsing in an executor to avoid blocking the event loop if a "Match Exec" command doesn't return immediately.
  * Fixed an issue where settings associated with server channels set when creating a listener rather than at the time a new channel is opened were not always being applied correctly.
  * Fixed config file handling to be more consistent with OpenSSH, making all relative paths be evaluated relative to ~/.ssh and allowing references to config file patterns which don't match anything to only trigger a debug message rather than an error. Thanks go to Caleb Ho for reporting this issue!
  * Updated minimum required version of cryptography package to 3.1, to allow calls to it to be made without passing in a "backend" argument. This was missed back in the 2.9 release. Thanks go to Github users sebby97 and JavaScriptDude for reporting this issue!
- Changes from 2.10.0:
  * Added new get_server_auth_methods() function which returns the set of auth methods available for a given user and SSH server.
  * Added support for new line_echo argument when creating a server channel which controls whether input in the line editor is echoed to the output immediately or under the control of the application, allowing more control over the ordering of input and output.
  * Added explicit support for RSA SHA-2 certificate algorithms. Previously SHA-2 signatures were supported using the original ssh-rsa-cert-v01@openssh.com algorithm name, but recent versions of SSH now disable this algorithm by default, so the new SHA-2 algorithm names need to be advertised for SHA-2 signatures to work when using OpenSSH certificates.
  * Improved handling of config file loading when the options argument is used, allowing config loading to be overridden at connect() time even if the options passed in referenced a config file.
  * Improved speed of unit tests by avoiding some network timeouts when connecting to invalid addresses.
  * Merged GitHub workflows contributed by GitHub user hexchain to run unit tests and collect code coverage information on multiple platforms and Python versions. Thanks so much for this work!
  * Fixed issue with GSS auth unit tests hanging on Windows.
  * Fixed issue with known_hosts matching when ProxyJump is being used. Thanks go to GitHub user velavokr for reporting this and helping to debug it.
  * Fixed type annotations for SFTP client and server open methods. Thanks go to Marat Sharafutdinov for reporting this!

* Mon Jan 31 2022 Steve Kowalik
- Skip more tests that are unstable.

* Fri Jan 28 2022 Matej Cepl
- Update to 2.9.0:
  - Added mypy-compatible type annotations to all AsyncSSH modules, and a "py.typed" file to signal that annotations are now available for this package.
  - Added experimental support for SFTP versions 4-6. While AsyncSSH still defaults to only advertising version 3 when acting as both a client and a server, applications can explicitly enable support for later versions, which will be used if both ends of the connection agree. Not all features are fully supported, but a number of useful enhancements are now available, including users and groups specified by name, higher resolution timestamps, and more granular error reporting.
  - Updated documentation to make it clear that keys from a PKCS11 provider or ssh-agent will be used even when client_keys is specified, unless those sources are explicitly disabled.
  - Improved handling of task cancellation in AsyncSSH to avoid triggering an error of "Future exception was never retrieved". Thanks go to Krzysztof Kotlenga for reporting this issue and providing test code to reliably reproduce it.
  - Changed implementation of OpenSSH keepalive handler to improve interoperability with servers which don't expect a "success" response when this message is sent.

* Fri Dec 17 2021 Michael Ströder
- Update to v2.8.1. Way too many changes to be listed here.
- use pytest to exclude test_connect_timeout_exceeded_ due to OBS network restrictions

* Fri Sep 17 2021 Dominique Leuenberger
- Do not build for python 3.6: the required dependency uvloop no longer supports Python 3.6 since version 0.16.

* Mon Feb 22 2021 John Vandenberg
- Update URL
- Add missing test dependencies fido2 and libnettle8
- Recommend libnettle8
- Update to v2.5.0
  * Added support for limiting which identities in an SSH agent will be used when making a connection, via a new "agent_identities" config option. This change also adds compatibility with the OpenSSL config file option "IdentitiesOnly".
  * Added support for including Subject Key Identifier and Authority Key Identifier extensions in generated X.509 certificates to better comply with RFC 5280.
  * Added support for makedirs() and rmtree() methods in the AsyncSSH SFTP client, as well as a new scandir() method which returns an async iterator to more efficiently process very large directories.
  * Significantly reworked AsyncSSH line editor support to improve its performance by several orders of magnitude on long input lines, and added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks. This limit defaults to 1024 bytes, but with the improvements it can reasonably handle lines which are megabytes in size if needed.
  * Changed AsyncSSH to allow SSH agent identities to still be used when an explicit list of client keys is specified, for better compatibility with OpenSSH. The previous behavior can still be achieved by explicitly setting the agent_path option to None when setting client_keys.
  * Changed AsyncSSH to enforce a limit of 1024 characters on usernames when acting as a server to avoid a potential denial-of-service issue related to SASLprep username normalization.
  * Changed SCP implementation to explicitly yield to other coroutines when sending a large file to better share an event loop.
  * Fixed a few potential race conditions related to cleanup of objects during connection close.
  * Re-applied a previous fix which was unintentionally lost to allow Pageant to be used by default on Windows.
- from v2.4.2
  * Fixed a potential race condition when receiving EOF right after a channel is opened.
  * Fixed a couple of issues related to the error_handler and progress_handler callbacks in AsyncSSH SFTP/SCP.
  * Fixed a couple of issues related to using pathlib objects with AsyncSSH SCP.
- from v2.4.1
  * Fixed SCP server to send back an exit status when closing the SSH channel, since the OpenSSH scp client returns this status to the shell which executed it.
  * Fixed listeners created by forward_local_port(), forward_local_path(), and forward_socks() to automatically close when the SSH connection closes, unblocking any wait_closed() calls which are in progress.
  * Fixed a potential exception that could trigger when the SSH connection is closed while authentication is in progress.
  * Fixed tunnel connect code to properly clean up an implicitly created tunnel when a failure occurs in trying to open a connection over that tunnel.
- from v2.4.0
  * Added support for accessing keys through a PKCS#11 provider, allowing keys on PIV security tokens to be used directly by AsyncSSH without the need to run an SSH agent. X.509 certificates can also be retrieved from the security token and used with SSH servers which support that.
  * Added support for using Ed25519 and Ed448 keys in X.509 certificates, and the corresponding SSH certificate and signature algorithms. Certificates can use these keys as either subject keys or signing keys, and certificates can be generated by either AsyncSSH or by OpenSSL version 1.1.1 or later.
  * Added support for feed_data() and feed_eof() methods in SSHReader, mirroring methods of the same name in asyncio's StreamReader to improve interoperability between the two APIs.
  * Updated unit tests to test interoperability with OpenSSL 1.1.1 when reading and writing Ed25519 and Ed448 public and private key files. Previously, due to lack of support in OpenSSL, AsyncSSH could only test against OpenSSH, and only in OpenSSH key formats. With OpenSSL 1.1.1, testing is now also done using PKCS#8 format.
  * Fixed config file parser to properly ignore all comment lines, even if the lines contain unbalanced quotes.
  * Removed a note about the lack of a timeout parameter in the AsyncSSH connect() method, now that it supports a login_timeout argument.