Changelog for python-paramiko-doc-2.12.0-3.el9.noarch.rpm:
* Thu Sep 19 2024 Paul Howarth - 2.12.0-3
- Add support for AES-GCM ciphers (rhbz#2311864)
- Remove cache Sphinx build folder ".doctrees"
* Fri Dec 29 2023 Paul Howarth - 2.12.0-2
- Address CVE 2023-48795 (a.k.a. the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows:
  - The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements ``hmac-sha2-(256|512)-etm`` in tandem with 'AES-CBC'
  - As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH ≥ 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode
  - Paramiko will always attempt to use "strict kex" mode if offered by the server, unless you override this by specifying 'strict_kex=False' in 'Transport.__init__'
  - Paramiko will now raise an 'SSHException' subclass ('MessageOrderError') when protocol messages are received in unexpected order; this includes situations like receiving 'MSG_DEBUG' or 'MSG_IGNORE' during initial key exchange, which are no longer allowed during strict mode
  - Key (re)negotiation, i.e. 'MSG_NEWKEYS', whenever it is encountered, now resets packet sequence numbers (this should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, 'MessageOrderError')
  - Sequence number rollover will now raise 'SSHException' if it occurs during initial key exchange (regardless of strict mode status)
- Tweak 'ext-info-(c|s)' detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail
- 'Transport' grew a new 'packetizer_class' kwarg for overriding the packet-handler class used internally; this is mostly for testing, but advanced users may find this useful when doing deep hacks
- A handful of lower-level classes (notably 'paramiko.message.Message' and 'paramiko.pkey.PKey') previously returned 'bytes' objects from their implementation of '__str__', even under Python 3, and there was never any '__bytes__' method; these issues have been fixed by renaming '__str__' to '__bytes__' and relying on Python's default "stringification returns the output of '__repr__'" behavior re: any real attempts to 'str()' such objects
* Sun Nov 06 2022 Paul Howarth - 2.12.0-1
- Update to 2.12.0 (rhbz#2140281)
  - Add a 'transport_factory' kwarg to 'SSHClient.connect' for advanced users to gain more control over early Transport setup and manipulation (GH#2054, GH#2125)
  - Update '~paramiko.client.SSHClient' so it explicitly closes its wrapped socket object upon encountering socket errors at connection time; this should help somewhat with certain classes of memory leaks, resource warnings, and/or errors (though we hasten to remind everyone that Client and Transport have their own '.close()' methods for use in non-error situations!) (GH#1822)
  - Raise '~paramiko.ssh_exception.SSHException' explicitly when blank private key data is loaded, instead of the natural result of 'IndexError'; this should help more bits of Paramiko or Paramiko-adjacent codebases to correctly handle this class of error (GH#1599, GH#1637)
- Use SPDX-format license tag