Commit 42af7d01 authored by Javier Marcet

python3-paramiko: update to version 3.4.0
 - [Feature]: Transport grew a new packetizer_class kwarg for
 overriding the packet-handler class used internally. Mostly for
 testing, but advanced users may find this useful when doing deep
 hacks.

 - [Bug]: Tweak ext-info-(c|s) detection during KEXINIT protocol
 phase; the original implementation made assumptions based on an
 OpenSSH implementation detail.

 - [Bug]: Address CVE 2023-48795 (aka the “Terrapin Attack”, a
 vulnerability found in the SSH protocol re: treatment of packet
 sequence numbers) as follows:

   - The vulnerability only impacts encrypt-then-MAC digest
   algorithms in tandem with CBC ciphers, and ChaCha20-poly1305;
   of these, Paramiko currently only implements
   hmac-sha2-(256|512)-etm in tandem with AES-CBC. If you are
   unable to upgrade to Paramiko versions containing the below
   fixes right away, you may instead use the disabled_algorithms
   connection option to disable the ETM MACs and/or the CBC
   ciphers (this option is present in Paramiko >=2.6).

   - As the fix for the vulnerability requires both ends of the
   connection to cooperate, the below changes will only take effect
   when the remote end is OpenSSH >= 9.6 (or equivalent, such as
   Paramiko in server mode, as of this patch version) and configured
   to use the new “strict kex” mode. Paramiko will always attempt to
   use “strict kex” mode if offered by the server, unless you
   override this by specifying strict_kex=False in Transport.__init__.

   - Paramiko will now raise an SSHException subclass
   (MessageOrderError) when protocol messages are received in
   unexpected order. This includes situations like receiving MSG_DEBUG
   or MSG_IGNORE during initial key exchange, which are no longer
   allowed during strict mode.

   - Key (re)negotiation – i.e. MSG_NEWKEYS, whenever it is
   encountered – now resets packet sequence numbers. (This should be
   invisible to users during normal operation, only causing exceptions
   if the exploit is encountered, which will usually result in, again,
   MessageOrderError.)

   - Sequence number rollover will now raise SSHException if it occurs
   during initial key exchange (regardless of strict mode status).

Signed-off-by: Javier Marcet <javier@marcet.info>
parent 7c3d31c1
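An added example, not code from this commit or from Paramiko itself, of a client-side audit of the conditions the message above describes: it flags the Terrapin-affected cipher/MAC combinations a peer advertises (going beyond the page by also flagging ChaCha20-Poly1305, which Paramiko does not implement), checks whether the peer advertises strict kex, and builds the `disabled_algorithms` workaround recommended for clients that cannot upgrade yet. The sample KEXINIT lists are constructed, and the strict-kex marker names are assumed from OpenSSH's protocol documentation rather than taken from this commit.

```python
from typing import Dict, List, Optional, Tuple

# Strict-kex marker "algorithms" that OpenSSH >= 9.6 advertises in its KEXINIT
# kex list (server side ends in -s, client side in -c). Assumed from the
# OpenSSH PROTOCOL document, not taken from the commit above.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"

# The combinations the commit message names as affected by CVE-2023-48795.
ETM_MACS = ("hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com")
CBC_CIPHERS = ("aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc")
CHACHA20 = "chacha20-poly1305@openssh.com"

def vulnerable_pairs(ciphers: List[str], macs: List[str]) -> List[Tuple[str, Optional[str]]]:
    """(cipher, mac) combinations a peer offers that Terrapin applies to:
    any CBC cipher together with an ETM MAC, and ChaCha20-Poly1305 on its own
    (it is an AEAD cipher, so the MAC column is None)."""
    pairs: List[Tuple[str, Optional[str]]] = []
    for cipher in ciphers:
        if cipher == CHACHA20:
            pairs.append((cipher, None))
        elif cipher in CBC_CIPHERS:
            pairs.extend((cipher, mac) for mac in macs if mac in ETM_MACS)
    return pairs

def peer_offers_strict_kex(kex: List[str], peer_is_server: bool = True) -> bool:
    """True if the peer's kex list carries the strict-kex marker, i.e. the
    sequence-number reset described in the commit can actually be negotiated."""
    marker = STRICT_KEX_SERVER if peer_is_server else STRICT_KEX_CLIENT
    return marker in kex

def terrapin_workaround() -> Dict[str, List[str]]:
    """Value for the `disabled_algorithms` option (Paramiko >= 2.6) that removes
    the ETM MACs and CBC ciphers, so no affected combination can be negotiated
    by a client that cannot yet upgrade to 3.4.0."""
    return {"macs": list(ETM_MACS), "ciphers": list(CBC_CIPHERS)}

# Constructed sample KEXINIT contents for a hypothetical server (not a capture).
SAMPLE_KEX = ["curve25519-sha256", STRICT_KEX_SERVER]
SAMPLE_CIPHERS = ["aes256-gcm@openssh.com", "aes256-cbc", CHACHA20]
SAMPLE_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]

if __name__ == "__main__":
    print("affected combinations:", vulnerable_pairs(SAMPLE_CIPHERS, SAMPLE_MACS))
    print("server offers strict kex:", peer_offers_strict_kex(SAMPLE_KEX))
    # A client would pass the workaround as, e.g.:
    # paramiko.SSHClient().connect(host, disabled_algorithms=terrapin_workaround())
```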