RedHat has issued an advisory on March 26: https://access.redhat.com/errata/RHSA-2018:0591 The issue is fixed upstream in 2.0.8. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the Python stack maintainers, CC'ing the registered maintainer.
Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11
openSUSE and Fedora have issued advisories for this on March 24 and 30:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00089.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LARLVBNA4RSS6S3OV3KVS5PZKZPSW6O5/
Cauldron has 2.0.8 and mga6 too; it seems that shlomif is taking care of this one.
Hmm, I never saw these on pkgsubmit. This is the second time this has happened recently.

Advisory:
========================

Updated python-paramiko packages fix security vulnerability:

A flaw was found in the implementation of `transport.py` in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step (CVE-2018-7750).

This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7750
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LARLVBNA4RSS6S3OV3KVS5PZKZPSW6O5/
========================

Updated packages in core/updates_testing:
========================

python-paramiko-2.0.8-1.mga6
python3-paramiko-2.0.8-1.mga6

from python-paramiko-2.0.8-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: python => qa-bugs
Version: Cauldron => 6
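A simplified model, added here and not paramiko's own code, of the server-side gate the advisory describes: an SSH server message loop that either dispatches post-authentication requests regardless of state (the pre-2.0.8 behaviour) or refuses them until userauth has completed. The message numbers are from RFC 4250; the session class, handler names, reply strings and password are constructed for this example.

```python
# Toy model of the CVE-2018-7750 bug class (added example, not paramiko's transport.py):
# the server must not act on post-auth message types before authentication completes.

MSG_SERVICE_REQUEST = 5     # RFC 4250 message numbers
MSG_USERAUTH_REQUEST = 50
MSG_GLOBAL_REQUEST = 80
MSG_CHANNEL_OPEN = 90

# Message types a server may legitimately process before the client has authenticated.
PRE_AUTH_ALLOWED = {MSG_SERVICE_REQUEST, MSG_USERAUTH_REQUEST}


class ServerSession:
    def __init__(self, valid_password, enforce_auth):
        self.valid_password = valid_password
        self.enforce_auth = enforce_auth      # False models the unpatched behaviour
        self.authenticated = False
        self.log = []                         # what the server actually acted on

    def _userauth(self, payload):
        self.authenticated = payload.get("password") == self.valid_password
        return "auth-ok" if self.authenticated else "auth-failed"

    def _channel_open(self, payload):
        self.log.append(("channel", payload.get("kind")))
        return "channel-opened"

    def _global_request(self, payload):
        self.log.append(("global", payload.get("name")))
        return "global-ok"

    def handle(self, ptype, payload):
        handlers = {
            MSG_USERAUTH_REQUEST: self._userauth,
            MSG_CHANNEL_OPEN: self._channel_open,
            MSG_GLOBAL_REQUEST: self._global_request,
        }
        # Hardened path: anything outside the pre-auth set is refused until authenticated.
        if self.enforce_auth and not self.authenticated and ptype not in PRE_AUTH_ALLOWED:
            self.log.append(("rejected", ptype))
            return "rejected-unauthenticated"
        handler = handlers.get(ptype)
        return handler(payload) if handler else "unimplemented"


def run_trace(enforce_auth, messages):
    """Feed a constructed client message sequence through one session; return the replies."""
    session = ServerSession(valid_password="correct horse", enforce_auth=enforce_auth)
    return [session.handle(ptype, payload) for ptype, payload in messages]


# Constructed trace: the client never sends MSG_USERAUTH_REQUEST and goes straight to
# opening a session channel, which is the sequence the advisory describes.
SKIP_AUTH = [(MSG_CHANNEL_OPEN, {"kind": "session"})]
```

With `enforce_auth=False` the skip-auth trace yields an opened channel; with the gate enabled it is rejected, and only a trace that authenticates first gets through.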
Background for starters

python-paramiko : SSH2 protocol for Python

$ urpmq --whatrequires python-paramiko | uniq
ansible : SH-based configuration management, deployment, and task execution system
bzrtools : A collection of utilities and plugins for Bazaar-NG (= bzr: Next-generation distributed version control)
cloud-utils : Cloud image management utilities
duplicity : see https://bugs.mageia.org/show_bug.cgi?id=20249
fwbackups : Feature-rich user backup program [Easiest?]
mysql-workbench : A MySQL visual database modeling, administration, development and migration tool
noethys : Software to handle "multi activity" centers
patator : Multi-purpose brute-forcer
python-x2go : A client-side X2go API for the Python programming language
reviewboard : Web-based code review tool

Plenty of choice! No PoC. The references talk about SSH2, so having that looks rather necessary.
Keywords: (none) => advisory
Thanks for the pointers Lewis. Testing this as soon as.
CC: (none) => tarazed25
Mageia 6, x86_64

This report is a bit lengthy - please bear with me.

$ rpm -qa | grep ssh2
lib64ssh2-devel-1.7.0-2.mga6
lib64ssh2_1-1.7.0-2.mga6
$ rpm -q python-paramiko
python-paramiko-2.0.0-1.mga6

duplicity, python-x2go and fwbackups installed.

Using python-x2go requires some x2go infrastructure including PyHoca-GUI, PyHoca-CLI and probably an x2go client/server setup, so it would be best (aka easier) to follow the comment 5 suggestion and run backup software to test this.

The packages updated cleanly.

Although there are 57 packages on this machine which require python3 they do not include any of those listed in comment 5. Furthermore
$ urpmq --whatrequires-recursive python3-paramiko
returns only python3-paramiko. For instance,
$ urpmq --requires-recursive duplicity
mentions only python/python2 packages. Hence we can assume that the following tests apply only to python-paramiko. The python3 version is in place for whenever (if ever) python2.7 is dropped. Everything is installed under /usr/lib/python3.5/site-packages/paramiko/. It includes an extra subdirectory __pycache__ not seen under /usr/lib/python2.7...

Functionality test using duplicity
==================================

duplicity backs up directories using encrypted tar files. Referred to the Ubuntu documentation for duplicity/ftp at https://help.ubuntu.com/community/DuplicityBackupHowto

Created a backup script:

export PASSPHRASE=itztuff4anewbie
duplicity /home/lcl/ruby scp://lcl:1ciaroltur@vega//data
unset PASSPHRASE

$ ./paramiko.sh
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1523663523.94 (Sat Apr 14 00:52:03 2018)
EndTime 1523663526.07 (Sat Apr 14 00:52:06 2018)
ElapsedTime 2.13 (2.13 seconds)
SourceFiles 2197
SourceFileSize 61492839 (58.6 MB)
NewFiles 2197
NewFileSize 61492839 (58.6 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 2197
RawDeltaSize 60628525 (57.8 MB)
TotalDestinationSizeChange 27165839 (25.9 MB)
Errors 0
-------------------------------------------------

Recovered an individual file from the remote backup using the passphrase originally set in the paramiko.sh script:

$ duplicity --file-to-restore musica/simpler.rb scp://lcl:1ciaroltur@vega//data tmp/simpler.rb
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Apr 14 00:52:03 2018
GnuPG passphrase:
[lcl@difda ~]$ ll tmp/simpler.rb
-rwxr-xr-x 1 lcl lcl 26086 Oct 10 2016 tmp/simpler.rb*
[lcl@difda ~]$ ll ruby/musica/simpler.rb
-rwxr-xr-x 1 lcl lcl 26086 Oct 10 2016 ruby/musica/simpler.rb*

$ du -hs ruby
65M ruby

Backup directory ruby to a local data disk.

$ duplicity /home/lcl/ruby file:///data/backups
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
GnuPG passphrase:
Retype passphrase to confirm:
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1523660652.57 (Sat Apr 14 00:04:12 2018)
EndTime 1523660654.69 (Sat Apr 14 00:04:14 2018)
ElapsedTime 2.12 (2.12 seconds)
SourceFiles 2197
SourceFileSize 61492839 (58.6 MB)
NewFiles 2197
NewFileSize 61492839 (58.6 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 2197
RawDeltaSize 60628525 (57.8 MB)
TotalDestinationSizeChange 27165835 (25.9 MB)
Errors 0
-------------------------------------------------

Logged in remotely to machine 'vega' and checked the /data directory.

$ ssh lcl@vega
Password:
[lcl@vega ~]$ ls /data/duplicity*
duplicity-full.20180413T235203Z.manifest.gpg
duplicity-full.20180413T235203Z.vol1.difftar.gpg
duplicity-full-signatures.20180413T235203Z.sigtar.gpg

$ ll /data/backups/
total 27572
-rw------- 1 lcl lcl 11373 Apr 14 00:04 duplicity-full.20180413T230256Z.manifest.gpg
-rw------- 1 lcl lcl 27165835 Apr 14 00:04 duplicity-full.20180413T230256Z.vol1.difftar.gpg
-rw------- 1 lcl lcl 1052530 Apr 14 00:04 duplicity-full-signatures.20180413T230256Z.sigtar.gpg

$ duplicity verify file:///data/backups ruby
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Apr 14 00:02:56 2018
GnuPG passphrase:
Verify complete: 2197 files compared, 0 differences found.

The following outputs a long list of files - displaying the tail end.

$ duplicity list-current-files file:///data/backups
...............................
Thu Aug 15 19:50:55 2013 weather/wed.rb
Tue Jul 23 22:28:38 2013 weather/wv.old
Wed May 20 09:58:38 2015 weather/wv.rb
Wed May 20 09:58:38 2015 weather/wv.rb~
Sun Feb 1 10:21:15 2009 weather/wv.tcl
Thu Jul 25 10:54:08 2013 weather/wv_rgb.rb
Wed May 20 09:50:30 2015 weather/wvtest.rb~
Wed Jan 28 13:04:47 2015 whisper.rb
Fri Jul 8 17:25:31 2016 wrap.rb
Mon Aug 23 11:16:54 2010 xosd
Mon Aug 23 11:16:54 2010 xosd/test.rb
$ duplicity list-current-files file:///data/backups | wc -l
2199

Don't know why there are more files there than quoted earlier (2157).

Recover an individual file from the backup.

$ duplicity --file-to-restore musica/simpler.rb file:///data/backups /tmp/simpler.rb
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Apr 14 00:02:56 2018
GnuPG passphrase:
$ ll /tmp/simpler.rb
-rwxr-xr-x 1 lcl lcl 26086 Oct 10 2016 /tmp/simpler.rb*

Dated backups not tested - that involves using a switch of the form '-t nD'. Example: '-t 4D' for the backup created four days ago.

Reckon this is OK.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0204.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED