Bug 30193 - python-paramiko new security issue CVE-2022-24302
Summary: python-paramiko new security issue CVE-2022-24302
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-21 21:45 CET by David Walser
Modified: 2022-04-09 23:21 CEST (History)
6 users

See Also:
Source RPM: python-paramiko-2.7.2-1.mga8.src.rpm
CVE: CVE-2022-24302
Status comment:



Description David Walser 2022-03-21 21:45:24 CET
Debian-LTS has issued an advisory today (March 21):
https://www.debian.org/lts/security/2022/dla-2959

The issue is fixed upstream in 2.10.1.

Mageia 8 is also affected.
David Walser 2022-03-21 21:45:35 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.10.1

Comment 1 Lewis Smith 2022-03-22 20:52:59 CET
Many different people have maintained this, so have to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-03-23 15:49:51 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. (CVE-2022-24302)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24302
https://www.debian.org/lts/security/2022/dla-2959
========================

Updated package in core/updates_testing:
========================
python3-paramiko-2.7.2-1.1.mga8

from SRPM:
python-paramiko-2.7.2-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Source RPM: python-paramiko-2.7.2-3.mga9.src.rpm => python-paramiko-2.7.2-1.mga8.src.rpm
CVE: (none) => CVE-2022-24302
Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.10.1 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
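
The race described in the suggested advisory above, as an added illustration that is not paramiko's own code: the create-then-chmod pattern that leaves a private key world-readable for a moment, beside the hardened form that applies the restrictive mode at creation. It assumes a POSIX system; the `during_window` hook and the key material are constructed for this example so the interim mode can be observed without racing a second thread.

```python
import os
import stat
import tempfile

KEY_MODE = 0o600  # owner read/write only: what a private key file must have

def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)  # permission bits, e.g. 0o644

def write_key_vulnerable(path, data, during_window=None):
    """Create-then-chmod pattern behind CVE-2022-24302: open() creates the file as
    0o666 & ~umask (commonly 0o644) and only the later chmod() narrows it.
    `during_window` is a hook constructed for this example so the window can be
    observed deterministically instead of racing a second thread."""
    with open(path, "w") as f:
        f.write(data)
        if during_window is not None:
            during_window(path)
    os.chmod(path, KEY_MODE)

def write_key_safe(path, data):
    """Hardened form: restrictive mode applied at creation, so there is no window.
    os.open()'s mode only applies to a newly created file, so fchmod() on the
    descriptor also fixes a pre-existing file without a path-based race."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, KEY_MODE)
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), KEY_MODE)
        f.write(data)

def demo(umask=0o022):
    """Write a constructed fake key both ways under `umask`; return modes seen."""
    seen = {}
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "id_demo")
            record = lambda p: seen.update(vulnerable_during_window=file_mode(p))
            write_key_vulnerable(path, "FAKE KEY MATERIAL\n", during_window=record)
            seen["vulnerable_after_chmod"] = file_mode(path)
            os.unlink(path)
            write_key_safe(path, "FAKE KEY MATERIAL\n")
            seen["safe"] = file_mode(path)
    finally:
        os.umask(old_umask)
    return seen

if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:#o}")  # vulnerable_during_window: 0o644, others 0o600
```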

Comment 3 Herman Viaene 2022-03-26 15:12:27 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 25904 for testing, but I have no idea (well, only a little) what this is about. Leaving for others.

CC: (none) => herman.viaene

Comment 4 David Walser 2022-03-29 00:43:26 CEST
Ubuntu has issued an advisory for this today (March 28):
https://ubuntu.com/security/notices/USN-5351-1
Comment 5 David Walser 2022-03-29 01:42:42 CEST
Fedora has issued an advisory for this on March 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U63MJ2VOLLQ35R7CYNREUHSXYLWNPVSB/
Comment 6 Len Lawrence 2022-04-08 20:21:32 CEST
mga8, x64

Installed python-paramiko before updating.  That dragged in a lot of extra packages.  Found a script at stackoverflow which exercises python-paramiko.  Modified it for local use and tried to run it.  It is supposed to run a couple of commands on a machine elsewhere on the LAN but I could not get past the passphrase stage for SSL - forgotten what it was but accepted that the script was working as far as paramiko is concerned and backed out.

After updating I tried out duplicity, one of the few applications which use paramiko.  Not sure if I was running it correctly but it appeared to be performing a direct backup (file copies).  Ran the restore command under strace for a subdirectory of the data.
In both cases the user has to enter the passphrase for the key - it seems to use the GNOME keyring - .gpg files.

$ duplicity full /data/images file:///run/media/lcl/gemma/
$ strace -o duplicity.trace duplicity restore Bournemouth file:///run/media/lcl/gemma/images
$ grep paramiko duplicity.trace
stat("/usr/lib64/python3.8/site-packages/duplicity/backends/ssh_paramiko_backend.py", {st_mode=S_IFREG|0644, st_size=19122, ...}) = 0
stat("/usr/lib64/python3.8/site-packages/duplicity/backends/ssh_paramiko_backend.py", {st_mode=S_IFREG|0644, st_size=19122, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/duplicity/backends/__pycache__/ssh_paramiko_backend.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 3

That is as far as I can take this - all a bit above my pay grade.
Giving it an OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2022-04-09 00:15:22 CEST
A good effort, guys.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-09 19:54:48 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-04-09 23:21:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0132.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

