python3-paramiko: update to version 3.4.0

- [Feature]: Transport grew a new packetizer_class kwarg for
 overriding the packet-handler class used internally. Mostly for
 testing, but advanced users may find this useful when doing deep
 hacks.

- [Bug]: Tweak ext-info-(c|s) detection during KEXINIT protocol
 phase; the original implementation made assumptions based on an
 OpenSSH implementation detail.

- [Bug]: Address CVE-2023-48795 (aka the “Terrapin Attack”, a
 vulnerability found in the SSH protocol re: treatment of packet
 sequence numbers) as follows:

   - The vulnerability only impacts encrypt-then-MAC digest
   algorithms in tandem with CBC ciphers, and ChaCha20-poly1305;
   of these, Paramiko currently only implements
   hmac-sha2-(256|512)-etm in tandem with AES-CBC. If you are
   unable to upgrade to Paramiko versions containing the below
   fixes right away, you may instead use the disabled_algorithms
   connection option to disable the ETM MACs and/or the CBC
   ciphers (this option is present in Paramiko >=2.6).

   - As the fix for the vulnerability requires both ends of the
   connection to cooperate, the below changes will only take effect
   when the remote end is OpenSSH >= 9.6 (or equivalent, such as
   Paramiko in server mode, as of this patch version) and configured
   to use the new “strict kex” mode. Paramiko will always attempt to
   use “strict kex” mode if offered by the server, unless you
   override this by specifying strict_kex=False in Transport.__init__.

   - Paramiko will now raise an SSHException subclass
   (MessageOrderError) when protocol messages are received in
   unexpected order. This includes situations like receiving MSG_DEBUG
   or MSG_IGNORE during initial key exchange, which are no longer
   allowed during strict mode.

   - Key (re)negotiation – i.e. MSG_NEWKEYS, whenever it is
   encountered – now resets packet sequence numbers. (This should be
   invisible to users during normal operation, only causing exceptions
   if the exploit is encountered, which will usually result in, again,
   MessageOrderError.)

   - Sequence number rollover will now raise SSHException if it occurs
   during initial key exchange (regardless of strict mode status).

Signed-off-by: Javier Marcet <javier@marcet.info>
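The interim mitigation the changelog describes (disabling the ETM MACs and CBC ciphers through the disabled_algorithms option when Paramiko 3.4.0 cannot be installed yet), as an added Python example that is neither part of this commit nor Paramiko's own code. The CBC cipher names are an assumed list of what Paramiko offers, and the strict_kex argument stands for "both ends agreed strict kex"; the mapping keys "ciphers" and "macs" are the ones Paramiko's disabled_algorithms accepts.

```python
"""Helpers around the Terrapin (CVE-2023-48795) mitigation for Paramiko.

Added example, not code from the package commit or from Paramiko.
"""
from __future__ import annotations

# ETM MACs Paramiko implements (per the changelog) and the CBC ciphers
# they must not be paired with.  The cipher list is an assumption about
# what a given Paramiko version offers; adjust it to your deployment.
ETM_MACS = ("hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com")
CBC_CIPHERS = ("aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc")
CHACHA = "chacha20-poly1305@openssh.com"
FIXED_VERSION = (3, 4, 0)  # first Paramiko release carrying the fix


def needs_workaround(paramiko_version: str) -> bool:
    """True when the installed Paramiko predates 3.4.0 and should fall
    back to disabled_algorithms (available in Paramiko >= 2.6)."""
    parts = tuple(int(p) for p in paramiko_version.split(".")[:3])
    return parts < FIXED_VERSION


def terrapin_disabled_algorithms() -> dict[str, list[str]]:
    """Value for the ``disabled_algorithms`` kwarg of SSHClient.connect()
    or Transport(): drop every ETM MAC and every CBC cipher so the affected
    combination can never be negotiated."""
    return {"ciphers": list(CBC_CIPHERS), "macs": list(ETM_MACS)}


def is_terrapin_exposed(cipher: str, mac: str, strict_kex: bool) -> bool:
    """Classify a negotiated cipher/MAC pair using the changelog's criteria:
    an ETM MAC together with a CBC cipher, or chacha20-poly1305, is
    affected unless both peers agreed to strict kex (the 3.4.0 fix)."""
    if strict_kex:
        return False
    if cipher == CHACHA:
        return True
    return cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com")
```

Pass the result of terrapin_disabled_algorithms() as the disabled_algorithms argument when needs_workaround() is true; once on 3.4.0, prefer leaving strict_kex at its default so strict mode is used whenever the server offers it.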
Javier Marcet 2024-01-01 12:11:34 +01:00
parent d26e7f31de
commit 9a586e465f
1 changed files with 2 additions and 2 deletions

@ -1,11 +1,11 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-paramiko
PKG_VERSION:=3.3.1
PKG_VERSION:=3.4.0
PKG_RELEASE:=1
PYPI_NAME:=paramiko
PKG_HASH:=6a3777a961ac86dbef375c5f5b8d50014a1a96d0fd7f054a43bc880134b0ff77
PKG_HASH:=aac08f26a31dc4dffd92821527d1682d99d52f9ef6851968114a8728f3c274d3
PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>
PKG_LICENSE:=LGPL-2.1-or-later
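Review bot: PKG_HASH is replaced in the same hunk as the PKG_VERSION bump, which is the right pairing, but the new value should be checked against the upstream paramiko 3.4.0 source checksum before merge rather than taken on trust from the commit; a wrong hash breaks the build, and a hash copied from the wrong artifact defeats the point of pinning it. Since the subject line only reads "update to version 3.4.0", consider naming CVE-2023-48795 in the title or adding a Fixes trailer so the security relevance of this bump is visible in the log and in release notes.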