author Jeff Forcier <jeff@bitprophet.org> 2018-03-12 17:30:59 -0700
committer Jeff Forcier <jeff@bitprophet.org> 2018-03-12 17:30:59 -0700
commit 493a60d54b40f51e165fe75ab8b6935f15e98f1a (patch)
tree ea1b54a4b2c4a53059a10859d8cdbd81ef69f503 /sites/www
parent 9af068b55d123149a62aabf59e42465295c37e72 (diff)
parent aefd28a7f00c4250d113d375e96abf5da3eb89f9 (diff)
Merge branch '2.0' into 2.1
Diffstat (limited to 'sites/www')
-rw-r--r-- sites/www/changelog.rst 5
1 files changed, 5 insertions, 0 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 73085451..97d1b492 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,11 @@
Changelog
=========
+* :bug:`1175 (1.17+)` Fix a security flaw (CVE-2018-7750) in Paramiko's server
+ mode (emphasis on **server** mode; this does **not** impact *client* use!)
+ where authentication status was not checked before processing channel-open
+ and other requests typically only sent after authenticating. Big thanks to
+ Matthijs Kooijman for the report.
* :bug:`1108 (1.17+)` Rename a private method keyword argument (which was named
``async``) so that we're compatible with the upcoming Python 3.7 release
(where ``async`` is a new keyword.) Thanks to ``@vEpiphyte`` for the report.
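Review bot: the added CVE-2018-7750 entry describes the affected surface only as "channel-open and other requests typically only sent after authenticating", which leaves a server-mode operator unable to tell from the changelog which request types were processed without an authentication check. Consider naming those request types or pointing to where they are listed, so that anyone auditing a Paramiko-based server knows what to look for in logs from before the upgrade. The parenthetical "(emphasis on **server** mode; this does **not** impact *client* use!)" also splits the sentence between "server mode" and "where authentication status was not checked"; moving the client-impact statement into its own sentence after the description would make the scope easier to read. Since the entry is filed under the same `:bug:` role as the keyword rename below it, it may be worth stating explicitly in the text that server-mode users should upgrade.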