diff options
| author | Jeff Forcier <jeff@bitprophet.org> | 2018-09-18 19:59:28 -0700 |
|---|---|---|
| committer | Jeff Forcier <jeff@bitprophet.org> | 2018-09-18 19:59:28 -0700 |
| commit | 3ae4971b5f85144ef5899c3d1fb0a4c1b350ee3e (patch) | |
| tree | 766674b071ad07d2ee4c1940354ad906304d0d85 /sites | |
| parent | 1157252f8c4e94d5aebad02a620c6abf983055e1 (diff) | |
| parent | 56c96a659658acdbb873aef8809a7b508434dcce (diff) | |
Merge branch '2.0' into 2.1
Diffstat (limited to 'sites')
| -rw-r--r-- | sites/www/changelog.rst | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index b50c22cc..5a13957d 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,23 @@ Changelog ========= +- :bug:`-` Modify protocol message handling such that ``Transport`` does not + respond to ``MSG_UNIMPLEMENTED`` with its own ``MSG_UNIMPLEMENTED`` message. + This behavior probably didn't cause any outright errors, but it doesn't seem + to conform to the RFCs and could cause (non-infinite) feedback loops in some + scenarios (usually those involving Paramiko on both ends). +- :bug:`1283 (1.17+)` Fix exploit (CVE pending) in Paramiko's server mode + (**not** client mode) where hostile clients could trick the server into + thinking they were authenticated without actually submitting valid + authentication. + + Specifically, steps have been taken to start separating client and server + related message types in the message handling tables within ``Transport`` and + ``AuthHandler``; this work is not complete but enough has been performed to + close off this particular exploit (which was the only obvious such exploit + for this particular channel). + + Thanks to Daniel Hoffman for the detailed report. - :support:`1292 backported` Backport changes from :issue:`979` (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography |