author Jeff Forcier <jeff@bitprophet.org> 2018-03-12 17:31:35 -0700
committer Jeff Forcier <jeff@bitprophet.org> 2018-03-12 17:31:35 -0700
commit 06c21e35a0ee6b637fb0f6ca09aed6b2a9d71e57 (patch)
tree 281dd66ab176a4d59db0c3aaa2ae83701cef50a4 /sites
parent 11a5ccf2f0856aaaf58318441d0db261694de0b2 (diff)
parent fe7e3036def7df35b3e1207fceb19ce742354eb3 (diff)
Merge branch '2.4'
Diffstat (limited to 'sites')
-rw-r--r-- sites/www/changelog.rst 5
1 files changed, 5 insertions, 0 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 3faf7d0e..3672e532 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,11 @@
Changelog
=========
+* :bug:`1175 (1.17+)` Fix a security flaw (CVE-2018-7750) in Paramiko's server
+ mode (emphasis on **server** mode; this does **not** impact *client* use!)
+ where authentication status was not checked before processing channel-open
+ and other requests typically only sent after authenticating. Big thanks to
+ Matthijs Kooijman for the report.
* :bug:`1168` Add newer key classes for Ed25519 and ECDSA to
``paramiko.__all__`` so that code introspecting that attribute, or using
``from paramiko import *`` (such as some IDEs) sees them. Thanks to
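Review bot: the added CVE-2018-7750 entry says "channel-open and other requests typically only sent after authenticating" without naming the other request types, so someone running Paramiko in server mode cannot tell from the changelog which messages were handled before authentication. Consider naming them in the entry or stating that the full list is in issue 1175, so operators can judge their exposure and know what to look for in server logs. The "(1.17+)" marker also deserves a plain-language gloss in the entry text, since readers of a security entry will want to know at a glance which release lines are affected.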