summaryrefslogtreecommitdiffhomepage
path: root/sites/www/changelog.rst
diff options
context:
space:
mode:
Diffstat (limited to 'sites/www/changelog.rst')
-rw-r--r--sites/www/changelog.rst12
1 files changed, 12 insertions, 0 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 207bfe59..d6845e8e 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -7,6 +7,18 @@ Changelog
This behavior probably didn't cause any outright errors, but it doesn't seem
to conform to the RFCs and could cause (non-infinite) feedback loops in some
scenarios (usually those involving Paramiko on both ends).
+- :bug:`1283 (1.17+)` Fix exploit (CVE pending) in Paramiko's server mode
+ (**not** client mode) where hostile clients could trick the server into
+ thinking they were authenticated without actually submitting valid
+ authentication.
+
+ Specifically, steps have been taken to start separating client and server
+ related message types in the message handling tables within ``Transport`` and
+ ``AuthHandler``; this work is not complete but enough has been performed to
+ close off this particular exploit (which was the only obvious such exploit
+ for this particular channel).
+
+ Thanks to Daniel Hoffman for the detailed report.
- :support:`1292 backported` Backport changes from :issue:`979` (added in
Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards
compatibility. This allows these older versions to use newer Cryptography