From 56c96a659658acdbb873aef8809a7b508434dcce Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Tue, 18 Sep 2018 19:59:16 -0700 Subject: Fix and changelog re #1283 --- sites/www/changelog.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'sites/www/changelog.rst') diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 207bfe59..d6845e8e 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -7,6 +7,18 @@ Changelog This behavior probably didn't cause any outright errors, but it doesn't seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends). +- :bug:`1283 (1.17+)` Fix exploit (CVE pending) in Paramiko's server mode + (**not** client mode) where hostile clients could trick the server into + thinking they were authenticated without actually submitting valid + authentication. + + Specifically, steps have been taken to start separating client and server + related message types in the message handling tables within ``Transport`` and + ``AuthHandler``; this work is not complete but enough has been performed to + close off this particular exploit (which was the only obvious such exploit + for this particular channel). + + Thanks to Daniel Hoffman for the detailed report. - :support:`1292 backported` Backport changes from :issue:`979` (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography -- cgit v1.2.3
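Review bot: In the new `:bug:` entry for 1283, "(CVE pending)" is a placeholder that will go stale once the release ships; replace it with the assigned identifier when one is issued, so server operators can match this entry against their advisories. The second paragraph says the separation of client and server message types in ``Transport`` and ``AuthHandler`` "is not complete" but does not say what remains, so a reader running Paramiko in server mode cannot tell whether upgrading fully closes the authentication bypass. Consider adding one sentence that tells those users to upgrade and points to the issue tracking the remaining work. The affected range appears only in the role argument ("1.17+"); repeating it in the prose would make the entry readable without knowing the changelog role syntax. This view is limited to sites/www/changelog.rst, so the message-handling change itself, and any test that rejects the out-of-role messages, cannot be checked from these lines.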