Revisions of python-paramiko
Ana Guerrero (anag+factory)
accepted
request 1225317
from
Dirk Mueller (dirkmueller)
(revision 64)
- reenable python 313 build - Update to 3.5.0: * [Feature] #982: (via #2444, which was a rebase of #2157) Add support for AES-GCM encryption ciphers (128 and 256 bit variants). Thanks to Alex Gaynor for the report (& for cryptography review), Shen Cheng for the original PR, and Chris Mason for the updated PR; plus as usual to everyone who tested the patches and reported their results! This functionality has been tested in client mode against OpenSSH 9.0, 9.2, and 9.6, as well as against a number of proprietary appliance SSH servers.
Dominique Leuenberger (dimstar_suse)
accepted
request 1197924
from
Robert Schweikert (rjschwei)
(revision 63)
Ana Guerrero (anag+factory)
accepted
request 1173814
from
Steve Kowalik (StevenK)
(revision 62)
- Add patch support-pytest-8.patch: * Use non-deprecated setup method to support pytest >= 8.
Ana Guerrero (anag+factory)
accepted
request 1134140
from
Steve Kowalik (StevenK)
(revision 61)
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168) * Transport grew a new packetizer_class kwarg for overriding the packet-handler class used internally. * Address CVE 2023-48795 (aka the "Terrapin Attack", a vulnerability found in the SSH protocol re: treatment of packet sequence numbers) as follows: + The vulnerability only impacts encrypt-then-MAC digest algorithms in tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko currently only implements hmac-sha2-(256|512)-etm in tandem with AES-CBC. + As the fix for the vulnerability requires both ends of the connection to cooperate, the below changes will only take effect when the remote end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode, as of this patch version) and configured to use the new "strict kex" mode. + Paramiko will now raise an SSHException subclass (MessageOrderError) when protocol messages are received in unexpected order. This includes situations like receiving MSG_DEBUG or MSG_IGNORE during initial key exchange, which are no longer allowed during strict mode. + Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered -- now resets packet sequence numbers. (This should be invisible to users during normal operation, only causing exceptions if the exploit is encountered, which will usually result in, again, MessageOrderError.) + Sequence number rollover will now raise SSHException if it occurs during initial key exchange (regardless of strict mode status). * Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the original implementation made assumptions based on an OpenSSH implementation detail. - Add patch use-64-bit-maxsize-everywhere.patch: * Use the 64-bit value of sys.maxsize.
Ana Guerrero (anag+factory)
accepted
request 1116019
from
Dirk Mueller (dirkmueller)
(revision 60)
* [Feature] #1951: Add SSH config token expansion (eg %h, %p) when * [Support] #2004: (via #2011) Apply unittest skipIf to tests currently using SHA1 in their critical path, to avoid failures on systems starting * [Support] #1838: (via #1870/#2028) Update camelCase method calls against the threading module to be snake_case; this and related tweaks * [Support] #2038: (via #2039) Recent versions of Cryptography have deprecated Blowfish algorithm support; in lieu of an easy method for users to remove it from the list of algorithms Paramiko tries to import and use, we’ve decided to remove it from our “preferred algorithms” list. This will both discourage use of a weak algorithm, and avoid warnings. * [Bug] #2017: OpenSSH 7.7 and older has a bug preventing it from understanding how to perform SHA2 signature verification for RSA certificates (specifically certs - not keys), so when we added SHA2 support it broke all clients using RSA certificates with these servers. This has been fixed in a manner similar to what OpenSSH’s own client does: a version check is performed and the algorithm used is downgraded * [Bug] #1933: Align signature verification algorithm with OpenSSH re: zero-padding signatures which don’t match their nominal size/length. This shouldn’t affect most users, but will help Paramiko-implemented SSH - Update to 2.10.3 (bsc#1197279, CVE-2022-24302) - [Feature] #1846: Add a prefetch keyword argument to - [Support] #1727: Add missing test suite fixtures directory to - Set environment to utf-8 to allow tests to pass on Python 2. (bsc#1178341) * gh#paramiko/paramiko#1655 - update to 2.7.2 (bsc#1166758, bsc#1166758, bsc#1205132) - update to 2.6.0 (bsc#1200603) - update to 2.5.0 extend timeout in testsuite to pass on ppc64le key-decryption passphrases from password-auth passwords. * Certificate support broke the no-certificate case for Ed25519 keys
Dominique Leuenberger (dimstar_suse)
accepted
request 1086711
from
Daniel Garcia (dgarcia)
(revision 58)
- Delete paramiko-pr1665-remove-pytest-relaxed.patch - Add remove-icecream-dep.patch - Update to 3.1.0: * [Feature] #2173: Accept single tabs as field separators (in addition to single spaces) in <paramiko.hostkeys.HostKeyEntry.from_line> for parity with OpenSSH’s KnownHosts parser. Patched by Alex Chavkin. * [Feature] #2013: (solving #2009, plus others) Add an explicit channel_timeout keyword argument to paramiko.client.SSHClient.connect, allowing users to configure the previously-hardcoded default value of 3600 seconds. Thanks to @VakarisZ and @ilija-lazoroski for the report and patch, with credit to Mike Salvatore for patch review. * [Support] #2178: Apply codespell to the codebase, which found a lot of very old minor spelling mistakes in docstrings. Also modernize many instances of *largs vs *args and **kwarg vs **kwargs. Patch courtesy of Yaroslav Halchenko, with review from Brian Skinn. - 3.0.0: * [Bug]: A handful of lower-level classes (notably paramiko.message.Message and paramiko.pkey.PKey) previously returned bytes objects from their implementation of __str__, even under Python 3; and there was never any __bytes__ method. * These issues have been fixed by renaming __str__ to __bytes__ and relying on Python’s default “stringification returns the output of __repr__” behavior re: any real attempts to str() such objects. * [Bug] #2165: Streamline some redundant (and costly) byte conversion calls in the packetizer and the core SFTP module. This should lead to some SFTP speedups at the very least. Thanks to Alex Gaynor for the patch. * [Bug] #2110: Remove some unnecessary __repr__ calls when handling bytes-vs-str conversions. This was apparently doing a lot of unintentional data processing, which adds up in some use cases – such as SFTP transfers, which may now be significantly faster. Kudos to Shuhua Zhong for catch & patch. * [Support]: Drop support for Python versions less than 3.6, including Python 2. So long and thanks for all the fish! * [Support]: Remove the now irrelevant paramiko.py3compat module. * [Support]: paramiko.common.asbytes has been moved to paramiko.util.asbytes. * [Support]: PKey.__cmp__ has been removed. Ordering-oriented comparison of key files is unlikely to have ever made sense (the old implementation attempted to order by the hashes of the key material) and so we have not bothered setting up __lt__ and friends at this time. The class continues to have its original __eq__ untouched. * [Support]: The behavior of private key classes’ (ie anything inheriting from PKey) private key writing methods used to perform a manual, extra chmod call after writing. This hasn’t been strictly necessary since the mid 2.x release line (when key writing started giving the mode argument to os.open), and has now been removed entirely. * This should only be observable if you were mocking Paramiko’s system calls during your own testing, or similar. * [Support] #732: (also re: #630) SSHConfig used to straight-up delete the proxycommand key from config lookup results when the source config said ProxyCommand none. This has been altered to preserve the key and give it the Python value None, thus making the Python representation more in line with the source config file. * [Support]: paramiko.util.retry_on_signal (and any internal uses of same, and also any internal retries of EINTR on eg socket operations) has been removed. As of Python 3.5, per PEP 475, this functionality (and retrying EINTR generally) is now part of the standard library.
Dominique Leuenberger (dimstar_suse)
accepted
request 1083119
from
Dirk Mueller (dirkmueller)
(revision 57)
- Move documentation into main package for SLE15 - add sle15_python_module_pythons (jsc#PED-68)
Dominique Leuenberger (dimstar_suse)
accepted
request 973836
from
Dirk Mueller (dirkmueller)
(revision 54)
- update to 2.10.4: * Servers offering certificate variants of hostkey algorithms (eg ssh-rsa-cert-v01@openssh.com) could not have their host keys verified by Paramiko clients, as it only ever considered non-cert key types for that part of connection handshaking. This has been fixed. * gq PKey instances’ __eq__ did not have the usual safety guard in place to ensure they were being compared to another PKey object, causing occasional spurious BadHostKeyException (among other things). This has been fixed. * Update camelCase method calls against the threading module to be snake_case; this and related tweaks should fix some deprecation warnings under Python 3.10.
Dominique Leuenberger (dimstar_suse)
accepted
request 967774
from
Markéta Machová (mcalabkova)
(revision 53)
Dominique Leuenberger (dimstar_suse)
accepted
request 925623
from
Dirk Mueller (dirkmueller)
(revision 51)
Dominique Leuenberger (dimstar_suse)
accepted
request 853510
from
Steve Kowalik (StevenK)
(revision 50)
- Set environment to utf-8 to allow tests to pass on Python 2. (bsc#1178341)
Dominique Leuenberger (dimstar_suse)
accepted
request 841523
from
Tomáš Chvátal (scarabeus_iv)
(revision 49)
Dominique Leuenberger (dimstar_suse)
accepted
request 832015
from
Ondřej Súkup (mimi_vx)
(revision 48)
- update to 2.7.2 - drop configs.tar.gz * Add missing test suite fixtures directory to MANIFEST.in * Remove leading whitespace from OpenSSH RSA test suite static key fixture, * Fix incorrect string formatting causing unhelpful error message annotation when using Kerberos/GSSAPI. * Fix incorrectly swapped order of p and q numbers when loading OpenSSH-format RSA private keys.
Dominique Leuenberger (dimstar_suse)
accepted
request 758748
from
Ondřej Súkup (mimi_vx)
(revision 47)
- update to 2.7.1 - add configs.tar.gz with missing test data * full changelog at http://www.paramiko.org/changelog.html
Dominique Leuenberger (dimstar_suse)
accepted
request 711850
from
Ondřej Súkup (mimi_vx)
(revision 46)
- update to 2.6.0 - drop relaxed.patch and 1311.patch * add a new keyword argument to SSHClient.connect <paramiko.client.SSHClient.connect> and paramiko.transport.Transport -> disabled_algorithms * Fix Ed25519 key handling so certain key comment lengths don't cause SSHException("Invalid key") * Add backwards-compatible support for the gssapi
Dominique Leuenberger (dimstar_suse)
accepted
request 709720
from
Ondřej Súkup (mimi_vx)
(revision 45)
- update to 2.5.0 - dropped 1379.patch - refreshed patches: paramiko-test_extend_timeout.patch relaxed.patch 1311.patch * Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). * Add support for Curve25519 key exchange. * Raise Cryptography dependency requirement to version 2.5 * Add support for the modern (as of Python 3.3) import location of MutableMapping
Displaying revisions 1 - 20 of 64