paramiko: CVE-2018-7750: Server implementation does not check for auth before serving later requests

Related Vulnerabilities: CVE-2018-7750

Debian Bug report logs - #892859


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 13 Mar 2018 21:21:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version paramiko/1.15.1-1

Fixed in version paramiko/2.4.2-0.1

Done: Gaudenz Steinlin <gaudenz@debian.org>

Forwarded to https://github.com/paramiko/paramiko/issues/1175



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jeremy T. Bouse <jbouse@debian.org>:
Bug#892859; Package src:paramiko. (Tue, 13 Mar 2018 21:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jeremy T. Bouse <jbouse@debian.org>. (Tue, 13 Mar 2018 21:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: paramiko: CVE-2018-7750: Server implementation does not check for auth before serving later requests
Date: Tue, 13 Mar 2018 22:17:54 +0100
Source: paramiko
Version: 1.15.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/paramiko/paramiko/issues/1175

Hi,

the following vulnerability was published for paramiko.

CVE-2018-7750[0]:
| transport.py in the SSH server implementation of Paramiko before
| 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5,
| 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not
| properly check whether authentication is completed before processing
| other requests, as demonstrated by channel-open. A customized SSH
| client can simply skip the authentication step.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7750
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7750
[1] https://github.com/paramiko/paramiko/issues/1175

Regards,
Salvatore
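The defect class the CVE text describes, as an added toy example that is not paramiko's code and does not reproduce its transport.py fix: a server-side dispatcher that serves channel-open without consulting authentication state, beside one that gates every message type outside the pre-auth set on that state. The message numbers are the standard SSH protocol values; the server classes, the PRE_AUTH_OK set and the password check are constructed for illustration.

```python
# Added example, not paramiko's code: a toy SSH-style server dispatcher showing
# the CVE-2018-7750 defect class (post-auth requests served without checking
# that user authentication completed) and the corresponding fix.
# Message numbers are the standard SSH values (RFC 4253/4252/4254); the server
# classes, PRE_AUTH_OK set and password check are constructed for illustration.

MSG_DISCONNECT = 1
MSG_IGNORE = 2
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
MSG_GLOBAL_REQUEST = 80
MSG_CHANNEL_OPEN = 90

# Message types a server may legitimately act on before authentication succeeds.
PRE_AUTH_OK = {MSG_DISCONNECT, MSG_IGNORE, MSG_SERVICE_REQUEST, MSG_USERAUTH_REQUEST}


class VulnerableServer:
    """Dispatches on message type alone and never consults the auth state."""

    def __init__(self, valid_password):
        self.valid_password = valid_password
        self.authenticated = False
        self.channels = []

    def handle(self, msg_type, payload):
        if msg_type == MSG_USERAUTH_REQUEST:
            self.authenticated = payload == self.valid_password
            return "auth-success" if self.authenticated else "auth-failure"
        if msg_type == MSG_CHANNEL_OPEN:
            self.channels.append(payload)  # opened whatever the auth state is
            return "channel-open-confirmation"
        return "unimplemented"


class FixedServer(VulnerableServer):
    """Same dispatcher, with every non-pre-auth message gated on auth state."""

    def handle(self, msg_type, payload):
        if not self.authenticated and msg_type not in PRE_AUTH_OK:
            # Tear down the transport; nothing else is processed for this peer.
            return "disconnect"
        return super().handle(msg_type, payload)


def run_skip_auth(server):
    """Constructed client trace: CHANNEL_OPEN sent with no USERAUTH_REQUEST first."""
    reply = server.handle(MSG_CHANNEL_OPEN, "session")
    return reply, len(server.channels)
```

The same gating rule applies to every post-auth message type (global requests, channel requests), not only channel-open, which is why the fixed server checks a whitelist of pre-auth types rather than blacklisting channel-open.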



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 19 Mar 2018 17:54:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy T. Bouse <jbouse@debian.org>:
Bug#892859; Package src:paramiko. (Sat, 01 Dec 2018 14:51:03 GMT)


Acknowledgement sent to Gaudenz Steinlin <gaudenz@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy T. Bouse <jbouse@debian.org>. (Sat, 01 Dec 2018 14:51:03 GMT)


Message #12 received at 892859@bugs.debian.org:

From: Gaudenz Steinlin <gaudenz@debian.org>
To: 904635@bugs.debian.org, 892859@bugs.debian.org
Subject: NMU for 2.4.2-0.1
Date: Sat, 01 Dec 2018 15:36:09 +0100
Hi Jeremy and Guido

I created an NMU to fix #904635 and #892859 by uploading the new
upstream version 2.4.2 and fixing the autopkgtests to run the new
pytest-based testsuite. This also contains a patch to remove a
dependency on pytest-relaxed from the tests. This dependency is
not packaged in Debian and does not work with the pytest release
in Debian. It's only used for 2 tests. I replaced the utility
function used with the equivalent from pytest.

I uploaded the package to delayed-10 so you have some time to
review the changes and abort the upload if you disagree.

I used your git repository on github to create the NMU. I created
3 pull requests which you can merge. If you prefer a traditional
NMU diff just tell me.

Gaudenz
-- 
PGP: 836E 4F81 EFBB ADA7 0852 79BF A97A 7702 BAF9 1EF5

Reply sent to Gaudenz Steinlin <gaudenz@debian.org>:
You have taken responsibility. (Tue, 11 Dec 2018 15:18:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 11 Dec 2018 15:18:06 GMT)


Message #17 received at 892859-close@bugs.debian.org:

From: Gaudenz Steinlin <gaudenz@debian.org>
To: 892859-close@bugs.debian.org
Subject: Bug#892859: fixed in paramiko 2.4.2-0.1
Date: Tue, 11 Dec 2018 15:16:06 +0000
Source: paramiko
Source-Version: 2.4.2-0.1

We believe that the bug you reported is fixed in the latest version of
paramiko, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892859@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gaudenz Steinlin <gaudenz@debian.org> (supplier of updated paramiko package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 01 Dec 2018 14:30:29 +0100
Source: paramiko
Binary: paramiko-doc python-paramiko python3-paramiko
Architecture: source all
Version: 2.4.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Changed-By: Gaudenz Steinlin <gaudenz@debian.org>
Description:
 paramiko-doc - Make ssh v2 connections with Python (Documentation)
 python-paramiko - Make ssh v2 connections (Python 2)
 python3-paramiko - Make ssh v2 connections (Python 3)
Closes: 892859 904635
Changes:
 paramiko (2.4.2-0.1) unstable; urgency=medium
 .
   * New upstream version 2.4.2 (Closes: #892859)
   * Fix autopkgtests (switch to pytest) (Closes: #904635)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:43 2019; Machine Name: buxtehude
