Advisories » MGASA-2018-0204

Updated python-paramiko packages fix security vulnerability

Publication date: 15 Apr 2018
Modification date: 15 Apr 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-7750

Description

A flaw was found in the implementation of `transport.py` in Paramiko,
which did not properly check whether authentication was completed before
processing other requests. A customized SSH client could simply skip the
authentication step (CVE-2018-7750).

This flaw is a user authentication bypass in the SSH Server
functionality of Paramiko. Where Paramiko is used only for its
client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability
is not exposed and thus cannot be exploited.

References

SRPMS

6/core