[USN-3796-1] Paramiko vulnerability


This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

protocol=”application/pgp-signature”;
boundary=”Xl408OUi6c1pD1QRkOovzd34Je8aufttu”

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
–Xl408OUi6c1pD1QRkOovzd34Je8aufttu

protected-headers=”v1″
From: Marc Deslauriers
Reply-To: Ubuntu Security
To: “ubuntu-security-announce@lists.ubuntu.com”

Message-ID:
Subject: [USN-3796-1] Paramiko vulnerability

–kmmKcHHxKYnckdK4zRLSEcpMssSs6wxfi

Content-Language: en-CA
Content-Transfer-Encoding: quoted-printable

=
=

Ubuntu Security Notice USN-3796-1
October 17, 2018

paramiko vulnerability
=
=

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
– Ubuntu 14.04 LTS

Summary:

Paramiko could allow unintended access to network services.

Software Description:
– paramiko: Python SSH2 library

Details:

Daniel Hoffman discovered that Paramiko incorrectly handled authenticatio=
n
when being used as a server. A remote attacker could use this issue to
bypass authentication without any credentials.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
python-paramiko 2.0.0-1ubuntu1.1
python3-paramiko 2.0.0-1ubuntu1.1

Ubuntu 16.04 LTS:
python-paramiko 1.16.0-1ubuntu0.2
python3-paramiko 1.16.0-1ubuntu0.2

Ubuntu 14.04 LTS:
python-paramiko 1.10.1-1git1ubuntu0.2

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3796-1
CVE-2018-1000805

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.0.0-1ubuntu1.1
https://launchpad.net/ubuntu/+source/paramiko/1.16.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/paramiko/1.10.1-1git1ubuntu0.2

–kmmKcHHxKYnckdK4zRLSEcpMssSs6wxfi–

–Xl408OUi6c1pD1QRkOovzd34Je8aufttu

Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename=”signature.asc”

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlvHQpcACgkQZWnYVadE
vpMH5xAAkg0mihneHeodk1eKC73Nm0Qz1TpZwf5xRw1Ixx+PB2miGkUiyjfEznNq
0h5ceB/wIpd4VvOBUlK+oR95w97/2nBq2yuSVxSb1u4BwkE+wIXvbnMEwqwvW41C
McTbOrIMqdNdSO5mzROzq4PA2LyaWEWwkMbGZ9RkHM+64rr58OwACwx0GeFLXcQT
I8vxDbUrfdcJvI6jZmKzOcQzrs6ZP5PAEqQ6o7WBkmOA2bfh/SIDUY1eqEDc+qap
JkqgQJoWhfxxAbrZ7mKVxRgM9+CSMFeC+s37910qpQux2M72RlIh3HRFY+9HFzdz
m9RMJujZ6Jg/XT0C6EKq/fyIO7C8XKZQPdVfC54jrS7ucGF4mfRXuMsYTV0i+WXU
VEicejVnr8Gk55OXEwuQ0xeBWWzcJOWxZcdwfeG1cLqq78EQp/GIQkpxzanKkes3
WL/CQu96lFQFPjt6QJ2cbKDbWvGEQJEHYTwJzzNJfyaZ6pCLYgMCW04njnPEZStx
ZABjIj0uEOfwsY1elGPZ0thSdZgLcJSj12nDBTZj6/Wnh5rMCd6onijBHhrFQQuc
2oxs7f+wZICXJ1w8Vu79CC61JyGWYFmOyrNwJaPrHK2KJCw069TgxEGpVOJsjPUW
ZX070+l9Do/JFyxME03rkVdYfJWLab+ZuEhQrtcs3xKNB5jDbvs=
=R5+W
—–END PGP SIGNATURE—–

–Xl408OUi6c1pD1QRkOovzd34Je8aufttu–

MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK