[USN-3796-3] Paramiko vulnerability


From: Marc Deslauriers
Reply-To: Ubuntu Security
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-3796-3] Paramiko vulnerability

Ubuntu Security Notice USN-3796-3
October 22, 2018

paramiko vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

Paramiko could allow unintended access to network services.

Software Description:
- paramiko: Python SSH2 library

Details:

USN-3796-1 fixed a vulnerability in Paramiko. This update provides the
corresponding update for Ubuntu 18.10.

Original advisory details:

Daniel Hoffman discovered that Paramiko incorrectly handled authentication
when being used as a server. A remote attacker could use this issue to
bypass authentication without any credentials.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
python-paramiko 2.4.1-0ubuntu3.1
python3-paramiko 2.4.1-0ubuntu3.1

After a standard system update you need to reboot your computer to make
all the necessary changes.
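
To confirm that a host has the fix, compare the installed package version with the fixed version listed above. The script below is an added example, not part of the original advisory; the function names and the sample input lines are constructed for illustration. The upstream part of the fixed version is still 2.4.1, so the check compares the full package version with dpkg rather than the library's own version string.

```shell
#!/bin/sh
# Added example: classify paramiko package versions against the fixed
# version that USN-3796-3 lists for Ubuntu 18.10.
FIXED="2.4.1-0ubuntu3.1"   # taken from the advisory

# paramiko_status VERSION
# Prints "fixed" if VERSION >= FIXED under dpkg's ordering, else "vulnerable".
paramiko_status() {
    if dpkg --compare-versions "$1" ge "$FIXED"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# audit_paramiko
# Reads "package version" lines on stdin, prints one verdict per paramiko
# package, and returns 1 if any of them is below the fixed version.
audit_paramiko() {
    rc=0
    while read -r pkg ver; do
        case "$pkg" in
            python-paramiko|python3-paramiko) ;;
            *) continue ;;                  # ignore unrelated packages
        esac
        [ -n "$ver" ] || continue           # known to dpkg but not installed
        st=$(paramiko_status "$ver")
        echo "$pkg $ver $st"
        [ "$st" = fixed ] || rc=1
    done
    return "$rc"
}

# On a live Ubuntu 18.10 host:
#   dpkg-query -W -f='${Package} ${Version}\n' \
#       python-paramiko python3-paramiko 2>/dev/null | audit_paramiko

# Constructed sample input (not real host output):
printf '%s\n' \
    'python-paramiko 2.4.1-0ubuntu3.1' \
    'python3-paramiko 2.4.1-0ubuntu3' \
    'openssh-server 1:7.7p1-4' | audit_paramiko || true
```

A non-zero return from `audit_paramiko` means at least one paramiko package is older than the fixed version, which makes the function usable as a gate in a compliance or patch-verification job.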

References:
https://usn.ubuntu.com/usn/usn-3796-3
https://usn.ubuntu.com/usn/usn-3796-1
CVE-2018-1000805

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.4.1-0ubuntu3.1
