-
Tue May 17 2022 Paul Howarth <paul@city-fan.org> - 2.11.0-1
- Update to 2.11.0
- Align signature verification algorithm with OpenSSH re: zero-padding
signatures that don't match their nominal size/length; this shouldn't
affect most users, but will help Paramiko-implemented SSH servers handle
poorly behaved clients such as PuTTY (GH#1933)
- OpenSSH 7.7 and older has a bug preventing it from understanding how to
perform SHA2 signature verification for RSA certificates (specifically
certs - not keys), so when we added SHA2 support it broke all clients using
RSA certificates with these servers; this has been fixed in a manner similar
to what OpenSSH's own client does - a version check is performed and the
algorithm used is downgraded if needed (GH#2017)
- Recent versions of Cryptography have deprecated Blowfish algorithm support;
in lieu of an easy method for users to remove it from the list of
algorithms Paramiko tries to import and use, we've decided to remove it
from our "preferred algorithms" list, which will both discourage use of a
weak algorithm, and avoid warnings (GH#2038, GH#2039)
- Windows-native SSH agent support as merged in 2.10 could encounter
'Errno 22' 'OSError' exceptions in some scenarios (e.g. server not cleanly
closing a relevant named pipe); this has been worked around and should be
less problematic (GH#2008, GH#2010)
- Add SSH config token expansion (e.g. '%h', '%p') when parsing 'ProxyJump'
directives (GH#1951)
- Apply unittest 'skipIf' to tests currently using SHA1 in their critical
path, to avoid failures on systems starting to disable SHA1 outright in
their crypto backends (e.g. RHEL 9) (GH#2004, GH#2011)
-
Tue Apr 26 2022 Paul Howarth <paul@city-fan.org> - 2.10.4-1
- Update to 2.10.4
- Update 'camelCase' method calls against the 'threading' module to be
'snake_case'; this and related tweaks should fix some deprecation warnings
under Python 3.10 (GH#1838, GH#1870, GH#2028)
- '~paramiko.pkey.PKey' instances' '__eq__' did not have the usual safety
guard in place to ensure they were being compared to another 'PKey' object,
causing occasional spurious 'BadHostKeyException', among other things
(GH#1964, GH#2023, GH#2024)
- Servers offering certificate variants of hostkey algorithms (e.g.
'ssh-rsa-cert-v01@openssh.com') could not have their host keys verified by
Paramiko clients, as it only ever considered non-cert key types for that
part of connection handshaking (GH#2035)
-
Mon Mar 21 2022 Paul Howarth <paul@city-fan.org> - 2.10.3-2
- Skip tests that would fail without SHA-1 signing support in backend, such as
on EL-9 (GH#2011)
-
Sat Mar 19 2022 Paul Howarth <paul@city-fan.org> - 2.10.3-1
- Update to 2.10.3
- Certificate-based pubkey auth was inadvertently broken when adding SHA2
support in version 2.9.0 (GH#1963, GH#1977)
- Switch from module-global to thread-local storage when recording thread IDs
for a logging helper; this should avoid one flavor of memory leak for
long-running processes (GH#2002, GH#2003)
-
Tue Mar 15 2022 Paul Howarth <paul@city-fan.org> - 2.10.2-1
- Update to 2.10.2
- Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001)
- Re-enable sftp tests, no longer failing under mock
-
Sun Mar 13 2022 Paul Howarth <paul@city-fan.org> - 2.10.1-1
- Update to 2.10.1
- CVE-2022-24302: Creation of new private key files using
'~paramiko.pkey.PKey' subclasses was subject to a race condition between
file creation and mode modification, which could be exploited by an
attacker with knowledge of where the Paramiko-using code would write out
such files; this has been patched by using 'os.open' and 'os.fdopen' to
ensure new files are opened with the correct mode immediately (we've left
the subsequent explicit 'chmod' in place to minimize any possible
disruption, though it may get removed in future backwards-incompatible
updates)
- Add support for the '%C' token when parsing SSH config files (GH#1976)
- Add support for OpenSSH's Windows agent as a fallback when PuTTY/WinPageant
isn't available or functional (GH#1509, GH#1837, GH#1868)
- Significantly speed up low-level read/write actions on
'~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview'
(GH#892); this is unlikely to change anything for users of the higher level
methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of
'SFTPClient.open' will likely see orders of magnitude improvements for
files larger than a few megabytes in size
- Add 'six' explicitly to install-requires; it snuck into active use at some
point but has only been indicated by transitive dependency on 'bcrypt'
until they somewhat-recently dropped it (GH#1985); this will be short-lived
until we drop Python 2 support
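
The race described in the CVE-2022-24302 entry above, shown as an added example (not Paramiko's own code): the create-then-chmod pattern next to the os.open/os.fdopen pattern, recording the permission bits each file has at the moment it is created. The function names, file names and sample data are hypothetical, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

SAMPLE = "constructed placeholder, not real key material\n"


def _mode(fileobj):
    """Permission bits of an open file, read via its descriptor."""
    return stat.S_IMODE(os.fstat(fileobj.fileno()).st_mode)


def write_key_racy(path, data):
    """Pre-fix pattern: create with the default mode, tighten afterwards."""
    with open(path, "w") as f:  # created as 0o666 & ~umask
        at_creation = _mode(f)  # what other local users see until chmod
        f.write(data)
    os.chmod(path, 0o600)  # the exposure window closes only here
    return at_creation


def write_key_atomic(path, data):
    """Post-fix pattern: pass the mode to os.open so there is no window."""
    # The mode argument applies only when the file is newly created; an
    # existing file keeps its old mode, so the trailing chmod still matters.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        at_creation = _mode(f)
        f.write(data)
    os.chmod(path, 0o600)
    return at_creation


def demo():
    """Return (racy, atomic) creation modes under a typical 022 umask."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_key_racy(os.path.join(d, "racy_key"), SAMPLE)
            atomic = write_key_atomic(os.path.join(d, "atomic_key"), SAMPLE)
    finally:
        os.umask(old_umask)
    return racy, atomic


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```
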
-
Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
Fri Jan 14 2022 Paul Howarth <paul@city-fan.org> - 2.9.2-2
- Avoid use of deprecated python-mock by using unittest.mock instead
https://github.com/paramiko/paramiko/pull/1666
-
Sat Jan 08 2022 Paul Howarth <paul@city-fan.org> - 2.9.2-1
- Update to 2.9.2
- Connecting to servers that support 'server-sig-algs' but which have no
overlap between that list and what a Paramiko client supports, now raises
an exception instead of defaulting to 'rsa-sha2-512' (since the use of
'server-sig-algs' allows us to know what the server supports)
- Enhanced log output when connecting to servers that do not support
'server-sig-algs' extensions, making the new-as-of-2.9 defaulting to SHA2
pubkey algorithms more obvious when it kicks in
-
Sat Dec 25 2021 Paul Howarth <paul@city-fan.org> - 2.9.1-1
- Update to 2.9.1
- Server-side support for 'rsa-sha2-256' and 'ssh-rsa' wasn't fully operable
after 2.9.0's release (signatures for RSA pubkeys were always run through
'rsa-sha2-512' instead) (GH#1935)