Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, jbouse@debian.org (Jeremy T. Bouse): Bug#460706; Package python-paramiko.
Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, jbouse@debian.org (Jeremy T. Bouse).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-paramiko: insecure use of RandomPool
Date: Mon, 14 Jan 2008 18:59:55 +0100
Package: python-paramiko
Version: 1.7.1-1
Severity: grave
Tags: security
Justification: user security hole
Hi!
Using paramiko with threads or multiple forking processes may lead to
a data leak. You can find the explanation and a patch here:
http://www.lag.net/pipermail/paramiko/2008-January/000599.html
(look at the followup to fix an error in the patch proposed).
Thanks.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages python-paramiko depends on:
ii python-crypto 2.0.1+dfsg1-2.1 cryptographic algorithms and proto
ii python-support 0.7.6 automated rebuilding support for p
python-paramiko recommends no packages.
-- no debconf information
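The failure mode in this report, shown as an added example (not code from paramiko, PyCrypto or this bug thread): a user-space random pool lives entirely in process memory, so after fork() every child starts from an identical copy of the pool state and "sessions" in different children draw the same bytes. `PoolLikePRNG` is a constructed stand-in for PyCrypto's RandomPool (it wraps `random.Random`, which is not a CSPRNG, purely to make the duplicated state visible); the mitigation shown is reseeding from the kernel (`os.urandom`) in each child before any bytes are drawn.

```python
import os
import random

class PoolLikePRNG:
    """Constructed stand-in for a RandomPool-style user-space PRNG.
    Its whole state is process memory, so fork() duplicates it verbatim."""

    def __init__(self, seed: int) -> None:
        self._rng = random.Random(seed)

    def get_bytes(self, n: int) -> bytes:
        return bytes(self._rng.getrandbits(8) for _ in range(n))

    def reseed(self) -> None:
        # Mitigation: mix fresh kernel entropy into the pool after fork,
        # so each process diverges from the inherited copy of the state.
        self._rng.seed(os.urandom(32))

def draw_in_child(pool: PoolLikePRNG, n: int, reseed: bool) -> bytes:
    """Fork a child that draws n bytes from its copy of the pool and
    returns them to the parent over a pipe. The parent's pool state is
    untouched, just as it would be for a server forking per session."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: inherits the exact pool state of the parent
        os.close(rfd)
        if reseed:
            pool.reseed()
        os.write(wfd, pool.get_bytes(n))
        os._exit(0)
    os.close(wfd)
    out = b""
    while len(out) < n:
        chunk = os.read(rfd, n - len(out))
        if not chunk:
            break
        out += chunk
    os.close(rfd)
    os.waitpid(pid, 0)
    return out

def sessions_share_randomness(reseed_after_fork: bool, n: int = 16) -> bool:
    """True if two forked 'sessions' produce identical random bytes."""
    pool = PoolLikePRNG(seed=1234)  # constructed seed: pool state before fork
    first = draw_in_child(pool, n, reseed_after_fork)
    second = draw_in_child(pool, n, reseed_after_fork)
    return first == second
```

Without reseeding both children return the same 16 bytes, which is exactly why one session could predict another's random data; with reseeding they differ. The same duplicated-state problem applies to threads sharing one pool without a lock, which this example does not model.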
Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#460706; Package python-paramiko.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse).
tags 460706 + patch
thanks
Hi,
Attached is a patch that should fix this problem, extracted
from the upstream thread on the mailing list (including the
update).
It will also be archived at:
http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
Please ping me in case you have no time to do an upload and
need this NMU.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 14 Jan 2008 19:03:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#460706; Package python-paramiko.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse).
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
Hi,
this bug got CVE-2008-0299 assigned, please reference it in
the changelog.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `python-paramiko: CVE-2008-0299 insecure use of RandomPool' from `python-paramiko: insecure use of RandomPool'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Thu, 17 Jan 2008 07:33:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse): Bug#460706; Package python-paramiko.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse).
Hi Jeremy,
I know you wanted to take care of this, but since this bug
is "fairly" old now and the patch is already included in the
new upstream release, I am going to upload an NMU now
according to the 0-day NMU policy.
I hope you agree with that.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: paramiko
Source-Version: 1.6.4-1.1
We believe that the bug you reported is fixed in the latest version of
paramiko, which is due to be installed in the Debian FTP archive:
paramiko_1.6.4-1.1.diff.gz
to pool/main/p/paramiko/paramiko_1.6.4-1.1.diff.gz
paramiko_1.6.4-1.1.dsc
to pool/main/p/paramiko/paramiko_1.6.4-1.1.dsc
python-paramiko_1.6.4-1.1_all.deb
to pool/main/p/paramiko/python-paramiko_1.6.4-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 460706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated paramiko package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 14 Jan 2008 19:36:40 +0100
Source: paramiko
Binary: python-paramiko
Architecture: source all
Version: 1.6.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
python-paramiko - make SSH2 connections with python
Closes: 460706
Changes:
paramiko (1.6.4-1.1) unstable; urgency=high
.
* Non-maintainer upload by security team.
* Fix insecure use of RandomPool if paramiko is used for threads or multiple
forked processes. This enables one session to predict random data of
another session using its own random data.
(CVE id pending; Closes: #460706).
Files:
6910ac18ef65835a3ede7bfad1a2a31a 697 python optional paramiko_1.6.4-1.1.dsc
09b6492c9bbdfd840353519b91fa8f7f 3210 python optional paramiko_1.6.4-1.1.diff.gz
acb2ea8576c1d9f78fb7f57ed565164f 117088 python optional python-paramiko_1.6.4-1.1_all.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 20 Feb 2008 07:26:07 GMT)