Debian Bug report logs - #460706
python-paramiko: CVE-2008-0299 insecure use of RandomPool


Package: python-paramiko; Maintainer for python-paramiko is Jeremy T. Bouse <jbouse@debian.org>; Source for python-paramiko is src:paramiko.

Reported by: Vincent Bernat <bernat@luffy.cx>

Date: Mon, 14 Jan 2008 18:03:01 UTC

Severity: grave

Tags: patch, security

Found in version 1.7.1-1

Fixed in version paramiko/1.6.4-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, jbouse@debian.org (Jeremy T. Bouse):
Bug#460706; Package python-paramiko. Full text and rfc822 format available.

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, jbouse@debian.org (Jeremy T. Bouse). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Vincent Bernat <bernat@luffy.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-paramiko: insecure use of RandomPool
Date: Mon, 14 Jan 2008 18:59:55 +0100
Package: python-paramiko
Version: 1.7.1-1
Severity: grave
Tags: security
Justification: user security hole

Hi !

Using paramiko with threads or multiple forking processes may lead to
a data leak. You can find the explanation and a patch here:
 http://www.lag.net/pipermail/paramiko/2008-January/000599.html
(look at the follow-up to fix an error in the proposed patch).

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-paramiko depends on:
ii  python-crypto            2.0.1+dfsg1-2.1 cryptographic algorithms and proto
ii  python-support           0.7.6           automated rebuilding support for p

python-paramiko recommends no packages.

-- no debconf information
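The failure mode Vincent's report points at, as an added illustration that is not part of this bug report, the upstream thread, or paramiko's own code: a user-space entropy pool keeps its whole state in process memory, so fork() hands the child an exact copy and both processes then emit the same "random" bytes until one of them mixes in something the other does not have. The toy HashPool below stands in for PyCrypto's RandomPool (the real class is deliberately not used, and its internals are not reproduced); the names HashPool, child_random_bytes and demo, and the seed string, are constructed for this example. The re-stir with os.urandom() plus the PID models the "reseed per process" idea of the fix; the thread-safety half of the report is not modelled.

```python
import hashlib
import os
import struct


class HashPool:
    """Toy hash-chained pool: all state is ordinary process memory, so a
    fork() clones it byte for byte. Constructed for this example; it is not
    PyCrypto's RandomPool and must not be used as a CSPRNG."""

    def __init__(self, seed: bytes) -> None:
        self._state = hashlib.sha256(seed).digest()
        self._counter = 0

    def get_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            block = hashlib.sha256(self._state + struct.pack(">Q", self._counter)).digest()
            # advance the chain so each output block depends on the last
            self._state = hashlib.sha256(block + self._state).digest()
            out += block
        return out[:n]

    def stir(self, entropy: bytes) -> None:
        """Mix fresh entropy into the state (the per-process reseed)."""
        self._state = hashlib.sha256(self._state + entropy).digest()


def child_random_bytes(pool: HashPool, n: int, reseed: bool) -> bytes:
    """fork(), optionally re-stir the pool in the child, and return the
    first n bytes the child draws, sent back to the parent over a pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(r)
        if reseed:
            # OS entropy plus the PID: material the parent does not share
            pool.stir(os.urandom(32) + struct.pack(">I", os.getpid()))
        os.write(w, pool.get_bytes(n))
        os._exit(0)
    os.close(w)
    data = b""
    while len(data) < n:
        chunk = os.read(r, n - len(data))
        if not chunk:
            break
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return data


def demo(reseed: bool) -> tuple:
    """Return (parent_bytes, child_bytes) drawn after a fork.
    reseed=False reproduces the shared-state leak: both halves are equal.
    reseed=True shows the per-process fix: the child's stream diverges."""
    pool = HashPool(b"constructed seed; a real pool is filled from the OS")
    child = child_random_bytes(pool, 16, reseed)
    parent = pool.get_bytes(16)
    return parent, child


if __name__ == "__main__":
    for flag in (False, True):
        parent, child = demo(flag)
        print("reseed=%s parent=%s child=%s same=%s"
              % (flag, parent.hex(), child.hex(), parent == child))
```

Without the re-stir the parent can compute every byte the child will ever draw (and vice versa), which is what the changelog means by one session predicting another's random data; a pool that instead reads from os.urandom() on each request has no cloneable state to begin with.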




Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse):
Bug#460706; Package python-paramiko.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse).

Message #10 received at 460706@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 460706@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#460706: python-paramiko: insecure use of RandomPool
Date: Mon, 14 Jan 2008 19:56:09 +0100
[Message part 1 (text/plain, inline)]
tags 460706 + patch
thanks

Hi,
attached is a patch that should fix this problem, extracted 
from the upstream thread on the mailing list (including the 
update).

It will also be archived at:
http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch

Please ping me in case you have no time to do an upload and 
need this NMU.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[paramiko-1.6.4-1_1.6.4-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 14 Jan 2008 19:03:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse):
Bug#460706; Package python-paramiko.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse).

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.



Message #17 received at 460706@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 460706@bugs.debian.org
Date: Thu, 17 Jan 2008 08:29:10 +0100
[Message part 1 (text/plain, inline)]
Hi,
this bug has been assigned CVE-2008-0299; please reference it in 
the changelog.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `python-paramiko: CVE-2008-0299 insecure use of RandomPool' from `python-paramiko: insecure use of RandomPool'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 17 Jan 2008 07:33:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, jbouse@debian.org (Jeremy T. Bouse):
Bug#460706; Package python-paramiko.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jbouse@debian.org (Jeremy T. Bouse).

Message #24 received at 460706@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 460706@bugs.debian.org
Subject: uploading NMU
Date: Wed, 23 Jan 2008 01:32:50 +0100
[Message part 1 (text/plain, inline)]
Hi Jeremy,
I know you wanted to take care of this, but since this bug 
is "fairly" old now and the patch is already included in the 
new upstream release, I am going to upload an NMU now 
according to the 0-day NMU policy.

I hope you agree with that.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.

Notification sent to Vincent Bernat <bernat@luffy.cx>:
Bug acknowledged by developer.

Message #29 received at 460706-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 460706-close@bugs.debian.org
Subject: Bug#460706: fixed in paramiko 1.6.4-1.1
Date: Wed, 23 Jan 2008 00:47:03 +0000
Source: paramiko
Source-Version: 1.6.4-1.1

We believe that the bug you reported is fixed in the latest version of
paramiko, which is due to be installed in the Debian FTP archive:

paramiko_1.6.4-1.1.diff.gz
  to pool/main/p/paramiko/paramiko_1.6.4-1.1.diff.gz
paramiko_1.6.4-1.1.dsc
  to pool/main/p/paramiko/paramiko_1.6.4-1.1.dsc
python-paramiko_1.6.4-1.1_all.deb
  to pool/main/p/paramiko/python-paramiko_1.6.4-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 460706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated paramiko package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 14 Jan 2008 19:36:40 +0100
Source: paramiko
Binary: python-paramiko
Architecture: source all
Version: 1.6.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Jeremy T. Bouse <jbouse@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 python-paramiko - make SSH2 connections with python
Closes: 460706
Changes: 
 paramiko (1.6.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * Fix insecure use of RandomPool if paramiko is used for threads or multiple
     forked processes. This enables one session to predict random data of
     another session using its own random data.
     (CVE id pending; Closes: #460706).
Files: 
 6910ac18ef65835a3ede7bfad1a2a31a 697 python optional paramiko_1.6.4-1.1.dsc
 09b6492c9bbdfd840353519b91fa8f7f 3210 python optional paramiko_1.6.4-1.1.diff.gz
 acb2ea8576c1d9f78fb7f57ed565164f 117088 python optional python-paramiko_1.6.4-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHlox9HYflSXNkfP8RAjlRAJwOeaNoE/9IBAegmMiiMZ3e1ymz4ACgrip7
sehUiMfvpWQHpJO8zlOJbLg=
=FkGS
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Feb 2008 07:26:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 09:54:01 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.