diff --git a/backport-CVE-2018-1000805.patch b/backport-CVE-2018-1000805.patch
deleted file mode 100644
index faa6859b01c3d37436387a0d52037897d5ab986e..0000000000000000000000000000000000000000
--- a/backport-CVE-2018-1000805.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 56c96a659658acdbb873aef8809a7b508434dcce Mon Sep 17 00:00:00 2001
-From: Jeff Forcier
-Date: Tue, 18 Sep 2018 19:59:16 -0700
-Subject: [PATCH] Fix and changelog re #1283
-
-Conflict:NA
-Reference:https://github.com/paramiko/paramiko/commit/56c96a65
----
- paramiko/auth_handler.py | 36 ++++++++++++++++++++++++----
- tests/test_transport.py | 52 +++++++++++++++++++++++++++++++++++++---
- 2 files changed, 81 insertions(+), 7 deletions(-)
-
-diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
-index a1ce5e3..137330e 100644
---- a/paramiko/auth_handler.py
-+++ b/paramiko/auth_handler.py
-@@ -664,17 +664,39 @@ Error Message: {}
- self.auth_event.set()
- return
-
-- _handler_table = {
-+ # TODO: do the same to the other tables, in Transport.
-+ # TODO 3.0: MAY make sense to make these tables into actual
-+ # classes/instances that can be fed a mode bool or whatever. Or,
-+ # alternately (both?) make the message types small classes or enums that
-+ # embed this info within themselves (which could also then tidy up the
-+ # current 'integer -> human readable short string' stuff in common.py).
-+ # TODO: if we do that, also expose 'em publicly.
-+
-+ # Messages which should be handled _by_ servers (sent by clients)
-+ _server_handler_table = {
- MSG_SERVICE_REQUEST: _parse_service_request,
-- MSG_SERVICE_ACCEPT: _parse_service_accept,
- MSG_USERAUTH_REQUEST: _parse_userauth_request,
-+ MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
-+ }
-+
-+ # Messages which should be handled _by_ clients (sent by servers)
-+ _client_handler_table = {
-+ MSG_SERVICE_ACCEPT: _parse_service_accept,
- MSG_USERAUTH_SUCCESS: _parse_userauth_success,
- MSG_USERAUTH_FAILURE: _parse_userauth_failure,
- MSG_USERAUTH_BANNER: _parse_userauth_banner,
- MSG_USERAUTH_INFO_REQUEST: _parse_userauth_info_request,
-- MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
- }
-
-+ # NOTE: prior to the fix for #1283, this was a static dict instead of a
-+ # property. Should be backwards compatible in most/all cases.
-+ @property
-+ def _handler_table(self):
-+ if self.transport.server_mode:
-+ return self._server_handler_table
-+ else:
-+ return self._client_handler_table
-+
-
- class GssapiWithMicAuthHandler(object):
- """A specialized Auth handler for gssapi-with-mic
-@@ -767,9 +789,15 @@ class GssapiWithMicAuthHandler(object):
- self._restore_delegate_auth_handler()
- return self._delegate._parse_userauth_request(m)
-
-- _handler_table = {
-+ __handler_table = {
- MSG_SERVICE_REQUEST: _parse_service_request,
- MSG_USERAUTH_REQUEST: _parse_userauth_request,
- MSG_USERAUTH_GSSAPI_TOKEN: _parse_userauth_gssapi_token,
- MSG_USERAUTH_GSSAPI_MIC: _parse_userauth_gssapi_mic,
- }
-+
-+ @property
-+ def _handler_table(self):
-+ # TODO: determine if we can cut this up like we did for the primary
-+ # AuthHandler class.
-+ return self.__handler_table
-diff --git a/tests/test_transport.py b/tests/test_transport.py
-index 9474acf..17db1f4 100644
---- a/tests/test_transport.py
-+++ b/tests/test_transport.py
-@@ -30,18 +30,19 @@ import threading
- import random
- from hashlib import sha1
- import unittest
-+from mock import Mock
-
- from paramiko import (
- Transport, SecurityOptions, ServerInterface, RSAKey, DSSKey, SSHException,
-- ChannelException, Packetizer, Channel,
-+ ChannelException, Packetizer, Channel, AuthHandler,
- )
- from paramiko import AUTH_FAILED, AUTH_SUCCESSFUL
- from paramiko import OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
- from paramiko.common import (
- MSG_KEXINIT, cMSG_CHANNEL_WINDOW_ADJUST, MIN_PACKET_SIZE, MIN_WINDOW_SIZE,
-- MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE,
-+ MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE, MSG_NAMES, MSG_UNIMPLEMENTED, MSG_USERAUTH_SUCCESS, cMSG_UNIMPLEMENTED,
- )
--from paramiko.py3compat import bytes
-+from paramiko.py3compat import bytes, byte_chr
- from paramiko.message import Message
-
- from .util import needs_builtin, _support, slow
-@@ -974,3 +975,48 @@ class TransportTest(unittest.TestCase):
- assert "forwarding request denied" in str(e)
- else:
- assert False, "Did not raise SSHException!"
-+
-+ def _send_client_message(self, message_type):
-+ self.setup_test_server(connect_kwargs={})
-+ self.ts._send_message = Mock()
-+ # NOTE: this isn't 100% realistic (most of these message types would
-+ # have actual other fields in 'em) but it suffices to test the level of
-+ # message dispatch we're interested in here.
-+ msg = Message()
-+ # TODO: really not liking the whole cMSG_XXX vs MSG_XXX duality right
-+ # now, esp since the former is almost always just byte_chr(the
-+ # latter)...but since that's the case...
-+ msg.add_byte(byte_chr(message_type))
-+ self.tc._send_message(msg)
-+ # No good way to actually wait for server action (see above tests re:
-+ # MSG_UNIMPLEMENTED). Grump.
-+ time.sleep(0.1)
-+
-+ def _expect_unimplemented(self):
-+ # Ensure MSG_UNIMPLEMENTED was sent (implies it hit end of loop instead
-+ # of truly handling the given message).
-+ # NOTE: When bug present, this will actually be the first thing that
-+ # fails (since in many cases actual message handling doesn't involve
-+ # sending a message back right away).
-+ assert self.ts._send_message.call_count == 1
-+ reply = self.ts._send_message.call_args[0][0]
-+ reply.rewind() # Because it's pre-send, not post-receive
-+ assert reply.get_byte() == cMSG_UNIMPLEMENTED
-+
-+ def test_server_transports_reject_client_message_types(self):
-+ # TODO: handle Transport's own tables too, not just its inner auth
-+ # handler's table. See TODOs in auth_handler.py
-+ for message_type in AuthHandler._client_handler_table:
-+ self._send_client_message(message_type)
-+ self._expect_unimplemented()
-+ # Reset for rest of loop
-+ self.tearDown()
-+ self.setUp()
-+
-+ def test_server_rejects_client_MSG_USERAUTH_SUCCESS(self):
-+ self._send_client_message(MSG_USERAUTH_SUCCESS)
-+ # Sanity checks
-+ assert not self.ts.authenticated
-+ assert not self.ts.auth_handler.authenticated
-+ # Real fix's behavior
-+ self._expect_unimplemented()
---
-2.19.1
-
diff --git a/paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch b/paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch
deleted file mode 100644
index ee4815e8f2524f01b3371940c1dbad98d93eb16d..0000000000000000000000000000000000000000
--- a/paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -ru paramiko-2.3.1.orig/paramiko/ssh_gss.py paramiko-2.3.1/paramiko/ssh_gss.py
---- paramiko-2.3.1.orig/paramiko/ssh_gss.py 2017-09-22 21:15:16.000000000 +0100
-+++ paramiko-2.3.1/paramiko/ssh_gss.py 2017-10-29 21:16:08.071429184 +0100
-@@ -51,7 +51,12 @@
-
- try:
- import gssapi
-- GSS_EXCEPTIONS = (gssapi.GSSException,)
-+ try:
-+ GSS_EXCEPTIONS = (gssapi.GSSException,)
-+ except AttributeError:
-+ # Unsupported GSS API
-+ GSS_AUTH_AVAILABLE = False
-+ _API = None
- except (ImportError, OSError):
- try:
- import pywintypes
diff --git a/paramiko-2.4.1.tar.gz b/paramiko-2.4.1.tar.gz
deleted file mode 100644
index dca5aefaa4ecaca42cd5b3f338bb3310fe9c9c88..0000000000000000000000000000000000000000
Binary files a/paramiko-2.4.1.tar.gz and /dev/null differ
diff --git a/paramiko-2.4.1-drop-pytest-relaxed.patch b/paramiko-2.7.2-drop-pytest-relaxed.patch
similarity index 64%
rename from paramiko-2.4.1-drop-pytest-relaxed.patch
rename to paramiko-2.7.2-drop-pytest-relaxed.patch
index d772e7da749c2e4b1b7a0bacef7ad4dab12085ff..2be787f61fe1a1c68a5b7332410aeeb29a565cbf 100644
--- a/paramiko-2.4.1-drop-pytest-relaxed.patch
+++ b/paramiko-2.7.2-drop-pytest-relaxed.patch
@@ -1,5 +1,14 @@
+From 953d9a1f1055de97e35c7060fcebc7283eff9e29 Mon Sep 17 00:00:00 2001
+From: zhaorenhai
+Date: Fri, 29 Jan 2021 06:48:10 +0000
+Subject: [PATCH] drop pytest-relaxed
+
+---
+ tests/test_client.py | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
 diff --git a/tests/test_client.py b/tests/test_client.py
-index 7163fdc..947e4b3 100644
+index 60ad310c..2d665cdd 100644
 --- a/tests/test_client.py
 +++ b/tests/test_client.py
 @@ -33,7 +33,7 @@ import warnings
@@ -8,35 +17,37 @@ index 7163fdc..947e4b3 100644 -from pytest_relaxed import raises +from pytest import raises + from mock import patch, Mock import paramiko - from paramiko.pkey import PublicBlob -@@ -656,10 +656,10 @@ class PasswordPassphraseTests(ClientTest): +@@ -684,10 +684,10 @@ class PasswordPassphraseTests(ClientTest): # TODO: more granular exception pending #387; should be signaling "no auth # methods available" because no key and no password - @raises(SSHException) def test_passphrase_kwarg_not_used_for_password_auth(self): - # Using the "right" password in the "wrong" field shouldn't work. -- self._test_connection(passphrase='pygmalion') +- self._test_connection(passphrase="pygmalion") + with raises(SSHException): + # Using the "right" password in the "wrong" field shouldn't work. + self._test_connection(passphrase='pygmalion') def test_passphrase_kwarg_used_for_key_passphrase(self): # Straightforward again, with new passphrase kwarg. -@@ -675,12 +675,12 @@ class PasswordPassphraseTests(ClientTest): - password='television', +@@ -705,14 +705,14 @@ class PasswordPassphraseTests(ClientTest): + password="television", ) -- @raises(AuthenticationException) # TODO: more granular - def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(self): # noqa +- @raises(AuthenticationException) # TODO: more granular + def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given( # noqa + self + ): - # Sanity: if we're given both fields, the password field is NOT used as - # a passphrase. - self._test_connection( -- key_filename=_support('test_rsa_password.key'), -- password='television', -- passphrase='wat? lol no', +- key_filename=_support("test_rsa_password.key"), +- password="television", +- passphrase="wat? lol no", - ) + with raises(AuthenticationException): # TODO: more granular + # Sanity: if we're given both fields, the password field is NOT used as 
@@ -46,4 +57,6 @@ index 7163fdc..947e4b3 100644 + password='television', + passphrase='wat? lol no', + ) +-- +2.27.0 diff --git a/paramiko-2.7.2.tar.gz b/paramiko-2.7.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..1aea7d6ea3bcef1c8309c4e9ab200df89f885d4f Binary files /dev/null and b/paramiko-2.7.2.tar.gz differ diff --git a/python-paramiko.spec b/python-paramiko.spec index d424bd8819497d99f4b6fa8819b307a56b49a038..934aee0960def813b7df2df2938f2660efd14500 100644 --- a/python-paramiko.spec +++ b/python-paramiko.spec @@ -1,14 +1,12 @@ Name: python-paramiko -Version: 2.4.1 -Release: 9 +Version: 2.7.2 +Release: 1 Summary: Python SSH module License: LGPLv2+ URL: https://github.com/paramiko/paramiko Source0: https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz -Patch0: paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch -Patch1: paramiko-2.4.1-drop-pytest-relaxed.patch -Patch6000: backport-CVE-2018-1000805.patch +Patch0: paramiko-2.7.2-drop-pytest-relaxed.patch BuildArch: noarch @@ -20,9 +18,10 @@ connections to remote machines. %package -n python3-paramiko Summary: Python SSH module BuildRequires: python3-devel python3-setuptools python3-bcrypt >= 3.1.3 python3-pytest -BuildRequires: python3-cryptography >= 1.5 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1 +BuildRequires: python3-cryptography >= 2.5 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1 +BuildRequires: python3-invoke >= 1.3 python3-mock >= 2.0 Requires: python3-bcrypt >= 3.1.3 python3-cryptography >= 1.5 -Requires: python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1 +Requires: python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1 python3-invoke >= 1.3 %{?python_provide:%python_provide python3-paramiko} %description -n python3-paramiko 
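Review bot: Dropping `Patch6000: backport-CVE-2018-1000805.patch` in the first spec hunk leaves no record, either in the spec or in the `%changelog` entry added further down, that the 2.7.2 tarball carries the fix. The deleted backport cites upstream commit 56c96a65 from 2018, so the fix is presumably included, but the tarball is binary in this diff and that cannot be confirmed from here. I would check that `paramiko/auth_handler.py` in the new source has the `_server_handler_table` / `_client_handler_table` split, and extend the changelog entry with `- Drop backport-CVE-2018-1000805.patch, fix included in 2.7.2`. The reason for removing `Patch0: paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch` is not stated either and deserves a changelog line of its own.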
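Review bot: The runtime dependency stays at `python3-cryptography >= 1.5` on the `Requires:` line while this hunk raises the build-time one to `>= 2.5`, so the package can be installed alongside a cryptography release older than the one it was built and tested with. Unless the lower runtime bound is intentional, the line should read `Requires: python3-bcrypt >= 3.1.3 python3-cryptography >= 2.5`. `python3-invoke >= 1.3` also becomes a hard runtime requirement here; if upstream treats it as optional, `Recommends:` would keep the installed footprint smaller. The `%package` section continues outside the hunk.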
@@ -67,6 +66,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version} %doc html/ demos/ NEWS README.rst %changelog +* Fri Mar 19 2021 jinzhimin - 2.7.2-1 +- Upgrade to 2.7.2 + * Mon Feb 22 2021 jinzhimin - 2.4.1-9 - fix CVE-2018-1000805