Bugzilla – Bug 1111151
VUL-0: CVE-2018-1000805: python-paramiko: python-paramiko: Authentication bypass in auth_handler.py
Last modified: 2024-05-16 13:50:09 UTC
rh#1637263 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code.
Upstream Issue: https://github.com/paramiko/paramiko/issues/1283
Upstream Patch: https://github.com/paramiko/paramiko/commit/56c96a65
References: https://bugzilla.redhat.com/show_bug.cgi?id=1637263 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000805
According to this bug and comment (https://bugzilla.suse.com/show_bug.cgi?id=1085276#c1) we are not using paramiko in server mode, so our products are not vulnerable to this. Still should be fixed eventually.
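Added example, not code from this bug, from SUSE or from the paramiko project: a defender-side check that combines the two facts stated above, the last vulnerable release of each branch from the description and the "server mode only" condition from the triage comment. The server-mode detection is a plain source-text heuristic on two paramiko server API names (an assumption, not an exhaustive list); the sample sources are constructed.

```python
"""Is a host exposed to CVE-2018-1000805? Two facts from the bug report:
  * the advisory lists the last vulnerable release of each branch
    (2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6);
  * the flaw is in paramiko's server side (auth_handler.py), so code that
    only uses the SSH client is not reachable by it.
"""
import re

# Highest vulnerable release per branch, taken from the bug description.
LAST_VULNERABLE = {
    (2, 4): (2, 4, 1), (2, 3): (2, 3, 2), (2, 2): (2, 2, 3), (2, 1): (2, 1, 5),
    (2, 0): (2, 0, 8), (1, 18): (1, 18, 5), (1, 17): (1, 17, 6),
}

def parse_version(text):
    """'2.4.2' or RPM-style '2.0.9-3.6.1' -> (2, 0, 9); the release tag is dropped."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised paramiko version: %r" % text)
    return tuple(int(x) for x in m.groups())

def version_is_vulnerable(text):
    """True if this paramiko version predates the fix on its branch."""
    v = parse_version(text)
    branch = v[:2]
    if branch in LAST_VULNERABLE:
        return v <= LAST_VULNERABLE[branch]
    # Assumption: branches older than 1.17 never got the fix (treat as vulnerable);
    # branches newer than 2.4 were cut after it.
    return branch < (1, 17)

# Heuristic (assumption): these names only appear in code that runs paramiko
# as an SSH *server*, which is the mode the bypass affects.
SERVER_MARKERS = ("ServerInterface", ".start_server(")

def uses_server_mode(source):
    """True if the Python source text references paramiko's server-side API."""
    return any(marker in source for marker in SERVER_MARKERS)

def exposed(version_text, source):
    """Exposed only if the version is unfixed AND the code runs a server."""
    return version_is_vulnerable(version_text) and uses_server_mode(source)

# Constructed sample sources for a client-only application and a server.
CLIENT_ONLY = "import paramiko\nc = paramiko.SSHClient()\nc.connect('host')\n"
SERVER_CODE = "import paramiko\nt = paramiko.Transport(sock)\nt.start_server(server=Srv())\n"
```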
patching of 2.2.3 in SOC8 discussed in bug #1120531
This is an autogenerated message for OBS integration: This bug (1111151) was mentioned in https://build.opensuse.org/request/show/662763 Factory / python-paramiko
patch submitted for SOC 8 https://build.opensuse.org/request/show/662836 For SOC 7 https://build.opensuse.org/request/show/662868
patches accepted
Can we close this?
we will close the bug once everything is released
SUSE-SU-2019:0174-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1111151,1115769,1121846 CVE References: CVE-2018-1000805 Sources used: SUSE Linux Enterprise Module for Public Cloud 15 (src): python-paramiko-2.4.2-3.3.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-paramiko-2.4.2-3.3.2 SUSE Linux Enterprise Module for Basesystem 15 (src): python-paramiko-2.4.2-3.3.2
openSUSE-SU-2019:0129-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1111151,1115769,1121846 CVE References: CVE-2018-1000805 Sources used: openSUSE Leap 15.0 (src): python-paramiko-2.4.2-lp150.2.3.1
SUSE-SU-2019:0396-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1111151,1120531 CVE References: CVE-2018-1000805 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): python-paramiko-2.2.4-4.3.1 SUSE OpenStack Cloud 8 (src): python-paramiko-2.2.4-4.3.1 HPE Helion Openstack 8 (src): python-paramiko-2.2.4-4.3.1
This is an autogenerated message for OBS integration: This bug (1111151) was mentioned in https://build.opensuse.org/request/show/677415 15.1 / python-paramiko
SUSE-SU-2019:0481-1: An update that solves one vulnerability and has three fixes is now available. Category: security (important) Bug References: 1111151,1115099,1116437,1123054 CVE References: CVE-2018-1000805 Sources used: SUSE OpenStack Cloud 7 (src): python-amqp-1.4.9-3.3.1, python-oslo.messaging-5.10.2-3.9.1, python-ovs-2.5.0-3.3.1, python-paramiko-2.0.9-3.6.1, python-psql2mysql-0.5.0+git.1539592188.13e5d0f-1.9.1 SUSE Enterprise Storage 4 (src): python-paramiko-2.0.9-3.6.1 OpenStack Cloud Magnum Orchestration 7 (src): python-paramiko-2.0.9-3.6.1
@Tom,@Nathan: python-radosgw-agent is requiring that within its requirement chain. I have copied paramiko-2.0.9 to Devel:Storage:5.0 with a fix for this issue. Can one of you make sure this is working for SES5?
(In reply to Holger Sickenberg from comment #23) > @Tom,@Nathan: python-radosgw-agent is requiring that within its requirement > chain. I have copied paramiko-2.0.9 to Devel:Storage:5.0 with a fix for this > issue. Can one of you make sure this is working for SES5? @Holgi, it doesn't build. Tests are failing. @Nathan, do we have any CI for radosgw-agent?
(In reply to Thomas Bechtold from comment #24) > (In reply to Holger Sickenberg from comment #23) > > @Tom,@Nathan: python-radosgw-agent is requiring that within its requirement > > chain. I have copied paramiko-2.0.9 to Devel:Storage:5.0 with a fix for this > > issue. Can one of you make sure this is working for SES5? > > @Holgi, It doesn't build. Tests are failing. > @Nathan, do we have any CI for radosgw-agent ? @Holgi @Tom @All "python-radosgw-agent" is an unused, unmaintained and undocumented tool which is only in SES5 for the purpose of deprecating it so it could be dropped in SES6. So there is no need to test it and the likelihood that any customers are using it is near zero. I think the python-paramiko package (which isn't building) could simply be removed from Devel:Storage:5.0. I'm sure the security fix that ends up being implemented will be just fine for all the current users of "python-radosgw-agent".
SUSE-SU-2020:1274-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1111151 CVE References: CVE-2018-1000805 Sources used: SUSE Enterprise Storage 5 (src): python-paramiko-2.0.9-3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update has been released, this bug can be closed.
SUSE-SU-2021:0038-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1111151 CVE References: CVE-2018-1000805 JIRA References: Sources used: SUSE Linux Enterprise Module for Public Cloud 12 (src): python-paramiko-2.1.3-9.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3730-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1111151,1200603 CVE References: CVE-2018-1000805 JIRA References: Sources used: openSUSE Leap 15.4 (src): python-paramiko-2.4.3-150100.6.15.1 openSUSE Leap 15.3 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Manager Server 4.1 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Manager Retail Branch Server 4.1 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Manager Proxy 4.1 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Enterprise Storage 7 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE Enterprise Storage 6 (src): python-paramiko-2.4.3-150100.6.15.1 SUSE CaaS Platform 4.0 (src): python-paramiko-2.4.3-150100.6.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.