[3.8] py-paramiko: Authentication bypass in auth_handler.py (CVE-2018-1000805)
Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8,
1.18.5 and 1.17.6 is vulnerable to an authentication bypass in
paramiko/auth_handler.py. A remote attacker could exploit this
vulnerability in paramiko SSH servers to execute arbitrary code.
Fixed In Version:
python-paramiko 2.4.2, python-paramiko 2.3.3, python-paramiko 2.2.4, python-paramiko 2.1.6, python-paramiko 2.0.9
References:
https://github.com/paramiko/paramiko/issues/1283
https://nvd.nist.gov/vuln/detail/CVE-2018-1000805
Patch:
https://github.com/paramiko/paramiko/commit/56c96a65
(from redmine: issue id 10021, created on 2019-02-21, closed on 2019-03-05)
- Relations:
  - parent #10020 (closed)
- Changesets:
  - Revision d6448b76 on 2019-02-28T14:29:38Z:
    main/py-paramiko: security upgrade to 2.4.2 (CVE-2018-1000805)
    Fixes #10021
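
A version check built from the branch table in the advisory above. This is an added example, not code from paramiko or from this tracker. The function names and the 'unlisted' status are assumptions of the example, as is treating branches newer than 2.4 as fixed.

```python
import re
from importlib import metadata

# Last affected patch release per branch, from the advisory text above.
LAST_AFFECTED = {(2, 4): 1, (2, 3): 2, (2, 2): 3, (2, 1): 5,
                 (2, 0): 8, (1, 18): 5, (1, 17): 6}
# First fixed patch release per branch, from "Fixed In Version" above.
# The page lists no fixed release for the 1.18 and 1.17 branches.
FIRST_FIXED = {(2, 4): 2, (2, 3): 3, (2, 2): 4, (2, 1): 6, (2, 0): 9}


def parse_version(text):
    """Parse '2.4.1' or a package version such as '2.4.1-r0' into a tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(text):
    """Return (status, upgrade_target) for a paramiko version string.

    status is 'affected', 'fixed' or 'unlisted' (page gives no verdict).
    upgrade_target is the branch's fixed release, or None if none is listed.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in LAST_AFFECTED:
        if patch <= LAST_AFFECTED[branch]:
            fix = FIRST_FIXED.get(branch)
            return "affected", f"{major}.{minor}.{fix}" if fix is not None else None
        # Past the last affected release: fixed only if the page names a fix.
        return ("fixed" if branch in FIRST_FIXED else "unlisted"), None
    if branch > max(LAST_AFFECTED):
        # Assumption: branches newer than 2.4 were cut after the fix landed.
        return "fixed", None
    return "unlisted", None


if __name__ == "__main__":
    try:
        installed = metadata.version("paramiko")
    except metadata.PackageNotFoundError:
        print("paramiko is not installed in this environment")
    else:
        print(installed, *classify(installed))
```

An 'unlisted' result means the page gives no verdict for that version, so it needs a manual check against the upstream references.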