Recommended update for python-Whoosh, python-paramiko, python-pyOpenSSL

Announcement ID: SUSE-RU-2020:0830-1
Rating: moderate
References:
Affected Products:
  • Public Cloud Module 12
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that contains one feature and has two fixes can now be installed.

Description:

This update for python-Whoosh, python-paramiko, python-pyOpenSSL fixes the following issues:

python-paramiko was updated to 2.1.3:

  • Make util.log_to_file append instead of replace.
  • SSHClient and Transport could cause a memory leak if there’s a connection problem or protocol error, even if Transport.close() is called.
  • Prior support for ecdsa-sha2-nistp(384|521) algorithms didn’t fully extend to covering host keys, preventing connection to hosts which only offer these key types and no others. This is now fixed.
  • Prefer newer ecdsa-sha2-nistp keys over RSA and DSA keys during host key selection. This improves compatibility with OpenSSH, both in terms of general behavior, and also re: ability to properly leverage OpenSSH-modified known_hosts files.
  • The RC4/arcfour family of ciphers has been broken since version 2.0; but since the algorithm is now known to be completely insecure, we are opting to remove support outright instead of fixing it.
  • Move sha1 above the now-arguably-broken md5 in the list of preferred MAC algorithms, as an incremental security improvement for users whose target systems offer both.
  • Writing encrypted/password-protected private key files was silently broken since 2.0 due to an incorrect API call Includes a directly related fix, namely adding the ability to read AES-256-CBC ciphered private keys (which is now what we tend to write out as it is Cryptography’s default private key cipher.)
  • Allow any type implementing the buffer API to be used with BufferedFile, Channel, and SFTPFile. This resolves a regression introduced in 1.13 with the Python 3 porting changes, when using types such as memoryview.
  • Enhance default cipher preference order such that aes(192|256)-cbc are preferred over blowfish-cbc.
  • SSHClient now requests the type of host key it has (e.g. from known_hosts) and does not consider a different type to be a “Missing” host key. This fixes a common case where an ECDSA key is in known_hosts and the server also has an RSA host key.

update to 2.1.2:

  • Fix a bug in server-mode concerning multiple interactive auth steps
  • SSHClient now gives its internal Transport a handle on itself, preventing garbage collection of the client until the session is closed. Without this, some code which returns stream or transport objects without the client that generated them, would result in premature session closure when the client was GCd
  • Avoid test suite exceptions on platforms lacking errno.ETIME
  • weak how RSAKey.str behaves so it doesn’t cause TypeError under Python 3.

update to 2.1.1:

  • A tweak to the original patch implementing gh#398 was not fully applied, causing calls to ~paramiko.client.SSHClient.invoke_shell to fail with AttributeError. This has been fixed.
  • Fix the implementation of PKey.write_private_key_file (this method is only publicly defined on subclasses; the fix was in the private real implementation) so it passes the correct params to open()
  • Add an optional timeout parameter to Transport.start_clienti <paramiko.transport.Transport.start_client> (and feed it the value of the configured connection timeout when used within SSHClient <paramiko.client.SSHClient>.)
  • Catch AssertionError thrown by Cryptography when attempting to load bad ECDSA keys, turning it into an SSHException.
  • Add a missing .closed attribute (plus ._closed because reasons) to ProxyCommand <paramiko.proxy.ProxyCommand>
  • Make the subprocess import in proxy.py lazy so users on platforms without it (such as Google App Engine) can import Paramiko successfully
  • Fix incorrect docstring/param-list for Transport.auth_gssapi_keyex <paramiko.transport.Transport.auth_gssapi_keyex> so it matches the real signature.
  • Add an environment dict argument to Client.exec_command

update to 2.0.2:

  • [Bug] #758: Apply type definitions to _winapi module from jaraco.windows 3.6.1. This should address issues on Windows platforms that often result in errors like ArgumentError: [...] int too long to convert. Thanks to @swohlerLL for the report and Jason R. Coombs for the patch.
  • [Bug] #774: Add a _closed private attribute to Channel objects so that they continue functioning when used as proxy sockets under Python 3 (e.g. as direct-tcpip gateways for other Paramiko connections.)
  • [Bug] #673: (via #681) Fix protocol banner read errors (SSHException) which would occasionally pop up when using ProxyCommand gatewaying. Thanks to @Depado for the initial report and Paul Kapp for the fix.

update to 2.0.1:

  • [Bug] #537: Fix a bug in BufferedPipe.set_event which could cause deadlocks/hangs when one uses select.select against Channel objects (or otherwise calls Channel.fileno after the channel has closed).
  • [Bug] #520: (Partial fix) Fix at least one instance of race condition driven threading hangs at end of the Python interpreter session. (Includes a docs update as well - always make sure to .close() your clients!)

update to 2.0.0:

  • Add support for 384- and 512-bit elliptic curve groups in ECDSA key types (aka ecdsa-sha2-nistp384 / ecdsa-sha2-nistp521).
  • Due to an earlier bugfix, less-specific Host blocks' ProxyCommand values were overriding ProxyCommand none in more-specific Host blocks. This has been fixed in a backwards compatible manner (i.e. ProxyCommand none continues to appear as a total lack of any proxycommand key in parsed config structures).
  • Fix a backwards incompatibility issue that cropped up in SFTPFile.prefetch <~paramiko.sftp_file.prefetch> re: the erroneously non-optional file_size parameter. Should only affect users who manually call prefetch.
  • Replace PyCrypto with the Python Cryptographic Authority (PyCA) 'Cryptography' library suite. This improves security, installability, and performance; adds PyPy support; and much more.
  • Fix stalled/hung SFTP downloads by cleaning up some threading lock issues.
  • Fix a Python 3 compatibility issue when handling two-factor authentication.
  • Clean up setup.py to always use setuptools, not doing so was a historical artifact from bygone days.
  • Update the module in charge of handling SSH moduli so it's consistent with OpenSSH behavior re: prime number selection.
  • Fix up ~paramiko.ssh_exception.NoValidConnectionsError so it pickles correctly, and fix a related Python 3 compatibility issue.
  • Update to jaraco.windows 3.4.1 to fix some errors related to ctypes on Windows platforms.
  • Annotate some public attributes on ~paramiko.channel.Channel such as .closed.
  • Fix logic bug in the SFTP client's callback-calling functionality; previously there was a chance the given callback would fire twice at the end of a transfer.
  • Identify & work around a race condition in the test for handshake timeouts, which was causing frequent test failures for a subset of contributors as well as Travis-CI (usually, but not always, limited to Python 3.5).
  • Remove whitespace in our setup.py's install_requires as it triggers occasional bugs in some versions of setuptools.
  • Strip trailing/leading whitespace from lines when parsing SSH config files - this brings things in line with OpenSSH behavior.
  • Fix behavior of gssapi-with-mic auth requests so they fail gracefully (allowing followup via other auth methods) instead of raising an exception.
  • Add missing file-like object methods for ~paramiko.file.BufferedFile and ~paramiko.sftp_file.SFTPFile.

update to version 1.16.0:

  • Streamline use of stat when downloading SFTP files via SFTPClient.get <paramiko.sftp_client.SFTPClient.get>; this avoids triggering bugs in some off-spec SFTP servers such as IBM Sterling. Thanks to @muraleee for the initial report and to Torkil Gustavsen for the patch.
  • Fully enable two-factor authentication (e.g. when a server requires AuthenticationMethods pubkey,keyboard-interactive). Thanks to @perryjrandall for the patch and to @nevins-b and Matt Robenolt for additional support.
  • Fix 'exec' requests in server mode to use get_string instead of get_text to avoid UnicodeDecodeError on non-UTF-8 input. Thanks to Anselm Kruis for the patch & discussion.
  • Fix line number reporting in log output regarding invalid known_hosts line entries. Thanks to Dylan Thacker-Smith for catch & patch.

update to version 1.15.2 (bsc#962291)

  • [Bug] #320: Update our win_pageant module to be Python 3 compatible
  • [Bug] #429: Server-level debug message logging was overlooked during the Python 3 compatibility update; Python 3 clients attempting to log SSH debug packets encountered type errors. This is now fixed
  • [Bug] #459: Tighten up agent connection closure behavior to avoid spurious ResourceWarning display in some situations
  • [Bug] #266: Change numbering of Transport channels to start at 0 instead of 1 for better compatibility with OpenSSH & certain server implementations which break on 1-indexed channels
  • [Support] #419: Modernize a bunch of the codebase internals to leverage decorators. Props to @beckjake for realizing we’re no longer on Python 2.2 :D
  • [Support] #421: Modernize threading calls to user newer API
  • [Support] #422: Clean up some unused imports
  • [Support] #431: Replace handrolled ssh_config parsing code with use of the shlex module
  • [Bug] #415: Fix ssh_config parsing to correctly interpret ProxyCommand none as the lack of a proxy command, instead of as a literal command string of "none"
  • [Bug] #428: Fix an issue in BufferedFile (primarily used in the SFTP modules) concerning incorrect behavior by readlines on files whose size exceeds the buffer size
  • [Bug] #455: Tweak packet size handling to conform better to the OpenSSH RFCs; this helps address issues with interactive program cursors
  • [Bug] #413: (also #414, #420, #454) Be significantly smarter about polling & timing behavior when running proxy commands, to avoid unnecessary (often 100%!) CPU usage

new upsteam version 1.15.1

  • fixed from previous version: [Bug] #399: SSH agent forwarding would hang due to incorrect values passed into the new window size arguments for Transport
  • detailed changelog available on pramiko website: http://paramiko-www.readthedocs.org/en/latest/changelog.html

python-pyOpenSSL was updated to version 17.1.0.

Backward-incompatible changes:

  • Removed the deprecated OpenSSL.rand.egd() function. Applications should prefer os.urandom() for random number generation. #630 &lt;https://github.com/pyca/pyopenssl/pull/630&gt;_
  • Removed the deprecated default digest argument to OpenSSL.crypto.CRL.export(). Callers must now always pass an explicit digest. #652 &lt;https://github.com/pyca/pyopenssl/pull/652&gt;_
  • Fixed a bug with ASN1_TIME casting in X509.set_notBefore(), X509.set_notAfter(), Revoked.set_rev_date(), Revoked.set_nextUpdate(), and Revoked.set_lastUpdate(). You must now pass times in the form YYYYMMDDhhmmssZ. YYYYMMDDhhmmss+hhmm and YYYYMMDDhhmmss-hhmm will no longer work. #612 &lt;https://github.com/pyca/pyopenssl/pull/612&gt;_

Deprecations:

  • Deprecated the legacy "Type" aliases: ContextType, ConnectionType, PKeyType, X509NameType, X509ExtensionType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, NetscapeSPKIType. The names without the "Type"-suffix should be used instead.

Changes:

  • Added OpenSSL.crypto.X509.from_cryptography() and OpenSSL.crypto.X509.to_cryptography() for converting X.509 certificate to and from pyca/cryptography objects. #640 &lt;https://github.com/pyca/pyopenssl/pull/640&gt;_
  • Added OpenSSL.crypto.X509Req.from_cryptography(), OpenSSL.crypto.X509Req.to_cryptography(), OpenSSL.crypto.CRL.from_cryptography(), and OpenSSL.crypto.CRL.to_cryptography() for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. #645 &lt;https://github.com/pyca/pyopenssl/pull/645&gt;_
  • Added OpenSSL.debug that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using python -m OpenSSL.debug. #620 &lt;https://github.com/pyca/pyopenssl/pull/620&gt;_
  • Added a fallback path to Context.set_default_verify_paths() to accommodate the upcoming release of cryptography manylinux1 wheels. #633 &lt;https://github.com/pyca/pyopenssl/pull/633&gt;_

python-Whoosh is shipped in version 2.7.4.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Public Cloud Module 12
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-830=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-830=1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-830=1

Package List:

  • Public Cloud Module 12 (noarch)
    • python3-paramiko-2.1.3-9.3.1
    • python-Whoosh-2.7.4-2.3.3
    • python3-Whoosh-2.7.4-2.3.3
    • python-paramiko-2.1.3-9.3.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
    • python-pyOpenSSL-17.1.0-5.7.1
    • python3-pyOpenSSL-17.1.0-5.7.1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (noarch)
    • python-pyOpenSSL-17.1.0-5.7.1
    • python3-pyOpenSSL-17.1.0-5.7.1

References: