* [Buildroot] [PATCH 1/1] package/python-paramiko: security bump to version 2.10.3
@ 2022-03-30 20:58 Fabrice Fontaine
  2022-03-31 15:53 ` Peter Korsgaard
  2022-04-04 12:38 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-03-30 20:58 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine, Asaf Kahlon

Fix CVE-2022-24302: Creation of new private key files using PKey
subclasses was subject to a race condition between file creation & mode
modification, which could be exploited by an attacker with knowledge of
where the Paramiko-using code would write out such files.

https://github.com/paramiko/paramiko/blob/2.10.3/sites/www/changelog.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/python-paramiko/python-paramiko.hash | 4 ++--
 package/python-paramiko/python-paramiko.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-paramiko/python-paramiko.hash b/package/python-paramiko/python-paramiko.hash
index b11acf1dbc..951bd8e114 100644
--- a/package/python-paramiko/python-paramiko.hash
+++ b/package/python-paramiko/python-paramiko.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/paramiko/json
-md5  44136d79da4cd7619e368018ad022619  paramiko-2.7.2.tar.gz
-sha256  7f36f4ba2c0d81d219f4595e35f70d56cc94f9ac40a6acdf51d6ca210ce65035  paramiko-2.7.2.tar.gz
+md5  6e47947882e2c1b81f35b4133e8e62b9  paramiko-2.10.3.tar.gz
+sha256  ddb1977853aef82804b35d72a0e597b244fa326c404c350bd00c5b01dbfee71a  paramiko-2.10.3.tar.gz
 # Locally computed sha256 checksums
 sha256  5fa25bf5f395fd26e701c2e1de4ca7d162816986dc791c22f8f4226857ad1bb2  LICENSE
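Review bot: the md5 and sha256 lines at the top of this hunk come from the same origin as the tarball itself (the comment says they are taken from https://pypi.org/pypi/paramiko/json, and the package fetches from files.pythonhosted.org), so they guard against a corrupted or substituted download but not against a compromised upstream publish; cross-checking the 2.10.3 sha256 against the upstream release artifact before merging would be worth the minute, and the md5 line adds no integrity beyond the sha256 line. The LICENSE sha256 in the trailing context line is left as it was for 2.7.2, so Buildroot's legal-info check will verify the 2.10.3 LICENSE against the 2.7.2 checksum; that is only correct if upstream did not touch that file between the two releases, so please confirm it against the new tarball.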
diff --git a/package/python-paramiko/python-paramiko.mk b/package/python-paramiko/python-paramiko.mk
index 3c135cf9b1..46209f5823 100644
--- a/package/python-paramiko/python-paramiko.mk
+++ b/package/python-paramiko/python-paramiko.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_PARAMIKO_VERSION = 2.7.2
+PYTHON_PARAMIKO_VERSION = 2.10.3
 PYTHON_PARAMIKO_SOURCE = paramiko-$(PYTHON_PARAMIKO_VERSION).tar.gz
-PYTHON_PARAMIKO_SITE = https://files.pythonhosted.org/packages/cf/a1/20d00ce559a692911f11cadb7f94737aca3ede1c51de16e002c7d3a888e0
+PYTHON_PARAMIKO_SITE = https://files.pythonhosted.org/packages/d4/93/1a1eb7f214e6774099d56153db9e612f93cb8ffcdfd2eca243fcd5bb3a78
 PYTHON_PARAMIKO_SETUP_TYPE = setuptools
 PYTHON_PARAMIKO_LICENSE = LGPL-2.1+
 PYTHON_PARAMIKO_LICENSE_FILES = LICENSE
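Review bot: this hunk changes only PYTHON_PARAMIKO_VERSION and PYTHON_PARAMIKO_SITE, but the jump from 2.7.2 to 2.10.3 spans three minor releases, and neither the hunk nor the commit message says whether paramiko's runtime dependencies gained entries or raised minimum versions over that range; please check the 2.10.3 install_requires against the dependencies this package declares, since for a pure-Python setuptools package a missing runtime dependency only shows up at import time on the target. The new PYTHON_PARAMIKO_SITE path is a fetch location only; integrity rests on the .hash file, so that line is fine as is.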
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

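The race the commit message above describes, as an added example for this thread (my own code, not paramiko's and not the fix that 2.10.3 ships): a writer that creates the key file under the process umask and only then chmods it, next to one that creates the inode with mode 0600 in the same syscall and refuses a pre-planted path. It assumes a POSIX filesystem; SAMPLE_KEY is a constructed placeholder, and the `between` hook stands in for the attacker's window, which in real code is simply the gap between open() and chmod().

```python
"""Create-then-chmod race on a private-key file (the pattern named in
CVE-2022-24302) next to an atomic private creation.

Added example for this thread, not paramiko's code.  Assumes a POSIX
filesystem; SAMPLE_KEY is a constructed placeholder, not a real key.
"""
import os
import stat
import tempfile

SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")


def write_key_racy(path, key_bytes, between=None):
    """Vulnerable pattern: create with the process umask, write the secret,
    then tighten the mode.  `between` is a hook for this example only; it
    runs where an attacker's read or symlink plant would land."""
    with open(path, "wb") as f:       # mode is 0o666 & ~umask (0o644 under umask 022)
        f.write(key_bytes)            # secret is on disk, possibly group/world readable
    if between is not None:
        between()
    os.chmod(path, 0o600)             # tightens too late, and follows a symlink at `path`


def write_key_private(path, key_bytes):
    """Hardened pattern: the inode is created with 0o600 in the same syscall
    (0o600 & ~umask can never be wider than 0o600), and O_CREAT|O_EXCL fails
    with EEXIST if a file or symlink, dangling or not, already sits at `path`."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:    # fdopen takes ownership of fd and closes it
        f.write(key_bytes)


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demonstrate(umask=0o022):
    """Run both writers under a fixed umask and return what is observable:
    (mode of the racy file inside its window, its final mode, mode of the
    hardened file, whether the racy writer clobbered a planted symlink's
    target, whether the hardened writer refused that same symlink)."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = os.path.join(d, "id_racy")
            safe = os.path.join(d, "id_safe")
            window_mode = []
            write_key_racy(racy, SAMPLE_KEY,
                           between=lambda: window_mode.append(file_mode(racy)))
            write_key_private(safe, SAMPLE_KEY)

            # An attacker who knows the output path plants a symlink there
            # pointing at a file they want overwritten; open() and chmod()
            # both follow it, while O_EXCL refuses it outright.
            victim = os.path.join(d, "victim")
            with open(victim, "wb") as f:
                f.write(b"original contents\n")
            link = os.path.join(d, "id_planted")
            os.symlink(victim, link)
            write_key_racy(link, SAMPLE_KEY)
            with open(victim, "rb") as f:
                clobbered = f.read() == SAMPLE_KEY
            try:
                write_key_private(link, SAMPLE_KEY)
                refused = False
            except FileExistsError:
                refused = True
            return window_mode[0], file_mode(racy), file_mode(safe), clobbered, refused
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demonstrate())            # (0o644, 0o600, 0o600, True, True) under umask 022
```

Under umask 022 the racy file sits at 0644 inside its window and only reaches 0600 afterwards; under umask 077 the window is already 0600, so the readable-window part of the bug depends on the caller's umask, but the symlink clobber does not. O_EXCL also means the hardened writer will not overwrite an existing key file; a caller that wants replacement should unlink first or write to a fresh name and rename.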

* Re: [Buildroot] [PATCH 1/1] package/python-paramiko: security bump to version 2.10.3
  2022-03-30 20:58 [Buildroot] [PATCH 1/1] package/python-paramiko: security bump to version 2.10.3 Fabrice Fontaine
@ 2022-03-31 15:53 ` Peter Korsgaard
  2022-04-04 12:38 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-03-31 15:53 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2022-24302: Creation of new private key files using PKey
 > subclasses was subject to a race condition between file creation & mode
 > modification, which could be exploited by an attacker with knowledge of
 > where the Paramiko-using code would write out such files.

 > https://github.com/paramiko/paramiko/blob/2.10.3/sites/www/changelog.rst

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 1/1] package/python-paramiko: security bump to version 2.10.3
  2022-03-30 20:58 [Buildroot] [PATCH 1/1] package/python-paramiko: security bump to version 2.10.3 Fabrice Fontaine
  2022-03-31 15:53 ` Peter Korsgaard
@ 2022-04-04 12:38 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-04-04 12:38 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2022-24302: Creation of new private key files using PKey
 > subclasses was subject to a race condition between file creation & mode
 > modification, which could be exploited by an attacker with knowledge of
 > where the Paramiko-using code would write out such files.

 > https://github.com/paramiko/paramiko/blob/2.10.3/sites/www/changelog.rst

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
