Debian Security Advisory
DLA-2860-1 paramiko -- LTS security update
- Date Reported: 28 Dec 2021
- Affected Packages:
- Security database references:
  In the Debian bugtracking system: Bug 892859, Bug 910760.
  In Mitre's CVE dictionary: CVE-2018-7750, CVE-2018-1000805.
- More information:
A couple of vulnerabilities were found in paramiko, an implementation of the SSHv2 protocol in Python.
Fix to prevent malicious clients from tricking the Paramiko server into thinking an unauthenticated client is authenticated.
Fix the check of whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step.
For Debian 9 stretch, these problems have been fixed in version 2.0.0-1+deb9u1.
We recommend that you upgrade your paramiko packages.
For the detailed security status of paramiko please refer to its security tracker page at: https://security-tracker.debian.org/tracker/paramiko
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS