Bump paramiko from 3.3.1 to 3.4.0 #163
Bumps [paramiko](https://github.com/paramiko/paramiko) from 3.3.1 to 3.4.0.
- [Commits](paramiko/paramiko@3.3.1...3.4.0)

---
updated-dependencies:
- dependency-name: paramiko
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
This is needed to resolve https://terrapin-attack.com/
Thanks for the information 👍🏻 😄 This vulnerability looks very interesting and I want to implement some tests - at least detection of vulnerable clients/servers and perhaps the PoC exploits for further tests. I need to test if SSH-MITM is compatible with paramiko 3.4. The last minor update of paramiko had some breaking changes #143 #148 😞 This is the reason why SSH-MITM has a strict version definition in the requirements.in file (line 4 in 4fc3ef4).
The diff is pretty minimal, so hopefully there are no breakages: paramiko/paramiko@3.3.1...3.4.0
Thanks for the diff, this helped me a lot to find out what had changed since the last release. Sadly, there are more changes than expected 😞 and the fix for the Terrapin attack changed the same code as my workarounds for SSH-MITM, which are needed to intercept some ssh clients.
I have done some tests and reviewed the changes in paramiko. paramiko's fix for the Terrapin attack should have no conflicts with the changes done by my workarounds. SSH-MITM monkey-patches 2 methods from paramiko's Transport class. Only the handling of packets during kex-init is affected by this update (ssh-mitm/sshmitm/workarounds/transport.py, lines 178 to 188 in 4fc3ef4). The same lines are changed by the Terrapin fix:

```python
# Fragment of paramiko's Transport packet handling after the 3.4.0 change:
# once strict kex has been negotiated, an out-of-order packet during the
# initial exchange is a MessageOrderError rather than a plain SSHException.
if ptype not in self._expected_packet:
    exc_class = SSHException
    if self.agreed_on_strict_kex:
        exc_class = MessageOrderError
    raise exc_class(
        "Expecting packet from {!r}, got {:d}".format(
            self._expected_packet, ptype
        )
    )  # noqa
```
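The thread makes two practical points: SSH-MITM pins paramiko exactly in requirements.in, and 3.4.0 is the release that carries the Terrapin fix. As an added example (not code from SSH-MITM, paramiko or Dependabot), the check below scans a requirements.in-style file and reports any pin that can still resolve to a paramiko version below 3.4.0. The sample file contents, the `MIN_FIXED` table and the function names (`parse_version`, `parse_requirements`, `find_vulnerable_pins`) are constructed for this example.

```python
"""Flag dependency pins that can still resolve below a known fixed version.

Added example; not part of SSH-MITM, paramiko or Dependabot.  The only
fact taken from the PR thread is that paramiko 3.4.0 carries the Terrapin
fix; everything else here (sample file, table, names) is constructed.
"""
import re
from typing import Dict, List, Tuple

# Minimum versions carrying a security fix.  Assumption: only the paramiko
# entry comes from the thread; add further packages as your project needs.
MIN_FIXED: Dict[str, str] = {"paramiko": "3.4.0"}

# requirements.in contents constructed for this example (not the real file).
SAMPLE_REQUIREMENTS = """\
# strict pins in the style of SSH-MITM's requirements.in (constructed sample)
paramiko==3.3.1
rich>=13.0
cryptography~=41.0
"""

# Only the exact / lower-bound / compatible-release operators are handled;
# other specifiers (<, <=, !=, ranges) are out of scope for this example.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.4.0' -> (3, 4); trailing zeros are dropped so 3.4 == 3.4.0."""
    parts = tuple(int(p) for p in text.split(".") if p != "")
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) for each pinned line; skip comments."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing / full-line comments
        if not line:
            continue
        m = _REQ_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2), m.group(3)))
    return pins


def find_vulnerable_pins(text: str) -> List[Tuple[str, str, str]]:
    """Pins whose lower bound is below the minimum fixed version.

    '==' is judged by the pinned version; '>=' by its lower bound; '~=' allows
    patch bumps but never a minor bump, so its base version is the bound that
    matters (paramiko~=3.3.1 can never resolve to 3.4.0).
    """
    bad = []
    for name, op, ver in parse_requirements(text):
        minimum = MIN_FIXED.get(name)
        if minimum is None:
            continue
        if parse_version(ver) < parse_version(minimum):
            bad.append((name, op, ver))
    return bad


if __name__ == "__main__":
    for name, op, ver in find_vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}{op}{ver} can resolve below {MIN_FIXED[name]} (fix not guaranteed)")
```

Run it against the real requirements.in (or pass the file's contents to `find_vulnerable_pins`) in CI so that a Dependabot bump like this one cannot be silently reverted by a stale exact pin; the compatible-release case is the one most often missed, since `~=3.3.1` looks like it permits upgrades but stops short of 3.4.0.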
Bumps paramiko from 3.3.1 to 3.4.0.

Commits
- f0881ba Cut 3.4.0
- 3e4bdf9 Changelog/comment updates
- 30b447b Linting
- 33508c9 Expand MessageOrderError use to handle more packet types
- 96db1e2 Raise exception when sequence numbers rollover during initial kex
- 58785d2 Changelog tweak re: other new Transport kwarg
- 8dcb237 Test-suite-only bugfix: defer did not actually imply skip_verify
- fa46de7 Reset sequence numbers on rekey
- 75e311d Enforce zero seqno on kexinit
- 73f079f Fill in CVE number for Terrapin attack

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.