python-paramiko-2.1.1-4.el7

Errata ID: AXSA:2018-2636:01

Release date: 
2018/03/28 Wednesday - 20:48
Title: 
python-paramiko-2.1.1-4.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The python-paramiko package provides a Python module that implements the SSH2
protocol for encrypted and authenticated connections to remote machines. Unlike
SSL, the SSH2 protocol does not require hierarchical certificates signed by a
powerful central authority. The protocol also includes the ability to open
arbitrary channels to remote services across an encrypted tunnel.

Security Fix(es):

* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Bug Fix(es):

* python-paramiko has been using the python2-pyasn1 package, but did not depend
on it. With new versions of python2-cryptography, python2-pyasn1 was not getting
installed and this caused python-paramiko to malfunction. This bug was fixed by
making python-paramiko depend on python2-pyasn1 explicitly. (BZ#1559133)

CVE-2018-7750
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x
before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x
before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether
authentication is completed before processing other requests, as demonstrated by
channel-open. A customized SSH client can simply skip the authentication step.

Solution: 

Update packages.
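
To confirm the update during an audit, the following added example (not part of the original erratum or of Paramiko) classifies a Paramiko version string against the upstream ranges quoted in the CVE-2018-7750 text. The names `status`, `parse` and `BACKPORTED` are hypothetical; the example assumes that a string with an RPM-style release suffix is a distribution build, whose fix is a backport and so cannot be judged by upstream numbering, and it treats only the build named in this erratum as known to carry the fix.

```python
import re

# First fixed patch level per upstream branch, from the CVE-2018-7750 text.
FIXED = {(1, 18): 5, (2, 0): 8, (2, 1): 5, (2, 2): 3, (2, 3): 2, (2, 4): 1}
OLDEST_FIXED = (1, 17, 6)          # every upstream release below this is affected
# Distribution builds known to carry the backported fix (from this erratum).
BACKPORTED = {"2.1.1-4.el7"}


def parse(version):
    """Split 'X.Y[.Z]' or RPM-style 'X.Y.Z-release' into ((X, Y, Z), release)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4]


def status(version):
    """Return 'affected', 'not-affected' or 'check-vendor' for a version string."""
    triple, release = parse(version)
    if release is not None:
        # Distribution package: the upstream number alone would flag
        # 2.1.1-4.el7 as vulnerable even though it contains the fix.
        if version.strip() in BACKPORTED:
            return "not-affected"
        return "check-vendor"      # consult the vendor's errata for this build
    if triple < OLDEST_FIXED:
        return "affected"
    branch = triple[:2]
    if branch in FIXED:
        return "affected" if triple[2] < FIXED[branch] else "not-affected"
    return "not-affected"          # branch not listed as affected in the CVE text


if __name__ == "__main__":
    # Constructed inventory for illustration.
    for v in ["2.1.1", "2.1.1-4.el7", "2.1.1-3.el7", "2.4.1", "1.16.0"]:
        print("%-14s %s" % (v, status(v)))
```

On a host, the string to pass in is the package's version-release as reported by the package manager, or `paramiko.__version__` for an installation made from upstream.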

Additional information: 

N/A

Download: 

SRPMS
  1. python-paramiko-2.1.1-4.el7.src.rpm
    MD5: b0711610010e8a5e62a25b960678ed70
    SHA-256: f89ba062cd6b4edd867f98187d8e3bbcbf79a0ad668e71668aee911e4477f58e
    Size: 267.29 kB

Asianux Server 7 for x86_64
  1. python-paramiko-2.1.1-4.el7.noarch.rpm
    MD5: 3111d959283f7c274073348eac6d6fa2
    SHA-256: 8aabe6f2e45dc5188e4d32eeefaa16e5801659046727b371f323dca77fd5c44e
    Size: 267.24 kB