[Bug 1728607] Re: weak preferred kex in 16.04 LTS

Launchpad Bug Tracker 1728607 at bugs.launchpad.net
Tue Mar 20 17:51:31 UTC 2018


This bug was fixed in the package paramiko - 2.0.0-1ubuntu0.1

---------------
paramiko (2.0.0-1ubuntu0.1) artful-security; urgency=medium

  [Steve Beattie]
  * SECURITY UPDATE: customized clients can skip auth
    - 0004-Fixes-CVE-2018-7750-1175.patch: send message failure if not
      authenticated and message type is a service request
    - 0002-Allow-overriding-test-client-connect-kwargs-in-Trans.patch,
      0003-Initial-tests-proving-CVE-2018-7750-1175.patch:
      add testcases plus prereq
    - CVE-2018-7750

  [ Fabien Tassin ]
  * SECURITY UPDATE: weak diffie-hellman-group1-sha1 kex always preferred (LP: #1728607)
    - 0010-git-c1233679c44-change-order-of-preferred-kex-and-hmac-algorithms.patch
    - 0011-git-b395444062e-Reorder-cipher-and-key-preferences-to-make-more-sense.patch
    Backport of the upstream changes from 2.3.1, matching the OpenSSH 7
    deprecation of diffie-hellman-group1-sha1 (http://www.openssh.com/legacy.html).
    This patch doesn't remove support for diffie-hellman-group1-sha1 but
    makes it the least preferred kex for backward compatibility.

 -- Steve Beattie <sbeattie at ubuntu.com>  Fri, 16 Mar 2018 15:44:26 -0700

** Changed in: paramiko (Ubuntu)
       Status: New => Fix Released

** Changed in: paramiko (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1728607

Title:
  weak preferred kex in 16.04 LTS

Status in paramiko package in Ubuntu:
  Fix Released

Bug description:
  Paramiko 1.* uses diffie-hellman-group1-sha1 as its most preferred
  kex, but this kex is now considered weak. OpenSSH 7 dropped it from
  its defaults in 2015. Some devices start to complain or even to reject
  connections because of that (I'm experiencing it with routers and
  firewalls).

  This has been fixed upstream in paramiko 2.3.1:
  https://github.com/paramiko/paramiko/commit/c1233679c448b445ec991710d259eec0a9f64b61

  It would be nice to land that in the latest LTS, probably as a security update.
  It shouldn't have any impact, as long as diffie-hellman-group1-sha1 remains in this list.

  (maybe
  https://github.com/paramiko/paramiko/commit/b395444062e82953d417a4da9157667c2e05d758
  should be considered too)

  Thoughts?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/1728607/+subscriptions
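The following is an added example, not code from paramiko or from the bug report, that models the point the changelog makes: an SSH client's kex choice is decided by the client's preference order (RFC 4253 section 7.1 picks the first client-preferred algorithm the server also offers), so keeping diffie-hellman-group1-sha1 in the list but moving it to the end changes what gets negotiated against a modern server without dropping legacy servers. The preference tuple and the server offers below are constructed approximations, not copied from either paramiko release; in real paramiko the client-side tuple lives on the private attribute `Transport._preferred_kex`, which is what the backported upstream commits reorder.

```python
# Added example (not paramiko's code): models SSH kex negotiation and the
# "keep it, but make it least preferred" reordering from the security update.
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed approximation of the paramiko 1.x client preference order
# described in the bug: the weak group1 kex comes first.
OLD_PREFERRED_KEX: Tuple[str, ...] = (
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
)

# Kex methods that OpenSSH 7 dropped from its defaults (openssh.com/legacy.html)
# and that a client should only fall back to as a last resort.
WEAK_KEX = frozenset({"diffie-hellman-group1-sha1"})


def demote_weak(preferred: Sequence[str], weak: Iterable[str] = WEAK_KEX) -> Tuple[str, ...]:
    """Return the same algorithm set with weak entries moved to the end.

    Relative order inside the strong and weak groups is preserved and nothing
    is removed, so a legacy device that only speaks group1 can still connect.
    """
    weak_set = set(weak)
    strong = [a for a in preferred if a not in weak_set]
    legacy = [a for a in preferred if a in weak_set]
    return tuple(strong + legacy)


def negotiate(client_prefs: Sequence[str], server_offers: Sequence[str]) -> Optional[str]:
    """RFC 4253 s7.1 rule: the first client-preferred algorithm that the
    server also lists wins; None means there is no common algorithm."""
    offered = set(server_offers)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None


def weak_ahead_of_strong(prefs: Sequence[str], weak: Iterable[str] = WEAK_KEX) -> List[str]:
    """Audit helper: weak algorithms that are ranked above at least one strong
    one. An empty list means the configuration already has the fixed shape."""
    weak_set = set(weak)
    findings: List[str] = []
    seen_strong_after = False
    for alg in reversed(prefs):
        if alg in weak_set:
            if seen_strong_after:
                findings.append(alg)
        else:
            seen_strong_after = True
    return list(reversed(findings))


if __name__ == "__main__":
    # Constructed server offers: a modern server that still tolerates group1,
    # and a legacy device that offers nothing else.
    modern_server = ["diffie-hellman-group-exchange-sha256",
                     "diffie-hellman-group14-sha1",
                     "diffie-hellman-group1-sha1"]
    legacy_device = ["diffie-hellman-group1-sha1"]

    fixed = demote_weak(OLD_PREFERRED_KEX)
    print("old order vs modern server :", negotiate(OLD_PREFERRED_KEX, modern_server))
    print("fixed order vs modern server:", negotiate(fixed, modern_server))
    print("fixed order vs legacy device:", negotiate(fixed, legacy_device))
    print("audit of old order          :", weak_ahead_of_strong(OLD_PREFERRED_KEX))
    print("audit of fixed order        :", weak_ahead_of_strong(fixed))
```

Running the block shows the two outcomes the changelog describes: against a server that offers both, the old order lands on group1 while the reordered list picks a stronger kex, and a group1-only device still negotiates successfully with the reordered list because the algorithm was demoted rather than removed.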



More information about the Ubuntu-sponsors mailing list