Amazon Linux 1 Security Advisory: ALAS-2018-989
Advisory Release Date: 2018-04-05 16:41 Pacific
Advisory Updated Date: 2018-04-05 23:15 Pacific
Authentication bypass in transport.py
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step. (CVE-2018-7750 )
Affected Packages:
python-paramiko
Issue Correction:
Run yum update python-paramiko to update your system.
noarch:
python26-paramiko-1.15.1-2.6.amzn1.noarch
python27-paramiko-1.15.1-2.6.amzn1.noarch
src:
python-paramiko-1.15.1-2.6.amzn1.src