Package: release.debian.org
Severity: normal
X-Debbugs-Cc: param...@packages.debian.org
Control: affects -1 + src:paramiko
User: release.debian....@packages.debian.org
Usertags: unblock

[ Reason ]
Fix important bug https://bugs.debian.org/1108434 (does not correctly handle OpenSSH 10 version).

[ Impact ]
When using RSA certificates, paramiko misdetects the current version of OpenSSH as being earlier than 7.8 and uses inappropriate fallback code.

[ Tests ]
The history of https://github.com/paramiko/paramiko/pull/2516 suggests that it's at least somewhat covered (given that the first incorrect version of the PR caused a test failure), but tests aren't failing at the moment so it evidently isn't entirely robust.

[ Risks ]
I don't think adding a "\." to a version-matching regex can have much in the way of fallout. The worst case would be that we incorrectly fall back to the pre-7.8 logic, but that's what's already happening.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock paramiko/3.5.1-3

Thanks,

--
Colin Watson (he/him) [cjwat...@debian.org]

diff -Nru paramiko-3.5.1/debian/changelog paramiko-3.5.1/debian/changelog --- paramiko-3.5.1/debian/changelog 2025-02-17 21:52:38.000000000 +0000 +++ paramiko-3.5.1/debian/changelog 2025-07-13 08:09:25.000000000 +0100 @@ -1,3 +1,10 @@ +paramiko (3.5.1-3) unstable; urgency=medium + + * Team upload. + * Fixed version parsing issue with OpenSSH >= 10.0 (closes: #1108434). + + -- Colin Watson <cjwat...@debian.org> Sun, 13 Jul 2025 09:09:25 +0200 + paramiko (3.5.1-2) unstable; urgency=medium * Team upload. diff -Nru paramiko-3.5.1/debian/patches/openssh-10.patch paramiko-3.5.1/debian/patches/openssh-10.patch --- paramiko-3.5.1/debian/patches/openssh-10.patch 1970-01-01 01:00:00.000000000 +0100 +++ paramiko-3.5.1/debian/patches/openssh-10.patch 2025-07-13 08:09:25.000000000 +0100 
@@ -0,0 +1,26 @@ +From: rebcim <68267550+reb...@users.noreply.github.com> +Date: Wed, 4 Jun 2025 14:13:52 +0200 +Subject: Fixed version parsing issue with OpenSSH 10.0 + +Regex matches now for Version 1..7 but not for 10. + +Origin: other, https://github.com/paramiko/paramiko/pull/2516 +Bug-Debian: https://bugs.debian.org/1108434 +Last-Update: 2025-07-13 +--- + paramiko/auth_handler.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py +index bc7f298..2b54877 100644 +--- a/paramiko/auth_handler.py ++++ b/paramiko/auth_handler.py +@@ -321,7 +321,7 @@ class AuthHandler: + # regarding server-sig-algs, it's impossible to fit this into the rest + # of the logic here. + if key_type.endswith("-cert-...@openssh.com") and re.search( +- r"-OpenSSH_(?:[1-6]|7\.[0-7])", self.transport.remote_version ++ r"-OpenSSH_(?:[1-6]\.|7\.[0-7])", self.transport.remote_version + ): + pubkey_algo = "ssh-rsa-cert-...@openssh.com" + self.transport._agreed_pubkey_algorithm = pubkey_algo diff -Nru paramiko-3.5.1/debian/patches/series paramiko-3.5.1/debian/patches/series --- paramiko-3.5.1/debian/patches/series 2025-02-17 21:52:38.000000000 +0000 +++ paramiko-3.5.1/debian/patches/series 2025-07-13 08:09:25.000000000 +0100 @@ -1,2 +1,3 @@ 1071675.patch 0002-Ignore-host-keys-with-markers.patch +openssh-10.patch
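
Review bot: In the paramiko/auth_handler.py hunk, the second alternative `7\.[0-7]` is still open-ended on the right, the same prefix-match weakness that the added `\.` closes for `[1-6]`: a banner whose minor version begins with a digit 0-7 and continues with more digits (a hypothetical 7.10) would still take the pre-7.8 fallback. Consider `7\.[0-7](?!\d)`, or extract major and minor with `(\d+)\.(\d+)` and compare them as integers against (7, 8). The diffstat also shows only auth_handler.py changing, so nothing pins the new behaviour; a test that sets remote_version to an OpenSSH_10.0 banner and asserts the fallback is not taken would cover it.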
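
The misdetection described under [ Impact ] can be reproduced outside paramiko by running both patterns from the hunk over version banners and comparing each verdict with a numeric version comparison. This is an added example, not code from paramiko or from the message above; the banner strings are constructed samples and the function names are hypothetical.

```python
import re

# Patterns copied from the auth_handler.py hunk above.
OLD_PATTERN = r"-OpenSSH_(?:[1-6]|7\.[0-7])"
PATCHED_PATTERN = r"-OpenSSH_(?:[1-6]\.|7\.[0-7])"

# Constructed sample banners (not captured from real servers).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.6.1",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_7.8",
    "SSH-2.0-OpenSSH_9.9p2",
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_10.0p2 Debian-7",
]


def regex_says_pre_7_8(pattern, banner):
    """Mirror the hunk's check: does the pattern flag this banner as < 7.8?"""
    return re.search(pattern, banner) is not None


def parsed_pre_7_8(banner):
    """Reference answer: parse major.minor as integers, compare numerically."""
    m = re.search(r"-OpenSSH_(\d+)\.(\d+)", banner)
    if m is None:
        return False  # not a parseable OpenSSH banner: no fallback
    return (int(m.group(1)), int(m.group(2))) < (7, 8)


def misdetected(pattern, banners=SAMPLE_BANNERS):
    """Banners where the regex verdict disagrees with the numeric one."""
    return [b for b in banners
            if regex_says_pre_7_8(pattern, b) != parsed_pre_7_8(b)]


if __name__ == "__main__":
    for name, pattern in (("old", OLD_PATTERN), ("patched", PATCHED_PATTERN)):
        print(name, "misdetects:", misdetected(pattern))
```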