Upgrade to 2.7.2

backport-CVE-2018-1000805.patch

@@ -1,155 +0,0 @@
-From 56c96a659658acdbb873aef8809a7b508434dcce Mon Sep 17 00:00:00 2001
-From: Jeff Forcier <jeff@bitprophet.org>
-Date: Tue, 18 Sep 2018 19:59:16 -0700
-Subject: [PATCH] Fix and changelog re #1283
-
-Conflict:NA
-Reference:https://github.com/paramiko/paramiko/commit/56c96a65
----
- paramiko/auth_handler.py | 36 ++++++++++++++++++++++++----
- tests/test_transport.py  | 52 +++++++++++++++++++++++++++++++++++++---
- 2 files changed, 81 insertions(+), 7 deletions(-)
-
-diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
-index a1ce5e3..137330e 100644
---- a/paramiko/auth_handler.py
-+++ b/paramiko/auth_handler.py
-@@ -664,17 +664,39 @@ Error Message: {}
-             self.auth_event.set()
-         return
- 
--    _handler_table = {
-+    # TODO: do the same to the other tables, in Transport.
-+    # TODO 3.0: MAY make sense to make these tables into actual
-+    # classes/instances that can be fed a mode bool or whatever. Or,
-+    # alternately (both?) make the message types small classes or enums that
-+    # embed this info within themselves (which could also then tidy up the
-+    # current 'integer -> human readable short string' stuff in common.py).
-+    # TODO: if we do that, also expose 'em publicly.
-+
-+    # Messages which should be handled _by_ servers (sent by clients)
-+    _server_handler_table = {
-         MSG_SERVICE_REQUEST: _parse_service_request,
--        MSG_SERVICE_ACCEPT: _parse_service_accept,
-         MSG_USERAUTH_REQUEST: _parse_userauth_request,
-+        MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
-+    }
-+
-+    # Messages which should be handled _by_ clients (sent by servers)
-+    _client_handler_table = {
-+        MSG_SERVICE_ACCEPT: _parse_service_accept,
-         MSG_USERAUTH_SUCCESS: _parse_userauth_success,
-         MSG_USERAUTH_FAILURE: _parse_userauth_failure,
-         MSG_USERAUTH_BANNER: _parse_userauth_banner,
-         MSG_USERAUTH_INFO_REQUEST: _parse_userauth_info_request,
--        MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
-     }
- 
-+    # NOTE: prior to the fix for #1283, this was a static dict instead of a
-+    # property. Should be backwards compatible in most/all cases.
-+    @property
-+    def _handler_table(self):
-+        if self.transport.server_mode:
-+            return self._server_handler_table
-+        else:
-+            return self._client_handler_table
-+
- 
- class GssapiWithMicAuthHandler(object):
-     """A specialized Auth handler for gssapi-with-mic
-@@ -767,9 +789,15 @@ class GssapiWithMicAuthHandler(object):
-         self._restore_delegate_auth_handler()
-         return self._delegate._parse_userauth_request(m)
- 
--    _handler_table = {
-+    __handler_table = {
-         MSG_SERVICE_REQUEST: _parse_service_request,
-         MSG_USERAUTH_REQUEST: _parse_userauth_request,
-         MSG_USERAUTH_GSSAPI_TOKEN: _parse_userauth_gssapi_token,
-         MSG_USERAUTH_GSSAPI_MIC: _parse_userauth_gssapi_mic,
-     }
-+
-+    @property
-+    def _handler_table(self):
-+        # TODO: determine if we can cut this up like we did for the primary
-+        # AuthHandler class.
-+        return self.__handler_table
-diff --git a/tests/test_transport.py b/tests/test_transport.py
-index 9474acf..17db1f4 100644
---- a/tests/test_transport.py
-+++ b/tests/test_transport.py
-@@ -30,18 +30,19 @@ import threading
- import random
- from hashlib import sha1
- import unittest
-+from mock import Mock
- 
- from paramiko import (
-     Transport, SecurityOptions, ServerInterface, RSAKey, DSSKey, SSHException,
--    ChannelException, Packetizer, Channel,
-+    ChannelException, Packetizer, Channel, AuthHandler,
- )
- from paramiko import AUTH_FAILED, AUTH_SUCCESSFUL
- from paramiko import OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
- from paramiko.common import (
-     MSG_KEXINIT, cMSG_CHANNEL_WINDOW_ADJUST, MIN_PACKET_SIZE, MIN_WINDOW_SIZE,
--    MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE,
-+    MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE, MSG_NAMES, MSG_UNIMPLEMENTED, MSG_USERAUTH_SUCCESS, cMSG_UNIMPLEMENTED,
- )
--from paramiko.py3compat import bytes
-+from paramiko.py3compat import bytes, byte_chr
- from paramiko.message import Message
- 
- from .util import needs_builtin, _support, slow
-@@ -974,3 +975,48 @@ class TransportTest(unittest.TestCase):
-             assert "forwarding request denied" in str(e)
-         else:
-             assert False, "Did not raise SSHException!"
-+
-+    def _send_client_message(self, message_type):
-+        self.setup_test_server(connect_kwargs={})
-+        self.ts._send_message = Mock()
-+        # NOTE: this isn't 100% realistic (most of these message types would
-+        # have actual other fields in 'em) but it suffices to test the level of
-+        # message dispatch we're interested in here.
-+        msg = Message()
-+        # TODO: really not liking the whole cMSG_XXX vs MSG_XXX duality right
-+        # now, esp since the former is almost always just byte_chr(the
-+        # latter)...but since that's the case...
-+        msg.add_byte(byte_chr(message_type))
-+        self.tc._send_message(msg)
-+        # No good way to actually wait for server action (see above tests re:
-+        # MSG_UNIMPLEMENTED). Grump.
-+        time.sleep(0.1)
-+
-+    def _expect_unimplemented(self):
-+        # Ensure MSG_UNIMPLEMENTED was sent (implies it hit end of loop instead
-+        # of truly handling the given message).
-+        # NOTE: When bug present, this will actually be the first thing that
-+        # fails (since in many cases actual message handling doesn't involve
-+        # sending a message back right away).
-+        assert self.ts._send_message.call_count == 1
-+        reply = self.ts._send_message.call_args[0][0]
-+        reply.rewind()  # Because it's pre-send, not post-receive
-+        assert reply.get_byte() == cMSG_UNIMPLEMENTED
-+
-+    def test_server_transports_reject_client_message_types(self):
-+        # TODO: handle Transport's own tables too, not just its inner auth
-+        # handler's table. See TODOs in auth_handler.py
-+        for message_type in AuthHandler._client_handler_table:
-+            self._send_client_message(message_type)
-+            self._expect_unimplemented()
-+            # Reset for rest of loop
-+            self.tearDown()
-+            self.setUp()
-+
-+    def test_server_rejects_client_MSG_USERAUTH_SUCCESS(self):
-+        self._send_client_message(MSG_USERAUTH_SUCCESS)
-+        # Sanity checks
-+        assert not self.ts.authenticated
-+        assert not self.ts.auth_handler.authenticated
-+        # Real fix's behavior
-+        self._expect_unimplemented()
--- 
-2.19.1
-

paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch

@@ -1,17 +0,0 @@
-diff -ru paramiko-2.3.1.orig/paramiko/ssh_gss.py paramiko-2.3.1/paramiko/ssh_gss.py
---- paramiko-2.3.1.orig/paramiko/ssh_gss.py	2017-09-22 21:15:16.000000000 +0100
-+++ paramiko-2.3.1/paramiko/ssh_gss.py	2017-10-29 21:16:08.071429184 +0100
-@@ -51,7 +51,12 @@
- 
- try:
-     import gssapi
--    GSS_EXCEPTIONS = (gssapi.GSSException,)
-+    try:
-+        GSS_EXCEPTIONS = (gssapi.GSSException,)
-+    except AttributeError:
-+        # Unsupported GSS API
-+        GSS_AUTH_AVAILABLE = False
-+        _API = None
- except (ImportError, OSError):
-     try:
-         import pywintypes

paramiko-2.7.2-drop-pytest-relaxed.patch

@@ -1,5 +1,14 @@
+From 953d9a1f1055de97e35c7060fcebc7283eff9e29 Mon Sep 17 00:00:00 2001
+From: zhaorenhai <zhaorenhai@hotmail.com>
+Date: Fri, 29 Jan 2021 06:48:10 +0000
+Subject: [PATCH] drop pytest-relaxed
+
+---
+ tests/test_client.py | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
 diff --git a/tests/test_client.py b/tests/test_client.py
-index 7163fdc..947e4b3 100644
+index 60ad310c..2d665cdd 100644
 --- a/tests/test_client.py
 +++ b/tests/test_client.py
 @@ -33,7 +33,7 @@ import warnings
@@ -8,35 +17,37 @@ index 7163fdc..947e4b3 100644
  
 -from pytest_relaxed import raises
 +from pytest import raises
+ from mock import patch, Mock
  
  import paramiko
- from paramiko.pkey import PublicBlob
+@@ -684,10 +684,10 @@ class PasswordPassphraseTests(ClientTest):
-@@ -656,10 +656,10 @@ class PasswordPassphraseTests(ClientTest):
  
      # TODO: more granular exception pending #387; should be signaling "no auth
      # methods available" because no key and no password
 -    @raises(SSHException)
      def test_passphrase_kwarg_not_used_for_password_auth(self):
 -        # Using the "right" password in the "wrong" field shouldn't work.
--        self._test_connection(passphrase='pygmalion')
+-        self._test_connection(passphrase="pygmalion")
 +        with raises(SSHException):
 +            # Using the "right" password in the "wrong" field shouldn't work.
 +            self._test_connection(passphrase='pygmalion')
  
      def test_passphrase_kwarg_used_for_key_passphrase(self):
          # Straightforward again, with new passphrase kwarg.
-@@ -675,12 +675,12 @@ class PasswordPassphraseTests(ClientTest):
+@@ -705,14 +705,14 @@ class PasswordPassphraseTests(ClientTest):
-             password='television',
+             password="television",
          )
  
 -    @raises(AuthenticationException)  # TODO: more granular
-     def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(self): # noqa
+     def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(  # noqa
+         self
+     ):
 -        # Sanity: if we're given both fields, the password field is NOT used as
 -        # a passphrase.
 -        self._test_connection(
--            key_filename=_support('test_rsa_password.key'),
+-            key_filename=_support("test_rsa_password.key"),
--            password='television',
+-            password="television",
--            passphrase='wat? lol no',
+-            passphrase="wat? lol no",
 -        )
 +        with raises(AuthenticationException): # TODO: more granular
 +            # Sanity: if we're given both fields, the password field is NOT used as
@@ -46,4 +57,6 @@ index 7163fdc..947e4b3 100644
 +                password='television',
 +                passphrase='wat? lol no',
 +            )
+-- 
+2.27.0
 

python-paramiko.spec

@@ -1,14 +1,12 @@
 Name:          python-paramiko
-Version:       2.4.1
+Version:       2.7.2
-Release:       9
+Release:       1
 Summary:       Python SSH module
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz
 
-Patch0:        paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch
+Patch0:        paramiko-2.7.2-drop-pytest-relaxed.patch
-Patch1:        paramiko-2.4.1-drop-pytest-relaxed.patch
-Patch6000:     backport-CVE-2018-1000805.patch
 
 BuildArch:     noarch
 
@@ -20,9 +18,10 @@ connections to remote machines.
 %package       -n python3-paramiko
 Summary:       Python SSH module
 BuildRequires: python3-devel python3-setuptools python3-bcrypt >= 3.1.3 python3-pytest
-BuildRequires: python3-cryptography >= 1.5 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
+BuildRequires: python3-cryptography >= 2.5 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
+BuildRequires: python3-invoke >= 1.3 python3-mock >= 2.0
 Requires:      python3-bcrypt >= 3.1.3 python3-cryptography >= 1.5
-Requires:      python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
+Requires:      python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1 python3-invoke >= 1.3
 %{?python_provide:%python_provide python3-paramiko}
 
 %description   -n python3-paramiko
@@ -67,6 +66,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %doc html/ demos/ NEWS README.rst
 
 %changelog
+* Wed Apr 28 2021 jinzhimin <jinzhimin2@huawei.com> - 2.7.2-1
+- Upgrade to 2.7.2
+
 * Mon Feb 22 2021 jinzhimin <jinzhimin2@huawei.com> - 2.4.1-9
 - fix CVE-2018-1000805