Paramiko: Information disclosure — GLSA 200803-07

Unsafe randomness usage in Paramiko may allow access to sensitive information.

Affected packages

dev-python/paramiko on all architectures
Affected versions < 1.7.2
Unaffected versions >= 1.7.2

Background

Paramiko is a Secure Shell Server implementation written in Python.

Description

Dwayne C. Litzenberger reported that the file "common.py" does not properly use RandomPool when using threads or forked processes.

Impact

A remote attacker could predict the values generated by applications using Paramiko for encryption purposes, potentially gaining access to sensitive information.
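The failure mode behind this advisory is easy to reproduce with a toy userspace PRNG: its whole state lives in process memory, so fork() hands every child an identical copy and, unless each child mixes in fresh entropy, the children emit the same "random" bytes. The example below is added here for illustration; it is not Paramiko's code and its UserspacePool is a constructed stand-in, not RandomPool. It forks two children from one parent state (falling back to an in-memory copy where fork() is unavailable) and compares what they draw, with and without a per-child reseed from os.urandom() and the PID.

```python
import copy
import hashlib
import os


class UserspacePool:
    """Constructed toy PRNG: the entire state is a buffer in process memory."""

    def __init__(self, seed: bytes) -> None:
        self._state = hashlib.sha256(seed).digest()

    def reseed(self, entropy: bytes) -> None:
        # Mix new entropy into the existing state.
        self._state = hashlib.sha256(self._state + entropy).digest()

    def get_bytes(self, n: int) -> bytes:
        # Hash-chain the state; deterministic given the starting state.
        out = b""
        while len(out) < n:
            self._state = hashlib.sha256(self._state).digest()
            out += self._state
        return out[:n]


def _child_draw(pool: UserspacePool, reseed: bool, n: int) -> bytes:
    """What a child process does after fork: optionally reseed, then draw."""
    if reseed:
        # Mitigation: every process stirs in OS entropy plus its own PID
        # before producing output, so inherited state no longer decides it.
        pool.reseed(os.urandom(32) + os.getpid().to_bytes(8, "big"))
    return pool.get_bytes(n)


def draw_in_two_children(pool: UserspacePool, reseed: bool = False, n: int = 16) -> list:
    """Fork twice from the same parent state; return the bytes each child drew."""
    results = []
    for _ in range(2):
        if hasattr(os, "fork"):
            r, w = os.pipe()
            pid = os.fork()
            if pid == 0:  # child: inherits a copy of the pool's memory
                os.close(r)
                os.write(w, _child_draw(pool, reseed, n))
                os._exit(0)
            os.close(w)
            data = os.read(r, n)
            os.close(r)
            os.waitpid(pid, 0)
            results.append(data)
        else:
            # No fork() on this platform: emulate the memory copy it performs.
            results.append(_child_draw(copy.deepcopy(pool), reseed, n))
    return results


def children_collide(reseed: bool) -> bool:
    """True if two forked children produced identical output."""
    pool = UserspacePool(b"constructed seed, gathered once at parent startup")
    first, second = draw_in_two_children(pool, reseed=reseed)
    return first == second


if __name__ == "__main__":
    print("identical output without reseed:", children_collide(False))
    print("identical output with reseed:   ", children_collide(True))
```

The check a defender wants is the first line of that output: if two independently forked workers (or two threads sharing one pool without locking and reseeding) can reproduce each other's key material, nonces and session keys derived from it are guessable by anyone who observes one of them, which is the impact the advisory describes.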

Workaround

There is no known workaround at this time.

Resolution

All Paramiko users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/paramiko-1.7.2"

References

Release date
March 03, 2008

Latest revision
March 03, 2008: 01

Severity
low

Exploitable
remote

Bugzilla entries