Bug#1109661: unblock: paramiko/3.5.1-3
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: paramiko@packages.debian.org
Control: affects -1 + src:paramiko
User: release.debian.org@packages.debian.org
Usertags: unblock
[ Reason ]
Fix important bug https://bugs.debian.org/1108434 (does not correctly
handle OpenSSH 10 version).
[ Impact ]
When using RSA certificates, paramiko misdetects the current version of
OpenSSH as being earlier than 7.8 and uses inappropriate fallback code.
[ Tests ]
The history of https://github.com/paramiko/paramiko/pull/2516 suggests
that it's at least somewhat covered (given that the first incorrect
version of the PR caused a test failure), but tests aren't failing at
the moment so it evidently isn't entirely robust.
[ Risks ]
I don't think adding a "\." to a version-matching regex can have much in
the way of fallout. The worst case would be that we incorrectly fall
back to the pre-7.8 logic, but that's what's already happening.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock paramiko/3.5.1-3
Thanks,
--
Colin Watson (he/him) [cjwatson@debian.org]
diff -Nru paramiko-3.5.1/debian/changelog paramiko-3.5.1/debian/changelog
--- paramiko-3.5.1/debian/changelog 2025-02-17 21:52:38.000000000 +0000
+++ paramiko-3.5.1/debian/changelog 2025-07-13 08:09:25.000000000 +0100
@@ -1,3 +1,10 @@
+paramiko (3.5.1-3) unstable; urgency=medium
+
+ * Team upload.
+ * Fixed version parsing issue with OpenSSH >= 10.0 (closes: #1108434).
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 13 Jul 2025 09:09:25 +0200
+
paramiko (3.5.1-2) unstable; urgency=medium
* Team upload.
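Review bot: The new 3.5.1-3 entry says what was fixed but not what users saw or which file carries the fix. Consider naming debian/patches/openssh-10.patch in the entry and adding the symptom from the unblock request (RSA certificate authentication falling back to the pre-7.8 code path against OpenSSH 10), so the changelog can be read without following the bug link.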
diff -Nru paramiko-3.5.1/debian/patches/openssh-10.patch paramiko-3.5.1/debian/patches/openssh-10.patch
--- paramiko-3.5.1/debian/patches/openssh-10.patch 1970-01-01 01:00:00.000000000 +0100
+++ paramiko-3.5.1/debian/patches/openssh-10.patch 2025-07-13 08:09:25.000000000 +0100
@@ -0,0 +1,26 @@
+From: rebcim <68267550+rebcim@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 14:13:52 +0200
+Subject: Fixed version parsing issue with OpenSSH 10.0
+
+Regex matches now for Version 1..7 but not for 10.
+
+Origin: other, https://github.com/paramiko/paramiko/pull/2516
+Bug-Debian: https://bugs.debian.org/1108434
+Last-Update: 2025-07-13
+---
+ paramiko/auth_handler.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
+index bc7f298..2b54877 100644
+--- a/paramiko/auth_handler.py
++++ b/paramiko/auth_handler.py
+@@ -321,7 +321,7 @@ class AuthHandler:
+ # regarding server-sig-algs, it's impossible to fit this into the rest
+ # of the logic here.
+ if key_type.endswith("-cert-v01@openssh.com") and re.search(
+- r"-OpenSSH_(?:[1-6]|7\.[0-7])", self.transport.remote_version
++ r"-OpenSSH_(?:[1-6]\.|7\.[0-7])", self.transport.remote_version
+ ):
+ pubkey_algo = "ssh-rsa-cert-v01@openssh.com"
+ self.transport._agreed_pubkey_algorithm = pubkey_algo
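Review bot: No regression test accompanies the regex change in the re.search() call inside AuthHandler, and the request's own [ Tests ] section notes that current coverage is not robust. A test that sets remote_version to an "OpenSSH_10.0" identification string with a "-cert-v01@openssh.com" key type, and asserts that the "ssh-rsa-cert-v01@openssh.com" fallback is not selected, would pin the fix. Separately, the "7\.[0-7]" alternative is still a prefix match with nothing after the minor digit, so a two-digit minor beginning with 0-7 would also match; capturing major and minor and comparing them as integers against (7, 8) would remove this class of bug instead of patching one instance. The patch description "Regex matches now for Version 1..7 but not for 10." would also be clearer if it said that the old "[1-6]" alternative matched the leading "1" of "10".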
diff -Nru paramiko-3.5.1/debian/patches/series paramiko-3.5.1/debian/patches/series
--- paramiko-3.5.1/debian/patches/series 2025-02-17 21:52:38.000000000 +0000
+++ paramiko-3.5.1/debian/patches/series 2025-07-13 08:09:25.000000000 +0100
@@ -1,2 +1,3 @@
1071675.patch
0002-Ignore-host-keys-with-markers.patch
+openssh-10.patch
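The misdetection described under [ Impact ] and the risk assessment under [ Risks ] can be checked directly. The following is an added example, not code from paramiko or from the debdiff: it runs the old and new patterns from the auth_handler.py hunk over constructed identification strings and compares each with a numeric "older than 7.8" check. The helper names (is_pre_78, disagreements) and the sample banners are assumptions of this example.

```python
import re

# Patterns copied from the auth_handler.py hunk in the debdiff above.
OLD = re.compile(r"-OpenSSH_(?:[1-6]|7\.[0-7])")
NEW = re.compile(r"-OpenSSH_(?:[1-6]\.|7\.[0-7])")

# Reference check (assumption of this example, not paramiko code):
# parse major.minor as integers and compare numerically against 7.8.
_VERSION = re.compile(r"-OpenSSH_(\d+)\.(\d+)")


def is_pre_78(banner):
    """True only if the banner is OpenSSH with a version below 7.8."""
    m = _VERSION.search(banner)
    if m is None:
        return False  # not OpenSSH, or unparseable: no legacy fallback
    return (int(m.group(1)), int(m.group(2))) < (7, 8)


def disagreements(pattern, banners):
    """Return the banners where the regex and the numeric check differ."""
    return [b for b in banners if bool(pattern.search(b)) != is_pre_78(b)]


# Constructed sample identification strings (not captured from real servers).
BANNERS = [
    "SSH-2.0-OpenSSH_6.6.1p1",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_7.7p1",
    "SSH-2.0-OpenSSH_7.8",
    "SSH-2.0-OpenSSH_7.9p1",
    "SSH-2.0-OpenSSH_8.9p1",
    "SSH-2.0-OpenSSH_9.9p2",
    "SSH-2.0-OpenSSH_10.0p2",
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_12.3",  # hypothetical future release
    "SSH-2.0-OpenSSH_for_Windows_9.5",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for name, pat in (("old", OLD), ("new", NEW)):
        wrong = disagreements(pat, BANNERS)
        print(name, "regex disagrees on:", wrong or "nothing")
```
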