Bug#1109661: marked as done (unblock: paramiko/3.5.1-3)

To: Ivo De Decker <ivodd@respighi.debian.org>
Subject: Bug#1109661: marked as done (unblock: paramiko/3.5.1-3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Mon, 21 Jul 2025 15:23:06 +0000
Message-id: <[🔎] handler.1109661.D1109661.17531113463189214.ackdone@bugs.debian.org>
Reply-to: 1109661@bugs.debian.org
References: <E1udsLQ-00A384-0f@respighi.debian.org> <[🔎] aH4TX54CR6kqmEfI@camorr.rosewood.vpn.ucam.org>

Your message dated Mon, 21 Jul 2025 15:22:24 +0000
with message-id <E1udsLQ-00A384-0f@respighi.debian.org>
and subject line unblock paramiko
has caused the Debian Bug report #1109661,
regarding unblock: paramiko/3.5.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109661: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109661
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: paramiko/3.5.1-3
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 21 Jul 2025 11:15:59 +0100
Message-id: <[🔎] aH4TX54CR6kqmEfI@camorr.rosewood.vpn.ucam.org>

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: paramiko@packages.debian.org
Control: affects -1 + src:paramiko
User: release.debian.org@packages.debian.org
Usertags: unblock

[ Reason ]
Fix important bug https://bugs.debian.org/1108434 (does not correctly 
handle OpenSSH 10 version).

[ Impact ]
When using RSA certificates, paramiko misdetects the current version of 
OpenSSH as being earlier than 7.8 and uses inappropriate fallback code.

[ Tests ]
The history of https://github.com/paramiko/paramiko/pull/2516 suggests 
that it's at least somewhat covered (given that the first incorrect 
version of the PR caused a test failure), but tests aren't failing at 
the moment so it evidently isn't entirely robust.

[ Risks ]
I don't think adding a "\." to a version-matching regex can have much in 
the way of fallout.  The worst case would be that we incorrectly fall 
back to the pre-7.8 logic, but that's what's already happening.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock paramiko/3.5.1-3

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

diff -Nru paramiko-3.5.1/debian/changelog paramiko-3.5.1/debian/changelog
--- paramiko-3.5.1/debian/changelog	2025-02-17 21:52:38.000000000 +0000
+++ paramiko-3.5.1/debian/changelog	2025-07-13 08:09:25.000000000 +0100
@@ -1,3 +1,10 @@
+paramiko (3.5.1-3) unstable; urgency=medium
+
+  * Team upload.
+  * Fixed version parsing issue with OpenSSH >= 10.0 (closes: #1108434).
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 13 Jul 2025 09:09:25 +0200
+
 paramiko (3.5.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru paramiko-3.5.1/debian/patches/openssh-10.patch paramiko-3.5.1/debian/patches/openssh-10.patch
--- paramiko-3.5.1/debian/patches/openssh-10.patch	1970-01-01 01:00:00.000000000 +0100
+++ paramiko-3.5.1/debian/patches/openssh-10.patch	2025-07-13 08:09:25.000000000 +0100
@@ -0,0 +1,26 @@
+From: rebcim <68267550+rebcim@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 14:13:52 +0200
+Subject: Fixed version parsing issue with OpenSSH 10.0
+
+Regex matches now for Version 1..7 but not for 10.
+
+Origin: other, https://github.com/paramiko/paramiko/pull/2516
+Bug-Debian: https://bugs.debian.org/1108434
+Last-Update: 2025-07-13
+---
+ paramiko/auth_handler.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
+index bc7f298..2b54877 100644
+--- a/paramiko/auth_handler.py
++++ b/paramiko/auth_handler.py
+@@ -321,7 +321,7 @@ class AuthHandler:
+         # regarding server-sig-algs, it's impossible to fit this into the rest
+         # of the logic here.
+         if key_type.endswith("-cert-v01@openssh.com") and re.search(
+-            r"-OpenSSH_(?:[1-6]|7\.[0-7])", self.transport.remote_version
++            r"-OpenSSH_(?:[1-6]\.|7\.[0-7])", self.transport.remote_version
+         ):
+             pubkey_algo = "ssh-rsa-cert-v01@openssh.com"
+             self.transport._agreed_pubkey_algorithm = pubkey_algo
diff -Nru paramiko-3.5.1/debian/patches/series paramiko-3.5.1/debian/patches/series
--- paramiko-3.5.1/debian/patches/series	2025-02-17 21:52:38.000000000 +0000
+++ paramiko-3.5.1/debian/patches/series	2025-07-13 08:09:25.000000000 +0100
@@ -1,2 +1,3 @@
 1071675.patch
 0002-Ignore-host-keys-with-markers.patch
+openssh-10.patch

--- End Message ---

--- Begin Message ---

To: 1109661-done@bugs.debian.org

Subject: unblock paramiko

From: Ivo De Decker <ivodd@respighi.debian.org>

Date: Mon, 21 Jul 2025 15:22:24 +0000

Message-id: <E1udsLQ-00A384-0f@respighi.debian.org>
Unblocked paramiko.
--- End Message ---

Reply to:

References:
- Bug#1109661: unblock: paramiko/3.5.1-3
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#1109660: marked as done (unblock: afew/3.0.1-8)
Next by Date: Bug#1109654: unblock: ceph/18.2.7-3 (pre-approval)
Previous by thread: Processed: unblock: paramiko/3.5.1-3
Next by thread: Bug#1109662: unblock: megatools/1.11.5-1
Index(es):
- Date
- Thread