Update paramiko to v2.4.2+ #3861

Closed
emkll opened this Issue Oct 10, 2018 · 1 comment

emkll commented Oct 10, 2018

Description

We currently use paramiko v2.4.1, for which a CVE was issued (https://nvd.nist.gov/vuln/detail/CVE-2018-1000805):

The vulnerability is on the server-side of the paramiko code, which means that it shouldn't be directly exploitable, as we only use it as a client, but safety will soon alert us of the vulnerable package.

User Stories

As an admin, I would like to have no associated CVEs with the libraries used.

@redshiftzero redshiftzero added this to the 0.10.0 milestone Oct 10, 2018
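A version-floor check for the pin described in the issue above, as an added example that is not part of the issue or the project's code. The 2.4.2 floor comes from the issue title; the function names and the sample requirements text are assumptions constructed for illustration.

```python
import re

# Floor taken from the issue title ("v2.4.2+").
MIN_PARAMIKO = (2, 4, 2)

# Exact pip pin such as "paramiko==2.4.1".
_PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)")

# Constructed sample in pip-compile style; hashes are placeholders.
SAMPLE_BEFORE = """\
# constructed sample, not the project's real requirements file
cryptography==2.3.1 \\
    --hash=sha256:<placeholder>
paramiko==2.4.1 \\
    --hash=sha256:<placeholder>
"""

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1), padded to at least three components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check_paramiko_pin(requirements_text, minimum=MIN_PARAMIKO):
    """Return (status, version); status is ok, outdated, unpinned or absent."""
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("--"):    # blanks and --hash continuations
            continue
        # Package name ends at the first specifier, marker, extra or space.
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0].lower()
        if name != "paramiko":
            continue
        match = _PIN.match(line)
        if match is None:
            # A range such as "paramiko>=2.0" can still resolve below the floor.
            return ("unpinned", None)
        version = parse_version(match.group(2))
        # Tuple comparison is numeric, so 2.10.0 sorts above 2.4.2.
        return ("ok" if version >= minimum else "outdated", version)
    return ("absent", None)

if __name__ == "__main__":
    print(check_paramiko_pin(SAMPLE_BEFORE))
```

Run against each requirements file in CI, a non-`ok` status can fail the build before a scanner alert arrives.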


redshiftzero commented Oct 10, 2018

Hey @heartsucker: we need this fix in for 0.10.0 - interested in investigating based on @emkll's report and filing a PR to update? (PR should be against develop at first and then we'll backport into the release branch)
