Package: python-asyncssh / 2.10.1-2+deb12u2

Metadata

Package: python-asyncssh
Version: 2.10.1-2+deb12u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
sphinx use default theme.patch

docs/rftheme/static/rftheme.css_t | 2 1 + 1 - 0 !
docs/rftheme/theme.conf | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 make sphinx use default theme

0002 skip tests requiring network access.patch

tests/test_auth_keys.py | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 skip tests requiring network access

0003 Revert fido 0.9.2 support.patch

asyncssh/sk.py | 2 1 + 1 - 0 !
setup.py | 2 1 + 1 - 0 !
tests/sk_stub.py | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 revert fido 0.9.2 support

Not yet in Debian, we're still on 0.9.1

This reverts: 7a4597953a631ee5091ac1b6e384e32d4f018a82

0004 Handle ConnectionRefusedError when connecting to 223.patch

tests/test_connection.py | 23 16 + 7 - 0 !
1 file changed, 16 insertions(+), 7 deletions(-)

 handle ConnectionRefusedError when connecting to 223.255.255.254

If the tests are run from an environment with a firewall, they may be
refused instead of timing out.

Just skip the test.

mock pathlib expanduser.patch

tests/test_config.py | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] also patch pathlib expanduser

NB: with recent Python versions the existing `os.path.expanduser()` patch
also affects `pathlib.Path.expanduser()`, which is invoked by the config
parser for expanding `~/.ssh`.

CVE 2023 48795.patch

asyncssh/connection.py | 65 53 + 12 - 0 !
tests/test_connection.py | 147 128 + 19 - 0 !
tests/test_connection_auth.py | 4 2 + 2 - 0 !
tests/util.py | 14 14 + 0 - 0 !
4 files changed, 197 insertions(+), 33 deletions(-)

CVE 2023 46445 and CVE 2023 46446.patch

asyncssh/connection.py | 132 83 + 49 - 0 !
tests/test_connection.py | 151 124 + 27 - 0 !
2 files changed, 207 insertions(+), 76 deletions(-)

 [patch] harden asyncssh state machine against message injection
 during handshake

This commit puts additional restrictions on when messages are accepted
during the SSH handshake to avoid message injection attacks from a
rogue client or server.

More detailed information will be available in CVE-2023-46445 and
CVE-2023-46446, to be published shortly.

Thanks go to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for
identifying and reporting these vulnerabilities and providing
detailed analysis and suggestions for how to protect against them,
as well as review comments on the proposed fix.