From 75e6b1426e43f90c464d5f88251cdcbd82755895 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 12 2018 20:23:33 +0000
Subject: import python-paramiko-2.1.1-9.el7
---
diff --git a/SOURCES/CVE-2018-1000805.diff b/SOURCES/CVE-2018-1000805.diff
new file mode 100644
index 0000000..dc83dae
--- /dev/null
+++ b/SOURCES/CVE-2018-1000805.diff
@@ -0,0 +1,31 @@
+--- paramiko-2.1.1/paramiko/auth_handler.py 2016-12-12 19:12:48.000000000 -0500
++++ paramiko-2.1.1_patched/paramiko/auth_handler.py 2018-10-22 08:59:45.397822283 -0400
+@@ -603,13 +603,25 @@
+ return
+ self._send_auth_result(self.auth_username, 'keyboard-interactive', result)
+
+- _handler_table = {
++ _server_handler_table = {
+ MSG_SERVICE_REQUEST: _parse_service_request,
+- MSG_SERVICE_ACCEPT: _parse_service_accept,
+ MSG_USERAUTH_REQUEST: _parse_userauth_request,
++ MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
++ }
++
++ _client_handler_table = {
++ MSG_SERVICE_ACCEPT: _parse_service_accept,
+ MSG_USERAUTH_SUCCESS: _parse_userauth_success,
+ MSG_USERAUTH_FAILURE: _parse_userauth_failure,
+ MSG_USERAUTH_BANNER: _parse_userauth_banner,
+ MSG_USERAUTH_INFO_REQUEST: _parse_userauth_info_request,
+- MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
+ }
++
++ # NOTE: prior to the fix for #1283, this was a static dict instead of a
++ # property. Should be backwards compatible in most/all cases.
++ @property
++ def _handler_table(self):
++ if self.transport.server_mode:
++ return self._server_handler_table
++ else:
++ return self._client_handler_table
diff --git a/SPECS/python-paramiko.spec b/SPECS/python-paramiko.spec
index e8150d1..0ec78a2 100644
--- a/SPECS/python-paramiko.spec
+++ b/SPECS/python-paramiko.spec
@@ -10,7 +10,7 @@ Name: python-%{srcname}
 Version: 2.1.1
-Release: 5%{?dist}
+Release: 9%{?dist}
 Provides: python2-paramiko = %{version}-%{release}
 Summary: SSH2 protocol library for python
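Review bot: The `_handler_table` property added at the end of the new patch file carries only a `# NOTE` citing `#1283`, so a reader of this backport cannot see why `MSG_SERVICE_ACCEPT`, `MSG_USERAUTH_SUCCESS`, `MSG_USERAUTH_FAILURE`, `MSG_USERAUTH_BANNER` and `MSG_USERAUTH_INFO_REQUEST` now sit in `_client_handler_table` while the server is restricted to `_server_handler_table`. A docstring on the property such as `"""Dispatch table for this side of the connection only: a server must never dispatch client-bound replies such as MSG_USERAUTH_SUCCESS (CVE-2018-1000805)."""` would tie the split to the CVE the spec changelog names. What happens to a message type that is absent from the selected table is decided by the dispatch code outside this hunk; it is worth confirming that such a message is rejected, and ideally logged, rather than silently ignored, since that is the event a server operator would want visible. Minor style: the `if`/`else` pair of returns can be one conditional expression, `return self._server_handler_table if self.transport.server_mode else self._client_handler_table`.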
@@ -20,6 +20,7 @@ URL: https://github.com/paramiko/paramiko
 Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
 Patch0: CVE-2018-7750.diff
+Patch1: CVE-2018-1000805.diff
 BuildArch: noarch
@@ -120,6 +121,12 @@ rm -f html/.buildinfo
 %doc html/ demos/
 %changelog
+* Thu Oct 18 2018 Jake Hunsaker - 2.1.1-9
+- Fix a security flaw (CVE-2018-1000805) in Paramiko's server
+ mode (does not effect client mode).
+ Backported from 2.1.6
+ Resolves rhbz#1637366
+
 * Fri Jul 20 2018 Jake Hunsaker - 2.1.1-5
 - Rebuild for move from Extras to Base for 7.6
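Review bot: `Patch1: CVE-2018-1000805.diff` is declared in this hunk, but no hunk in this commit touches `%prep`, so whether the patch is actually applied depends on what `%prep` already does. If it lists patches explicitly (`%patch0 -p1`) rather than using `%autosetup`, a matching `%patch1 -p1` is needed; otherwise the build ships 2.1.1-9 with a changelog claiming the CVE fix while `auth_handler.py` stays unpatched. The `%prep` section lies outside this diff, so this is a check to perform rather than a confirmed defect.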