diff --git a/.python-paramiko.metadata b/.python-paramiko.metadata index be221db..1e2b617 100644 --- a/.python-paramiko.metadata +++ b/.python-paramiko.metadata @@ -1 +1 @@ -0418c2fb8d2b8d1f4b86ac954ec31d5ba77d9956 SOURCES/paramiko-2.1.1.tar.gz +4375bbb1c07d078484e5cd4176b5bfb3973827af SOURCES/paramiko-2.7.2.tar.gz diff --git a/SOURCES/0001-remove-pytest-relaxed-dep.patch b/SOURCES/0001-remove-pytest-relaxed-dep.patch new file mode 100644 index 0000000..83a4f75 --- /dev/null +++ b/SOURCES/0001-remove-pytest-relaxed-dep.patch @@ -0,0 +1,74 @@ +diff --git a/dev-requirements.txt b/dev-requirements.txt +index f4f84748..b1b0cdf5 100644 +--- a/dev-requirements.txt ++++ b/dev-requirements.txt +@@ -2,7 +2,6 @@ + invoke>=1.0,<2.0 + invocations>=1.2.0,<2.0 + pytest==4.4.2 +-pytest-relaxed==1.1.5 + # pytest-xdist for test dir watching and the inv guard task + pytest-xdist==1.28.0 + mock==2.0.0 +diff --git a/setup.cfg b/setup.cfg +index 44d029c4..99159096 100644 +--- a/setup.cfg ++++ b/setup.cfg +@@ -17,9 +17,6 @@ ignore = E124,E125,E128,E261,E301,E302,E303,E402,E721,W503,E203,E722 + max-line-length = 79 + + [tool:pytest] +-# We use pytest-relaxed just for its utils at the moment, so disable it at the +-# plugin level until we adapt test organization to really use it. +-addopts = -p no:relaxed + # Loop on failure + looponfailroots = tests paramiko + # Ignore some warnings we cannot easily handle. +diff --git a/tests/test_client.py b/tests/test_client.py +index 60ad310c..88fd1d53 100644 +--- a/tests/test_client.py ++++ b/tests/test_client.py +@@ -33,7 +33,7 @@ import warnings + import weakref + from tempfile import mkstemp + +-from pytest_relaxed import raises ++import pytest + from mock import patch, Mock + + import paramiko +@@ -684,10 +684,10 @@ class PasswordPassphraseTests(ClientTest): + + # TODO: more granular exception pending #387; should be signaling "no auth + # methods available" because no key and no password +- @raises(SSHException) + def test_passphrase_kwarg_not_used_for_password_auth(self): +- # Using the "right" password in the "wrong" field shouldn't work. +- self._test_connection(passphrase="pygmalion") ++ with pytest.raises(SSHException): ++ # Using the "right" password in the "wrong" field shouldn't work. ++ self._test_connection(passphrase="pygmalion") + + def test_passphrase_kwarg_used_for_key_passphrase(self): + # Straightforward again, with new passphrase kwarg. +@@ -705,14 +705,14 @@ class PasswordPassphraseTests(ClientTest): + password="television", + ) + +- @raises(AuthenticationException) # TODO: more granular + def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given( # noqa + self + ): + # Sanity: if we're given both fields, the password field is NOT used as + # a passphrase. +- self._test_connection( +- key_filename=_support("test_rsa_password.key"), +- password="television", +- passphrase="wat? lol no", +- ) ++ with pytest.raises(AuthenticationException): ++ self._test_connection( ++ key_filename=_support("test_rsa_password.key"), ++ password="television", ++ passphrase="wat? lol no", ++ ) diff --git a/SOURCES/0002-Skip-tests-requiring-invoke.patch b/SOURCES/0002-Skip-tests-requiring-invoke.patch new file mode 100644 index 0000000..2b2625b --- /dev/null +++ b/SOURCES/0002-Skip-tests-requiring-invoke.patch @@ -0,0 +1,37 @@ +From 2dc654a20c4f1908d587060809a9d67b31352497 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= +Date: Thu, 16 Apr 2020 09:46:39 +0200 +Subject: [PATCH] Skip tests requiring invoke if it's not installed + +Since invoke is an optional dependency and only one group of tests +require it, skip them gracefully rather than failing if it's not +present. +--- + tests/test_config.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tests/test_config.py b/tests/test_config.py +index 5e9aa0592..2095061f2 100644 +--- a/tests/test_config.py ++++ b/tests/test_config.py +@@ -6,7 +6,11 @@ + + from paramiko.py3compat import string_types + +-from invoke import Result ++try: ++ from invoke import Result ++except ImportError: ++ Result = None ++ + from mock import patch + from pytest import raises, mark, fixture + +@@ -705,6 +709,7 @@ def inner(command, *args, **kwargs): + return inner + + ++@mark.skipif(Result is None, reason="requires invoke package") + class TestMatchExec(object): + @patch("paramiko.config.invoke", new=None) + @patch("paramiko.config.invoke_import_error", new=ImportError("meh")) diff --git a/SPECS/python-paramiko.spec b/SPECS/python-paramiko.spec index 0ec78a2..1b53639 100644 --- a/SPECS/python-paramiko.spec +++ b/SPECS/python-paramiko.spec @@ -1,74 +1,56 @@ %global srcname paramiko -%if 0%{?rhel} && 0%{?rhel} <= 7 -%bcond_with weak_deps -%bcond_with python3 -%else -%bcond_without weak_deps -%bcond_without python3 -%endif - Name: python-%{srcname} -Version: 2.1.1 -Release: 9%{?dist} -Provides: python2-paramiko = %{version}-%{release} +Version: 2.7.2 +Release: 4%{?dist} Summary: SSH2 protocol library for python -# No version specified. +# No version specified License: LGPLv2+ URL: https://github.com/paramiko/paramiko Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz - -Patch0: CVE-2018-7750.diff -Patch1: CVE-2018-1000805.diff +# Remove pytest-relaxed, which depends on pytest4 +# Can be removed when https://github.com/paramiko/paramiko/pull/1665/ is released +Patch0: 0001-remove-pytest-relaxed-dep.patch +# Skip tests requiring invoke if it's not installed +# Can be removed when https://github.com/paramiko/paramiko/pull/1667/ is released +Patch2: 0002-Skip-tests-requiring-invoke.patch BuildArch: noarch -Requires: python-cryptography -Requires: python2-pyasn1 -BuildRequires: python2-devel -BuildRequires: python-setuptools -BuildRequires: python-cryptography -BuildRequires: python2-pyasn1 %global paramiko_desc \ -Paramiko (a combination of the esperanto words for "paranoid" and "friend") is\ +Paramiko (a combination of the Esperanto words for "paranoid" and "friend") is\ a module for python 2.3 or greater that implements the SSH2 protocol for secure\ (encrypted and authenticated) connections to remote machines. Unlike SSL (aka\ -TLS), the SSH2 protocol does not require heirarchical certificates signed by a\ +TLS), the SSH2 protocol does not require hierarchical certificates signed by a\ powerful central authority. You may know SSH2 as the protocol that replaced\ telnet and rsh for secure access to remote shells, but the protocol also\ includes the ability to open arbitrary channels to remote services across an\ -encrypted tunnel. (This is how sftp works, for example.)\ +encrypted tunnel (this is how sftp works, for example). %description %{paramiko_desc} -%if %{with weak_deps} -Recommends: python-gssapi -%endif - -%if %{with python3} %package -n python%{python3_pkgversion}-%{srcname} Summary: SSH2 protocol library for python -%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-cryptography -Requires: python%{python3_pkgversion}-cryptography -%if %{with weak_deps} -Recommends: python%{python3_pkgversion}-gssapi -%endif +BuildRequires: %{py3_dist bcrypt} >= 3.1.3 +BuildRequires: %{py3_dist cryptography} >= 2.5 +BuildRequires: %{py3_dist mock} >= 2.0.0 +BuildRequires: %{py3_dist pyasn1} >= 0.1.7 +BuildRequires: %{py3_dist pynacl} >= 1.0.1 +BuildRequires: %{py3_dist pytest} +BuildRequires: %{py3_dist setuptools} +Recommends: %{py3_dist pyasn1} >= 0.1.7 %description -n python%{python3_pkgversion}-%{srcname} %{paramiko_desc} Python 3 version. -%endif %package doc Summary: Docs and demo for SSH2 protocol library for python BuildRequires: /usr/bin/sphinx-build -BuildRequires: python2-sphinx-theme-alabaster Requires: %{name} = %{version}-%{release} %description doc @@ -77,78 +59,273 @@ Requires: %{name} = %{version}-%{release} This is the documentation and demos. %prep -%autosetup -n %{srcname}-%{version} -p1 +%autosetup -p1 -n %{srcname}-%{version} -chmod a-x demos/* +chmod -c a-x demos/* sed -i -e '/^#!/,1d' demos/* %build -CFLAGS="%{optflags}" %{__python} setup.py %{?py_setup_args} build --executable="%{__python2} -s" -%if %{with python3} %py3_build -%endif %install -CFLAGS="%{optflags}" %{__python} setup.py %{?py_setup_args} install -O1 --skip-build --root %{buildroot} -%if %{with python3} %py3_install -%endif sphinx-build -b html sites/docs/ html/ -rm -f html/.buildinfo +rm html/.buildinfo %check -%{__python2} ./test.py --no-sftp --no-big-file -%if %{with python3} -%{__python3} ./test.py --no-sftp --no-big-file -%endif - -%files -n python-%{srcname} -%license LICENSE -%doc NEWS README.rst -%{python2_sitelib}/%{srcname}-*.egg-info/ -%{python2_sitelib}/%{srcname}/ +# Remove sftp test (fail under mock) +rm tests/test_sftp*.py +PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version} -%if %{with python3} %files -n python%{python3_pkgversion}-%{srcname} %license LICENSE %doc NEWS README.rst %{python3_sitelib}/%{srcname}-*.egg-info/ %{python3_sitelib}/%{srcname}/ -%endif %files doc %doc html/ demos/ %changelog -* Thu Oct 18 2018 Jake Hunsaker - 2.1.1-9 -- Fix a security flaw (CVE-2018-1000805) in Paramiko's server - mode (does not effect client mode). - Backported from 2.1.6 - Resolves rhbz#1637366 - -* Fri Jul 20 2018 Jake Hunsaker - 2.1.1-5 -- Rebuild for move from Extras to Base for 7.6 - -* Thu Mar 22 2018 Pavel Cahyna - 2.1.1-4 -- Add a dependency on python2-pyasn1. It used to be a dependency - of python2-cryptography, but it is not the case with newer versions. - (RHBZ #1559133) - -* Wed Mar 21 2018 Pavel Cahyna - 2.1.1-3 -- Fix a security flaw (CVE-2018-7750) in Paramiko's server - mode (emphasis on **server** mode; this does **not** impact *client* use!) - Backported from 2.1.5. - Resolves #1557142 - -* Fri May 12 2017 Pavel Cahyna - 2.1.1-2 -- Rebuild for RHEL 7.4 Extras - -* Thu Jan 05 2017 Troy Dawson 2.1.1-1 -- Update to 2.1.1 - -* Fri Jul 08 2016 Jon Schlueter 2.0.0-1.0 -- Rebuild +* Wed Mar 3 2021 Paul Howarth - 2.7.2-4 +- Drop invoke dependencies as it requires ancient pytest and we can't expect + it to remain around + +* Tue Mar 02 2021 Dan Radez - 2.7.2-3 +- Removing the python-relax dep using upstream patch + https://github.com/paramiko/paramiko/pull/1665/ + +* Wed Jan 27 2021 Fedora Release Engineering - 2.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Aug 31 2020 Paul Howarth - 2.7.2-1 +- Update to 2.7.2 + - Update our CI to catch issues with sdist generation, installation and + testing + - Add missing test suite fixtures directory to MANIFEST.in, reinstating the + ability to run Paramiko's tests from an sdist tarball (GH#1727) + - Remove leading whitespace from OpenSSH RSA test suite static key fixture, + to conform better to spec. (GH#1722) + - Fix incorrect string formatting causing unhelpful error message annotation + when using Kerberos/GSSAPI + - Fix incorrectly swapped order of 'p' and 'q' numbers when loading + OpenSSH-format RSA private keys; at minimum this should address a slowdown + when using such keys, and it also means Paramiko works with Cryptography + 3.1 and above, which complains strenuously when this problem appears + (GH#1723) + +* Wed Jul 29 2020 Fedora Release Engineering - 2.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sat May 30 2020 Paul Howarth - 2.7.1-4 +- Avoid FTBFS with pytest 5 (pytest-relaxed pulls in pytest 4) +- Drop explicit dependencies for things that the python dependency generator + finds by itself + +* Sun May 24 2020 Miro Hrončok - 2.7.1-3 +- Rebuilt for Python 3.9 + +* Thu Jan 30 2020 Fedora Release Engineering - 2.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Dec 11 2019 Paul Howarth - 2.7.1-1 +- Update to 2.7.1 + - The new-style private key format (added in 2.7.0) suffered from an + unpadding bug that had been fixed earlier for Ed25519 (as that key type has + always used the newer format); that fix has been refactored and applied to + the base key class (GH#1567) + - Fix a bug in support for ECDSA keys under the newly-supported OpenSSH key + format (GH#1565, GH#1566) + +* Wed Dec 4 2019 Paul Howarth - 2.7.0-1 +- Update to 2.7.0 + - Implement support for OpenSSH 6.5-style private key files (typically + denoted as having 'BEGIN OPENSSH PRIVATE KEY' headers instead of PEM + format's 'BEGIN RSA PRIVATE KEY' or similar); if you were getting any sort + of weird auth error from "modern" keys generated on newer operating system + releases (such as macOS Mojave), this is the first update to try (GH#602, + GH#618, GH#1313, GH#1343) + - Token expansion in 'ssh_config' used a different method of determining the + local username ('$USER' environment variable), compared to what the (much + older) client connection code does ('getpass.getuser', which includes + '$USER' but may check other variables first, and is generally much more + comprehensive); both modules now use 'getpass.getuser' + - A couple of outright '~paramiko.config.SSHConfig' parse errors were + previously represented as vanilla 'Exception' instances; as part of recent + feature work a more specific exception class, + '~paramiko.ssh_exception.ConfigParseError', has been created; it is now + also used in those older spots, which is naturally backwards compatible + - Implement support for the 'Match' keyword in 'ssh_config' files; + previously, this keyword was simply ignored and keywords inside such blocks + were treated as if they were part of the previous block (GH#717) + - Note: this feature adds a new optional install dependency 'Invoke' + (https://www.pyinvoke.org), for managing 'Match exec' subprocesses + - Additional installation 'extras_require' "flavors" ('ed25519', 'invoke', + and 'all') have been added to our packaging metadata + - Paramiko's use of 'subprocess' for 'ProxyCommand' support is conditionally + imported to prevent issues on limited interpreter platforms like Google + Compute Engine; however, any resulting 'ImportError' was lost instead of + preserved for raising (in the rare cases where a user tried leveraging + 'ProxyCommand' in such an environment); this has been fixed + - Perform deduplication of 'IdentityFile' contents during 'ssh_config' + parsing; previously, if your config would result in the same value being + encountered more than once, 'IdentityFile' would contain that many copies + of the same string + - Implement most 'canonical hostname' 'ssh_config' functionality + ('CanonicalizeHostname', 'CanonicalDomains', 'CanonicalizeFallbackLocal', + and 'CanonicalizeMaxDots'; 'CanonicalizePermittedCNAMEs' has *not* yet + been implemented) - all were previously silently ignored (GH#897) + - Explicitly document which ssh_config features we currently support; + previously users just had to guess, which is simply no good + - Add new convenience classmethod constructors to + '~paramiko.config.SSHConfig': '~paramiko.config.SSHConfig.from_text', + '~paramiko.config.SSHConfig.from_file', and + '~paramiko.config.SSHConfig.from_path'; no more annoying two-step process! +- Add Recommends: of python3-invoke and python3-pyasn1 for optional + functionality + +* Sun Oct 06 2019 Othman Madjoudj - 2.6.0-5 +- Drop python2 subpackage since it's eol-ed + +* Thu Oct 03 2019 Miro Hrončok - 2.6.0-4 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Mon Aug 19 2019 Miro Hrončok - 2.6.0-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jun 27 2019 Paul Howarth - 2.6.0-1 +- Update to 2.6.0 + - Add a new keyword argument to 'SSHClient.connect' and + '~paramiko.transport.Transport', 'disabled_algorithms', which allows + selectively disabling one or more kex/key/cipher/etc algorithms; this can + be useful when disabling algorithms your target server (or client) does not + support cleanly, or to work around unpatched bugs in Paramiko's own + implementation thereof (GH#1463) + - Tweak many exception classes so their string representations are more + human-friendly; this also includes incidental changes to some 'super()' + calls (GH#1440, GH#1460) + - Add backwards-compatible support for the 'gssapi' GSSAPI library, as the + previous backend ('python-gssapi') has become defunct (GH#584, GH#1166, + GH#1311) + - 'SSHClient.exec_command' now returns a new subclass, + '~paramiko.channel.ChannelStdinFile', rather than a naïve + '~paramiko.channel.ChannelFile' object for its 'stdin' value, which fixes + issues such as hangs when running remote commands that read from stdin + (GH#322) +- Drop gssapi patch as it's no longer needed +- Drop pytest-relaxed patch as it's no longer needed + +* Thu Jun 27 2019 Paul Howarth - 2.5.1-1 +- Update to 2.5.1 + - Fix Ed25519 key handling so certain key comment lengths don't cause + 'SSHException("Invalid key")' (GH#1306, GH#1400) + +* Mon Jun 10 2019 Paul Howarth - 2.5.0-1 +- Update to 2.5.0 + - Add support for encrypt-then-MAC (ETM) schemes and two newer Diffie-Hellman + group key exchange algorithms ('group14', using SHA256; and 'group16', + using SHA512) + - Add support for Curve25519 key exchange + - Raise Cryptography dependency requirement to version 2.5 (from 1.5) and + update some deprecated uses of its API + - Add support for the modern (as of Python 3.3) import location of + 'MutableMapping' (used in host key management) to avoid the old location + becoming deprecated in Python 3.8 +- Drop hard dependency on pyasn1 as it's only needed for optional GSSAPI + functionality + +* Sat Feb 02 2019 Fedora Release Engineering - 2.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Oct 9 2018 Paul Howarth - 2.4.2-1 +- Update to 2.4.2 + - Fix exploit (GH#1283, CVE-2018-1000805) in Paramiko’s server mode (not + client mode) where hostile clients could trick the server into thinking + they were authenticated without actually submitting valid authentication + - Modify protocol message handling such that Transport does not respond to + MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED; this behavior probably + didn’t cause any outright errors, but it doesn’t seem to conform to the + RFCs and could cause (non-infinite) feedback loops in some scenarios + (usually those involving Paramiko on both ends) + - Add *.pub files to the MANIFEST so distributed source packages contain + some necessary test assets (GH#1262) +- Test suite now requires mock ≥ 2.0.0 + +* Sat Jul 14 2018 Fedora Release Engineering - 2.4.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 20 2018 Miro Hrončok - 2.4.1-4 +- Rebuilt for Python 3.7 +- Remove dependency on on pytest-relaxed + +* Fri Mar 16 2018 Paul Howarth - 2.4.1-1 +- Update to 2.4.1 + - Fix a security flaw (GH#1175, CVE-2018-7750) in Paramiko's server mode + (this does not impact client use) where authentication status was not + checked before processing channel-open and other requests typically only + sent after authenticating + - Ed25519 auth key decryption raised an unexpected exception when given a + unicode password string (typical in python 3) (GH#1039) + +* Fri Feb 09 2018 Fedora Release Engineering - 2.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Nov 18 2017 Athmane Madjoudj - 2.4.0-2 +- Add gssapi patch back since 2.4.0 still not compatible +- Add missing BR (lost during merge) + +* Fri Nov 17 2017 Igor Gnatenko - 2.4.0-1 +- Update to 2.4.0 + +* Wed Nov 15 2017 Athmane Madjoudj - 2.4.0-1 +- Update to 2.4.0 (rhbz #1513208) +- Revamp check section + +* Sun Oct 29 2017 Athmane Madjoudj - 2.3.1-3 +- Add a patch to disable gssapi on unsupported version (rhbz #1507174) + +* Tue Sep 26 2017 Athmane Madjoudj - 2.3.1-2 +- Remove weak deps, paramiko does not support recent gssapi (rhbz #1496148) + +* Sat Sep 23 2017 Athmane Madjoudj - 2.3.1-1 +- Update to 2.3.1 (rhbz #1494764) + +* Wed Sep 20 2017 Paul Howarth - 2.3.0-1 +- 2.3.0. + +* Thu Jul 27 2017 Fedora Release Engineering - 2.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 14 2017 Paul Howarth - 2.2.1-1 +- 2.2.1. + +* Sun Jun 11 2017 Paul Howarth - 2.2.0-1 +- 2.2.0. + +* Wed Feb 22 2017 Paul Howarth - 2.1.2-1 +- 2.1.2. + +* Sat Feb 11 2017 Fedora Release Engineering - 2.1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Miro Hrončok - 2.1.1-2 +- Rebuild for Python 3.6 + +* Fri Dec 16 2016 Jon Ciesla - 2.1.1-1 +- 2.1.1. + +* Fri Dec 09 2016 Jon Ciesla - 2.1.0-1 +- 2.1.0. + +* Fri Dec 09 2016 Jon Ciesla - 2.0.2-1 +- 2.0.2. + +* Tue Jul 19 2016 Fedora Release Engineering - 2.0.0-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages * Fri Apr 29 2016 Igor Gnatenko - 2.0.0-1 - Update to 2.0.0 (RHBZ #1331737)