{"update": {"autokarma": true, "autotime": true, "stable_karma": 3, "stable_days": 7, "unstable_karma": -1, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey` subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using `os.open` and `os.fdopen` to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit 'chmod' in place to minimize any possible  disruption, though it may get removed in future backwards-incompatible updates).\n\n\n", "type": "security", "status": "stable", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2022-03-13 13:08:52", "date_modified": "2022-03-19 13:30:39", "date_approved": null, "date_testing": "2022-03-19 22:54:36", "date_stable": "2022-03-27 01:40:15", "alias": "FEDORA-2022-806492f1d1", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2022-03-27 01:40:15", "meets_testing_requirements": true, "url": "https://bodhi.stg.fedoraproject.org/updates/FEDORA-2022-806492f1d1", "title": "python-paramiko-2.10.3-1.fc34", "version_hash": "6b4eeef1ff49166934ac1933a41c66cada0a5d0b", "release": {"name": "F34", "long_name": "Fedora 34", "version": "34", "id_prefix": "FEDORA", "branch": "f34", "dist_tag": "f34", "stable_tag": "f34-updates", "testing_tag": "f34-updates-testing", "candidate_tag": "f34-updates-candidate", "pending_signing_tag": "f34-signing-pending", "pending_testing_tag": "f34-updates-testing-pending", "pending_stable_tag": "f34-updates-pending", "override_tag": "f34-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "pghmcfc", "email": "paul@city-fan.org", "id": 165, "avatar": "https://seccdn.libravatar.org/avatar/e6d92d9d894db58d2c7e8c1a627b669f062f35ef31fdaa8d8c7b57068b2416e1?s=24&d=retro", "openid": "pghmcfc.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "perl-maint-sig"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by pghmcfc. ", "timestamp": "2022-03-13 13:08:53", "update_id": 387164, "user_id": 91, "id": 2443403, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2022-03-13 13:08:53", "update_id": 387164, "user_id": 91, "id": 2443404, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2022-03-13 18:38:41", "update_id": 387164, "user_id": 91, "id": 2443722, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "pghmcfc edited this update.", "timestamp": "2022-03-18 13:29:51", "update_id": 387164, "user_id": 91, "id": 2449182, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "pghmcfc edited this update.\n\nNew build(s):\n\n- python-paramiko-2.10.3-1.fc34\n\nRemoved build(s):\n\n- python-paramiko-2.10.1-1.fc34\n\nKarma has been reset.", "timestamp": "2022-03-19 13:30:35", "update_id": 387164, "user_id": 91, "id": 2450230, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by pghmcfc. ", "timestamp": "2022-03-19 13:30:39", "update_id": 387164, "user_id": 91, "id": 2450231, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2022-03-19 22:55:06", "update_id": 387164, "user_id": 91, "id": 2450526, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi. ", "timestamp": "2022-03-26 22:54:42", "update_id": 387164, "user_id": 91, "id": 2459308, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2022-03-27 01:40:41", "update_id": 387164, "user_id": 91, "id": 2459479, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "python-paramiko-2.10.3-1.fc34", "signed": true, "release_id": 47, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 2063488, "title": "python-paramiko-2.10.1 is available", "security": false, "parent": false, "feedback": []}, {"bug_id": 2065665, "title": "CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function", "security": true, "parent": true, "feedback": []}, {"bug_id": 2065666, "title": "CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function [fedora-all]", "security": true, "parent": false, "feedback": []}, {"bug_id": 2065882, "title": "python-paramiko-2.10.3 is available", "security": false, "parent": false, "feedback": []}], "updateid": "FEDORA-2022-806492f1d1", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}