CVE-2018-7750

Priority
Description
transport.py in the SSH server implementation of Paramiko before 1.17.6,
1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before
2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check
whether authentication is completed before processing other requests, as
demonstrated by channel-open. A customized SSH client can simply skip the
authentication step.
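The missing check can be modeled as a gate in the server's message dispatcher. The sketch below is an added example, not Paramiko's transport.py or the upstream patch: the class, handler names and credentials are hypothetical, and only the message numbers (from RFC 4250) are real. It runs the same constructed message sequence with and without the gate.

```python
# Added illustration: a simplified model, not Paramiko's transport.py.
# Message numbers come from RFC 4250; all class/function names are hypothetical.
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
HIGHEST_USERAUTH_MESSAGE_ID = 79  # RFC 4250: 50-79 is the userauth range
MSG_GLOBAL_REQUEST = 80
MSG_CHANNEL_OPEN = 90


class ServerTransport:
    """Toy server-side dispatcher; enforce_auth=False models the flawed behaviour."""

    def __init__(self, enforce_auth=True):
        self.enforce_auth = enforce_auth
        self.authenticated = False
        self.open_channels = 0

    def _needs_auth(self, ptype):
        # Transport (1-49) and userauth (50-79) messages are legal before
        # login; connection-protocol messages (80 and up) are not.
        return ptype > HIGHEST_USERAUTH_MESSAGE_ID and not self.authenticated

    def dispatch(self, ptype, payload=None):
        if self.enforce_auth and self._needs_auth(ptype):
            return "rejected"  # refuse instead of running the handler
        if ptype == MSG_USERAUTH_REQUEST:
            # Constructed credential check, for the demo only.
            self.authenticated = payload == ("alice", "correct-password")
            return "auth-ok" if self.authenticated else "auth-failed"
        if ptype == MSG_CHANNEL_OPEN:
            self.open_channels += 1
            return "channel-opened"
        if ptype == MSG_GLOBAL_REQUEST:
            return "request-handled"
        return "ignored"


def replay(enforce_auth, messages):
    """Feed a constructed (ptype, payload) sequence to a fresh transport."""
    transport = ServerTransport(enforce_auth)
    return [transport.dispatch(ptype, payload) for ptype, payload in messages]
```

The gate keys on the message class rather than on individual handlers, so a connection-protocol message type added later is covered without a separate check.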
Ubuntu-Description
Matthijs Kooijman discovered that Paramiko's SSH server implementation
did not properly require authentication before processing requests. An
unauthenticated remote attacker could possibly use this to execute
arbitrary code.
Notes
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (1.7.7.1-2ubuntu1.1)
Ubuntu 14.04 ESM (Trusty Tahr): released (1.10.1-1git1ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.16.0-1ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.0.0-1ubuntu1)
Patches:
Upstream: https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516
More Information

Updated: 2020-09-10 06:03:27 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)