CVE-2018-7750

Priority
Description
transport.py in the SSH server implementation of Paramiko before 1.17.6,
1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before
2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check
whether authentication is completed before processing other requests, as
demonstrated by channel-open. A customized SSH client can simply skip the
authentication step.
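The version ranges above, as an added example that is not part of the original advisory or of Paramiko itself: a check that tells whether a plain upstream Paramiko version predates the fix on its release branch. The function names are hypothetical, and branches newer than 2.4.x are assumed unaffected because the description does not list them.

```python
import re
from importlib import metadata

# First fixed release on each branch, taken from the description above.
FIXED = {
    (1, 18): (1, 18, 5),
    (2, 0): (2, 0, 8),
    (2, 1): (2, 1, 5),
    (2, 2): (2, 2, 3),
    (2, 3): (2, 3, 2),
    (2, 4): (2, 4, 1),
}
OLDEST_FIXED = (1, 17, 6)  # "before 1.17.6" covers every earlier release


def parse_version(text):
    """Parse a plain upstream version such as '2.4.0' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        # Distro revisions ('-1ubuntu0.1') and pre-release tags are rejected
        # on purpose: their fix status cannot be read off the upstream number.
        raise ValueError(f"not a plain upstream version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """Return True if this upstream version is in a range the advisory lists."""
    v = parse_version(version_text)
    if v < OLDEST_FIXED:
        return True
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v < fixed
    # 1.17.x from 1.17.6 on, and branches the advisory does not list.
    return False


def installed_paramiko_affected():
    """Check the Paramiko visible to this interpreter; None if not installed."""
    try:
        return is_affected(metadata.version("paramiko"))
    except metadata.PackageNotFoundError:
        return None
```

A distribution package can carry the fix under an older upstream number, as the Ubuntu releases listed below do, so judge those by the package version rather than by this check.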
Ubuntu-Description
Matthijs Kooijman discovered that Paramiko's SSH server implementation
did not properly require authentication before processing requests. An
unauthenticated remote attacker could possibly use this to execute
arbitrary code.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (1.7.7.1-2ubuntu1.1)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.10.1-1git1ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.16.0-1ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.0.0-1ubuntu1)
Patches:
Upstream: https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516

Updated: 2019-03-19 12:31:12 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)