ALAS-2018-989

Amazon Linux 1 (EOL) Security Advisory: ALAS-2018-989
Advisory Released Date: 2018-04-05
Advisory Updated Date: 2018-04-05

Severity: Critical

References: CVE-2018-7750
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Authentication bypass in transport.py
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step. (CVE-2018-7750 )

Affected Packages:

python-paramiko

Issue Correction:
Run yum update python-paramiko to update your system.

New Packages:

noarch:
    python26-paramiko-1.15.1-2.6.amzn1.noarch
    python27-paramiko-1.15.1-2.6.amzn1.noarch

src:
    python-paramiko-1.15.1-2.6.amzn1.src

Additional References

Red Hat: CVE-2018-7750

Mitre: CVE-2018-7750