weak preferred kex in 16.04 LTS
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
paramiko (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Paramiko 1.* uses diffie-
This has been fixed upstream in paramiko 2.3.1:
https:/
It would be nice to land that in the latest LTS, probably as a security update.
It shouldn't have any impact, as long as diffie-
(maybe https:/
Thoughts?
information type: Public → Public Security
Changed in paramiko (Ubuntu):
importance: Undecided → Medium
..maybe it's worth mentioning that there is no way to change this preferred kex list from the outside (in a client app) before it's being used. Hence the requirement for the patch.
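
Added example, not part of the bug report or of paramiko's code: why the client's preferred kex order matters. Under the RFC 4253 selection rule (simplified here to ignore the host-key capability checks), the first method in the client's list that the server also offers is chosen, so a weak method ranked first wins whenever the server still supports it. The algorithm lists and the weak set below are constructed assumptions.

```python
# Assumption for this example: kex methods treated as weak (1024-bit group / SHA-1).
WEAK_KEX = frozenset({
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
})

# Constructed sample lists, not copied from paramiko or from the bug report.
CONSTRUCTED_CLIENT_ORDER = (
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha256",
)
CONSTRUCTED_SERVER_OFFER = (
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)


def negotiate_kex(client_prefs, server_algos):
    """First client method the server also offers (RFC 4253 s7.1, simplified)."""
    offered = set(server_algos)
    return next((name for name in client_prefs if name in offered), None)


def audit_preference(client_prefs, weak=WEAK_KEX):
    """Return (index, name) for each weak method ranked above a stronger one."""
    return [
        (idx, name)
        for idx, name in enumerate(client_prefs)
        if name in weak and any(n not in weak for n in client_prefs[idx + 1:])
    ]


def reorder_weak_last(client_prefs, weak=WEAK_KEX):
    """Keep every method (no interop loss) but move weak ones to the end."""
    strong = [n for n in client_prefs if n not in weak]
    return tuple(strong + [n for n in client_prefs if n in weak])


if __name__ == "__main__":
    fixed = reorder_weak_last(CONSTRUCTED_CLIENT_ORDER)
    print("before:", negotiate_kex(CONSTRUCTED_CLIENT_ORDER, CONSTRUCTED_SERVER_OFFER))
    print("after: ", negotiate_kex(fixed, CONSTRUCTED_SERVER_OFFER))
    print("findings:", audit_preference(CONSTRUCTED_CLIENT_ORDER))
```

Because the reordered list still contains every method, a server that offers only the weak method still negotiates; only the outcome against servers that offer something stronger changes.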