PyPI: Paradrop

CVE-2018-1000808

Transitive

Safety vulnerability ID: 37490

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 08, 2018 Updated at Mar 22, 2023

Advisory

Paradrop 0.13.0 updates its dependency pyOpenSSL to v17.5.0 to include a security fix.

Affected package

paradrop

Latest version: 0.13.2

ParaDrop wireless virtualization

Affected versions

Fixed versions

Vulnerability changelog

Features

* Enable chutes to install multiple services (e.g. a webserver and a database) as separate containers.
* Major rework of chute configuration syntax to support composing. Please refer to https://paradrop.readthedocs.io/en/v0.12.1/api/chute-configuration.html for details about the new syntax.
* Enable listing of devices connected to LAN bridge (e.g. a wired security camera).
* Enable multiple users to access a node with different permission sets.
* Add ownership information to installed chutes and enforce user access rights.
* Add a trusted user role that can install, update, and remove chutes as long as the changes do not impact another user's chute.
* Enable downloading chute source from git over SSH to work with Paradrop-hosted private repositories.
* Add a settings file for configuration variables that were previously only exposed through environment variables.
* Enable concurrency during the chute build process to provide a better experience when multiple users are sharing access to a node.
* Block chutes from creating monitor mode WiFi interfaces due to continued stability issues. Device owners can override this change in the settings file.

Severity Details

CVSS Base Score

MEDIUM 5.9

CVSS v3 Details

MEDIUM 5.9
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 4.3
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL