PyPi: Rucio

CVE-2022-24302

Transitive

Safety vulnerability ID: 64133

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 17, 2022 Updated at Dec 12, 2024

Advisory

Rucio 1.28.1 upgrades its paramiko dependency from 2.7.2 to 2.10.3 because of CVE-2022-24302.
https://github.com/rucio/rucio/pull/5416/commits/01fdec153b63e12299d953ff00346ad1ff7105c5

Affected package

rucio

Latest version: 36.0.0

Rucio Package

Affected versions

Fixed versions

Vulnerability changelog

General

Enhancements

- Consistency checks: Drop references to the AGIS-API endpoint to fix the auditor 5226
- Core & Internals: Oracle hints for list_bad_* have a plus too much 5411
- Deletion: Heartbeat is never refreshed for the Dark Reaper 5374
- Recovery: Too many execution of get_bad_replicas_backlog 5433
- Release management: Update paramiko dependency due to security advisory 5412
- Rules: rucio update-rule --locked is case sensitive 5356
- Testing: Disable the add header CI/CD job 5389
- Transfers: implement cross-transfertool multihop 5403
- Transfers: allow prioritization between two multihops 5408
- Transfers: Flag transfer errors coming from tape sources 5410
- Transfers: reduce verbosity of submitter on INFO level 5413

Bugs

- Core & Internals: Bug in delete_dids when bad files are declared 5387
- Transfers: Incorrect number of format arguments in one submitter log 5405
- Transfers: Preparer bulk size argument not used 5430

Clients

Bugs

- Clients: Bug in the upload client for cloud resources 5354
- Clients: Problem to print the summary when using rucio add-lifetime-exception 5427

Resources


Severity Details

CVSS Base Score

MEDIUM 5.9

CVSS v3 Details

MEDIUM 5.9
- Attack Vector (AV): NETWORK
- Attack Complexity (AC): HIGH
- Privileges Required (PR): NONE
- User Interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality Impact (C): HIGH
- Integrity Impact (I): NONE
- Availability Impact (A): NONE

CVSS v2 Details

MEDIUM 4.3
- Access Vector (AV): NETWORK
- Access Complexity (AC): MEDIUM
- Authentication (Au): NONE
- Confidentiality Impact (C): PARTIAL
- Integrity Impact (I): NONE
- Availability Impact (A): NONE