diff --git a/.gitignore b/.gitignore
index c11b72e..d6097fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,7 +18,12 @@
 /paramiko-2.1.2.tar.gz
 /paramiko-2.2.0.tar.gz
 /paramiko-2.2.1.tar.gz
+/paramiko-2.2.2.tar.gz
+/paramiko-2.2.3.tar.gz
 /paramiko-2.3.0.tar.gz
 /paramiko-2.3.1.tar.gz
+/paramiko-2.3.2.tar.gz
+/paramiko-2.3.3.tar.gz
 /paramiko-2.4.0.tar.gz
 /paramiko-2.4.1.tar.gz
+/paramiko-2.4.2.tar.gz
diff --git a/paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch b/paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch
deleted file mode 100644
index ee4815e..0000000
--- a/paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -ru paramiko-2.3.1.orig/paramiko/ssh_gss.py paramiko-2.3.1/paramiko/ssh_gss.py
---- paramiko-2.3.1.orig/paramiko/ssh_gss.py	2017-09-22 21:15:16.000000000 +0100
-+++ paramiko-2.3.1/paramiko/ssh_gss.py	2017-10-29 21:16:08.071429184 +0100
-@@ -51,7 +51,12 @@
- 
- try:
-     import gssapi
--    GSS_EXCEPTIONS = (gssapi.GSSException,)
-+    try:
-+        GSS_EXCEPTIONS = (gssapi.GSSException,)
-+    except AttributeError:
-+        # Unsupported GSS API
-+        GSS_AUTH_AVAILABLE = False
-+        _API = None
- except (ImportError, OSError):
-     try:
-         import pywintypes
diff --git a/paramiko-2.4.1-drop-pytest-relaxed.patch b/paramiko-2.4.1-drop-pytest-relaxed.patch
deleted file mode 100644
index 91158eb..0000000
--- a/paramiko-2.4.1-drop-pytest-relaxed.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff --git a/tests/test_client.py b/tests/test_client.py
-index 7163fdc..947e4b3 100644
---- a/tests/test_client.py
-+++ b/tests/test_client.py
-@@ -33,7 +33,7 @@ import warnings
- import weakref
- from tempfile import mkstemp
- 
--from pytest_relaxed import raises
-+from pytest import raises
- 
- import paramiko
- from paramiko.pkey import PublicBlob
-@@ -656,10 +656,10 @@ class PasswordPassphraseTests(ClientTest):
- 
-     # TODO: more granular exception pending #387; should be signaling "no auth
-     # methods available" because no key and no password
--    @raises(SSHException)
-     def test_passphrase_kwarg_not_used_for_password_auth(self):
--        # Using the "right" password in the "wrong" field shouldn't work.
--        self._test_connection(passphrase='pygmalion')
-+        with raises(SSHException):
-+            # Using the "right" password in the "wrong" field shouldn't work.
-+            self._test_connection(passphrase='pygmalion')
- 
-     def test_passphrase_kwarg_used_for_key_passphrase(self):
-         # Straightforward again, with new passphrase kwarg.
-@@ -675,12 +675,12 @@ class PasswordPassphraseTests(ClientTest):
-             password='television',
-         )
- 
--    @raises(AuthenticationException) # TODO: more granular
-     def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(self): # noqa
--        # Sanity: if we're given both fields, the password field is NOT used as
--        # a passphrase.
--        self._test_connection(
--            key_filename=_support('test_rsa_password.key'),
--            password='television',
--            passphrase='wat? lol no',
--        )
-+        with raises(AuthenticationException): # TODO: more granular
-+            # Sanity: if we're given both fields, the password field is NOT used as
-+            # a passphrase.
-+            self._test_connection(
-+                key_filename=_support('test_rsa_password.key'),
-+                password='television',
-+                passphrase='wat? lol no',
-+            )
diff --git a/paramiko-2.4.2-disable-gssapi-on-unsupported-version.patch b/paramiko-2.4.2-disable-gssapi-on-unsupported-version.patch
new file mode 100644
index 0000000..0913f68
--- /dev/null
+++ b/paramiko-2.4.2-disable-gssapi-on-unsupported-version.patch
@@ -0,0 +1,17 @@
+diff -up paramiko-2.4.2/paramiko/ssh_gss.py.orig paramiko-2.4.2/paramiko/ssh_gss.py
+--- paramiko-2.4.2/paramiko/ssh_gss.py.orig	2018-09-19 05:16:40.000000000 +0100
++++ paramiko-2.4.2/paramiko/ssh_gss.py	2018-10-09 09:15:46.083966972 +0100
+@@ -52,7 +52,12 @@ _API = "MIT"
+ try:
+     import gssapi
+ 
+-    GSS_EXCEPTIONS = (gssapi.GSSException,)
++    try:
++        GSS_EXCEPTIONS = (gssapi.GSSException,)
++    except AttributeError:
++        # Unsupported GSS API
++        GSS_AUTH_AVAILABLE = False
++        _API = None
+ except (ImportError, OSError):
+     try:
+         import pywintypes
diff --git a/paramiko-2.4.2-drop-pytest-relaxed.patch b/paramiko-2.4.2-drop-pytest-relaxed.patch
new file mode 100644
index 0000000..8c37fbe
--- /dev/null
+++ b/paramiko-2.4.2-drop-pytest-relaxed.patch
@@ -0,0 +1,49 @@
+diff -up ./tests/test_client.py.relaxed ./tests/test_client.py
+--- ./tests/test_client.py.relaxed	2018-09-19 05:16:40.000000000 +0100
++++ ./tests/test_client.py	2018-10-09 09:47:51.837994509 +0100
+@@ -33,7 +33,7 @@ import warnings
+ import weakref
+ from tempfile import mkstemp
+ 
+-from pytest_relaxed import raises
++from pytest import raises
+ 
+ import paramiko
+ from paramiko.pkey import PublicBlob
+@@ -662,10 +662,10 @@ class PasswordPassphraseTests(ClientTest
+ 
+     # TODO: more granular exception pending #387; should be signaling "no auth
+     # methods available" because no key and no password
+-    @raises(SSHException)
+     def test_passphrase_kwarg_not_used_for_password_auth(self):
+-        # Using the "right" password in the "wrong" field shouldn't work.
+-        self._test_connection(passphrase="pygmalion")
++        with raises(SSHException):
++            # Using the "right" password in the "wrong" field shouldn't work.
++            self._test_connection(passphrase='pygmalion')
+ 
+     def test_passphrase_kwarg_used_for_key_passphrase(self):
+         # Straightforward again, with new passphrase kwarg.
+@@ -683,14 +683,14 @@ class PasswordPassphraseTests(ClientTest
+             password="television",
+         )
+ 
+-    @raises(AuthenticationException)  # TODO: more granular
+     def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(
+         self
+     ):  # noqa
+-        # Sanity: if we're given both fields, the password field is NOT used as
+-        # a passphrase.
+-        self._test_connection(
+-            key_filename=_support("test_rsa_password.key"),
+-            password="television",
+-            passphrase="wat? lol no",
+-        )
++        with raises(AuthenticationException): # TODO: more granular
++            # Sanity: if we're given both fields, the password field is NOT used as
++            # a passphrase.
++            self._test_connection(
++                key_filename=_support('test_rsa_password.key'),
++                password='television',
++                passphrase='wat? lol no',
++            )
diff --git a/python-paramiko.spec b/python-paramiko.spec
index 8f262dc..0708d77 100644
--- a/python-paramiko.spec
+++ b/python-paramiko.spec
@@ -1,19 +1,19 @@
 %global srcname paramiko
 
 Name:          python-%{srcname}
-Version:       2.4.1
-Release:       5%{?dist}
+Version:       2.4.2
+Release:       1%{?dist}
 Summary:       SSH2 protocol library for python
 
 # No version specified.
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
-Patch0:        paramiko-2.3.1-disable-gssapi-on-unsupported-version.patch
+Patch0:        paramiko-2.4.2-disable-gssapi-on-unsupported-version.patch
 
 # pytest-relaxed needs pytest < 3.3, but we have 3.6
 # this patch removes the dependency on pytest-relaxed
-Patch1:        paramiko-2.4.1-drop-pytest-relaxed.patch
+Patch1:        paramiko-2.4.2-drop-pytest-relaxed.patch
 
 BuildArch:     noarch
 
@@ -37,6 +37,7 @@ BuildRequires: python2-devel
 BuildRequires: python2-setuptools
 BuildRequires: python2-bcrypt >= 3.1.3
 BuildRequires: python2-cryptography >= 1.5
+BuildRequires: python2-mock >= 2.0.0
 BuildRequires: python2-pyasn1 >= 0.1.7
 BuildRequires: python2-pynacl >= 1.0.1
 BuildRequires: python2-pytest
@@ -57,6 +58,7 @@ BuildRequires: python%{python3_pkgversion}-devel
 BuildRequires: python%{python3_pkgversion}-setuptools
 BuildRequires: python%{python3_pkgversion}-bcrypt >= 3.1.3
 BuildRequires: python%{python3_pkgversion}-cryptography >= 1.5
+BuildRequires: python%{python3_pkgversion}-mock >= 2.0.0
 BuildRequires: python%{python3_pkgversion}-pyasn1 >= 0.1.7
 BuildRequires: python%{python3_pkgversion}-pynacl >= 1.0.1
 BuildRequires: python%{python3_pkgversion}-pytest
@@ -120,6 +122,20 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %doc html/ demos/
 
 %changelog
+* Tue Oct  9 2018 Paul Howarth <paul@city-fan.org> - 2.4.2-1
+- Update to 2.4.2
+  - Fix exploit (GH#1283, CVE-2018-1000805) in Paramiko’s server mode (not
+    client mode) where hostile clients could trick the server into thinking
+    they were authenticated without actually submitting valid authentication
+  - Modify protocol message handling such that Transport does not respond to
+    MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED; this behavior probably
+    didn’t cause any outright errors, but it doesn’t seem to conform to the
+    RFCs and could cause (non-infinite) feedback loops in some scenarios
+    (usually those involving Paramiko on both ends)
+  - Add *.pub files to the MANIFEST so distributed source packages contain
+    some necessary test assets (GH#1262)
+- Test suite now requires mock ≥ 2.0.0
+
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
diff --git a/sources b/sources
index 79265ed..f64c41e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (paramiko-2.4.1.tar.gz) = 5a580d25e7911937f228ef4a2b89b5a1efd771f576c6c68cf1c36e1abbc38adbc6ad5dc91400de7112238fcf7803f5f26c13fe10be4af8a2a86af9398da7a8de
+SHA512 (paramiko-2.4.2.tar.gz) = 894c2ebfcfb35a84fe74670d0eb67022a49b7bf165f31acd929045c17509d8a2be111e8319f20513b5034efd033edc6432b2ca2e7027dc7e3c6703166a96790f