From d6e57d34bafb65c6ce62a022d1b509f35cf82d49 Mon Sep 17 00:00:00 2001
From: Jeff Forcier
Date: Tue, 6 Jun 2017 13:26:13 -0700
Subject: Partially apply #983 for 2.0+
---
 paramiko/transport.py | 2 +-
 sites/www/changelog.rst | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/paramiko/transport.py b/paramiko/transport.py
index 4a3ae8f4..802b496f 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -113,10 +113,10 @@ class Transport(threading.Thread, ClosingContextManager):
 _preferred_macs = (
 'hmac-sha2-256',
 'hmac-sha2-512',
+ 'hmac-sha1',
 'hmac-md5',
 'hmac-sha1-96',
 'hmac-md5-96',
- 'hmac-sha1',
 )
 _preferred_keys = (
 'ecdsa-sha2-nistp256',
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index ec1c09cb..9aead611 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,9 @@
 Changelog
 =========
+* :bug:`983` Move ``sha1`` above the now-arguably-broken ``md5`` in the list of
+ preferred MAC algorithms, as an incremental security improvement for users
+ whose target systems offer both. Credit: Pierce Lopez.
 * :bug:`667` The RC4/arcfour family of ciphers has been broken since version 2.0; but since the algorithm is now known to be completely insecure, we are opting to remove support outright instead of fixing it. Thanks to Alex Gaynor
--
cgit v1.2.1
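Review bot: The `_preferred_macs` tuple in paramiko/transport.py carries no comment saying that its order is the negotiation preference, and after this reorder `'hmac-md5'` still ranks above `'hmac-sha1-96'` while both MD5 entries remain on offer. Per RFC 4253 the MAC chosen is the first entry on the client's list that the server also supports, so the new order only changes the outcome when this Transport acts as the client; in server mode a peer that lists `hmac-md5` first would presumably still negotiate it. I would add a comment above the tuple such as `# Order is negotiation preference (first mutual match wins); MD5 MACs kept only for legacy peers.` so the next edit does not treat the order as cosmetic. Deployments that need MD5 excluded rather than deprioritised can narrow the list through `get_security_options().digests`. The Transport class body starts before and continues after this hunk.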