CVE-2007-4323: DenyHosts DoS vulnerability

Related Vulnerabilities: CVE-2007-4323, CVE-2006-6301

Debian Bug report logs - #438162
CVE-2007-4323: DenyHosts DoS vulnerability


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 15 Aug 2007 19:03:03 UTC

Severity: grave

Tags: etch, security

Found in version denyhosts/2.6-1

Fixed in versions denyhosts/2.6-2.1, denyhosts/2.6-1etch4

Done: Martin Zobel-Helas <zobel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Marco Bertorello <marco@bertorello.ns0.it>:
Bug#438162; Package denyhosts.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Marco Bertorello <marco@bertorello.ns0.it>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-4323: DenyHosts DoS vulnerability
Date: Wed, 15 Aug 2007 21:00:45 +0200
Package: denyhosts
Version: 2.6-1
Severity: grave
Tags: security
Justification: user security hole

From CVE-2007-4323:
"DenyHosts 2.6 does not properly parse sshd log files, which allows
remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the
sshd log file, as demonstrated by logging in via ssh with a client
protocol version identification containing an IP address string, a
different vector than CVE-2006-6301."

Please mention the CVE id in the changelog.
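
The CVE text quoted above names the vector but not the parsing mistake behind it. The following Python is an added illustration written for this page; it is not DenyHosts code and not the dpatch referred to later in this log. It models a log watcher that extracts the offending address from sshd lines in two ways. The weak extractor takes the first IPv4 literal found anywhere on a failure line, which is what lets a client-supplied protocol version string (or, in the related CVE-2006-6301 vector, a crafted user name) plant an arbitrary address in /etc/hosts.deny. The hardened extractor accepts only sshd's own message prefix and takes the peer address from the final "from <addr>" that sshd appends after any client-controlled text. The log lines and both regular expressions are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sshd log lines for this example (not from the bug report).
# 192.0.2.10 is an innocent host; 198.51.100.23 is the attacker. Line 3 models
# the CVE-2007-4323 vector: the client announces a protocol version string that
# embeds an IP literal, and sshd echoes that string into its own message.
# Line 5 models the related CVE-2006-6301 vector with a crafted user name.
SAMPLE_LOG = """\
Aug 15 20:59:01 host sshd[1204]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Aug 15 20:59:07 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Aug 15 20:59:30 host sshd[1215]: Bad protocol version identification 'SSH-2.0-x from 192.0.2.10' from 198.51.100.23
Aug 15 20:59:44 host sshd[1219]: Did not receive identification string from 198.51.100.23
Aug 15 21:00:02 host sshd[1222]: Failed password for invalid user bob from 192.0.2.10 port 22 ssh2 from 198.51.100.23 port 40118 ssh2
"""

# sshd messages the watcher counts as a failed attempt.
FAILURE_MARKERS = (
    "Failed password",
    "Bad protocol version identification",
    "Did not receive identification string",
)

# Weak extraction (an assumed simplification, not DenyHosts's actual regex):
# the first IPv4-looking token anywhere on the line is blamed.
ANY_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def naive_offenders(log):
    """Hosts an unanchored scan would add to hosts.deny, in log order."""
    hosts = []
    for line in log.splitlines():
        if any(marker in line for marker in FAILURE_MARKERS):
            match = ANY_IPV4.search(line)
            if match:
                hosts.append(match.group(0))
    return hosts


# Hardened extraction: require the syslog/sshd prefix, require the failure
# marker at the start of sshd's message, and take the peer address only from
# the final "from <addr>[ port N][ sshN]" that sshd appends after any
# client-controlled text. An IPv4-mapped IPv6 prefix is stripped first.
SSHD_LINE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: (?P<msg>.*)$")
TRAILING_FROM = re.compile(
    r" from (?:::ffff:)?(?P<host>[0-9A-Fa-f.:]+)(?: port \d+)?(?: ssh\d)?$")


def hardened_offenders(log):
    """Hosts the anchored parser would add to hosts.deny, deduplicated."""
    hosts = []
    for line in log.splitlines():
        prefix = SSHD_LINE.match(line)
        if not prefix:
            continue
        msg = prefix.group("msg")
        if not msg.startswith(FAILURE_MARKERS):
            continue
        tail = TRAILING_FROM.search(msg)
        if not tail:
            continue
        try:
            host = str(ipaddress.ip_address(tail.group("host")))
        except ValueError:
            continue  # not a real address: refuse rather than guess
        if host not in hosts:
            hosts.append(host)
    return hosts


def hosts_deny_lines(hosts):
    """Render the entries a watcher would append to /etc/hosts.deny."""
    return ["sshd: %s" % host for host in hosts]


if __name__ == "__main__":
    print("naive:   ", naive_offenders(SAMPLE_LOG))
    print("hardened:", hardened_offenders(SAMPLE_LOG))
    print("\n".join(hosts_deny_lines(hardened_offenders(SAMPLE_LOG))))
```

Running the block prints both lists; only the anchored parser keeps 192.0.2.10 out of the deny list. The end-of-line anchor is the part that matters: sshd always places the real peer address last in these messages, so text the client controls (banner or user name) can never reach the captured group. The same discipline applies to any log-driven blocker that turns log text into hosts.deny or firewall entries.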



Information forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>:
Bug#438162; Package denyhosts.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.


Message #10 received at 438162@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 438162@bugs.debian.org
Subject: Re: CVE-2007-4323: DenyHosts DoS vulnerability
Date: Thu, 16 Aug 2007 02:50:40 +0200
Hi,
I intend to upload an NMU to fix this problem; attached is a
patch which should fix CVE-2007-4323.
I know it's a bit early for an NMU announcement but I thought it
might be useful since it also includes a patch for the
problem. So feel free to use it and upload yourself.

The patch is also archived on:
http://people.debian.org/~nion/nmu-diff/denyhosts-2.6-2_2.6-2.1.patch

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[denyhosts-2.6-2_2.6-2.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #15 received at 438162-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 438162-close@bugs.debian.org
Subject: Bug#438162: fixed in denyhosts 2.6-2.1
Date: Fri, 17 Aug 2007 12:47:04 +0000
Source: denyhosts
Source-Version: 2.6-2.1

We believe that the bug you reported is fixed in the latest version of
denyhosts, which is due to be installed in the Debian FTP archive:

denyhosts_2.6-2.1.diff.gz
  to pool/main/d/denyhosts/denyhosts_2.6-2.1.diff.gz
denyhosts_2.6-2.1.dsc
  to pool/main/d/denyhosts/denyhosts_2.6-2.1.dsc
denyhosts_2.6-2.1_all.deb
  to pool/main/d/denyhosts/denyhosts_2.6-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 438162@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated denyhosts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 16 Aug 2007 02:41:59 +0200
Source: denyhosts
Binary: denyhosts
Architecture: source all
Version: 2.6-2.1
Distribution: unstable
Urgency: high
Maintainer: Marco Bertorello <marco@bertorello.ns0.it>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 denyhosts  - an utility to help sys admins thwart ssh hackers
Closes: 438162
Changes: 
 denyhosts (2.6-2.1) unstable; urgency=high
 .
   * Non-maintainer upload for testing security team
   * Included 07_fix_CVE-2007-4323.dpatch to fix
     CVE-2007-4323 (Closes: #438162).
Files: 
 a04e227f2332ad4696ee40a764ccd9e5 713 net optional denyhosts_2.6-2.1.dsc
 4e537f64be9aa32414a3f03722bdcc31 33975 net optional denyhosts_2.6-2.1.diff.gz
 ae56cd77766be74a7b731ac5350299fb 62784 net optional denyhosts_2.6-2.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGw5/yHYflSXNkfP8RAosUAKCsoUMbMD5scAfZKi5V1eWYNwA4CQCeIwCR
ZQz2rC8O0AYDFpfSBVOnGP8=
=QqN0
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>:
Bug#438162; Package denyhosts.


Acknowledgement sent to Raphael Geissert <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.


Message #20 received at 438162@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: 438162@bugs.debian.org
Cc: control@bugs.debian.org, Nico Golde <nion@debian.org>
Subject: Reopening: package in etch is still vulnerable
Date: Sun, 7 Oct 2007 21:38:43 -0500
reopen 438162 =
tags 438162 etch
thanks

Package version in etch is 2.6-1 which is affected.

-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Bug reopened, originator not changed. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Mon, 08 Oct 2007 02:42:06 GMT)


Tags added: etch Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Mon, 08 Oct 2007 02:42:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>:
Bug#438162; Package denyhosts.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.


Message #29 received at 438162@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Raphael Geissert <atomo64@gmail.com>, 438162@bugs.debian.org
Cc: 438162-done@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#438162: Reopening: package in etch is still vulnerable
Date: Mon, 8 Oct 2007 11:11:13 +0200
found 438162 2.6-1
fixed 438162 2.6-2.1
thanks

Hi Raphael,
* Raphael Geissert <atomo64@gmail.com> [2007-10-08 11:04]:
> reopen 438162 =
> tags 438162 etch
> thanks
> 
> Package version in etch is 2.6-1 which is affected.

I closed this bug again; there is no need to keep it open,
that's what we have version tracking for.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug marked as found in version 2.6-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 08 Oct 2007 09:57:11 GMT)


Bug marked as fixed in version 2.6-2.1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 08 Oct 2007 09:57:11 GMT)


Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Reply sent to Martin Zobel-Helas <zobel@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #43 received at 438162-close@bugs.debian.org:

From: Martin Zobel-Helas <zobel@debian.org>
To: 438162-close@bugs.debian.org
Subject: Bug#438162: fixed in denyhosts 2.6-1etch4
Date: Sat, 26 Jan 2008 19:52:14 +0000
Source: denyhosts
Source-Version: 2.6-1etch4

We believe that the bug you reported is fixed in the latest version of
denyhosts, which is due to be installed in the Debian FTP archive:

denyhosts_2.6-1etch4.diff.gz
  to pool/main/d/denyhosts/denyhosts_2.6-1etch4.diff.gz
denyhosts_2.6-1etch4.dsc
  to pool/main/d/denyhosts/denyhosts_2.6-1etch4.dsc
denyhosts_2.6-1etch4_all.deb
  to pool/main/d/denyhosts/denyhosts_2.6-1etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 438162@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Zobel-Helas <zobel@debian.org> (supplier of updated denyhosts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 26 Jan 2008 00:19:15 +0100
Source: denyhosts
Binary: denyhosts
Architecture: source all
Version: 2.6-1etch4
Distribution: stable
Urgency: low
Maintainer: Marco Bertorello <marco@bertorello.ns0.it>
Changed-By: Martin Zobel-Helas <zobel@debian.org>
Description: 
 denyhosts  - an utility to help sys admins thwart ssh hackers
Closes: 438162
Changes: 
 denyhosts (2.6-1etch4) stable; urgency=low
 .
   * Non-maintainer upload by SRM
   * Included 07_fix_CVE-2007-4323.dpatch to fix
     CVE-2007-4323 (Closes: #438162).
Files: 
 cf66b8e39f3744f7484a02320c6c96a4 719 net optional denyhosts_2.6-1etch4.dsc
 313d73176594555196c0088d8d1a70a9 33801 net optional denyhosts_2.6-1etch4.diff.gz
 f39aa3b7fffda9c8f41e2b051550e3dd 62434 net optional denyhosts_2.6-1etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHmnqqST77jl1k+HARAqMTAJwKZagENZuZFBaMPIZSV+TSlX9GcwCg3Lna
Yz9whkJMG7iq+gbMtnLG4JA=
=Bynn
-----END PGP SIGNATURE-----





Reply sent to Martin Zobel-Helas <zobel@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #48 received at 438162-close@bugs.debian.org:

From: Martin Zobel-Helas <zobel@debian.org>
To: 438162-close@bugs.debian.org
Subject: Bug#438162: fixed in denyhosts 2.6-1etch4
Date: Sat, 16 Feb 2008 12:17:04 +0000
Source: denyhosts
Source-Version: 2.6-1etch4

(Body, signed .changes file and file checksums identical to Message #43 above.)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Mar 2008 07:32:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:45:23 2019
