Bug#: 181213
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Description:   Opened: 2007-06-07 17:08 0000
Another log injection issue in denyhosts.

------- Comment #1 From Raphael Marichez 2007-06-28 09:33:28 0000 -------
Adding netmon herd. This is a whole SSH DoS issue. The initial fix seems
incomplete, I sent you an email.

------- Comment #2 From Benjamin Smee (strerror) (RETIRED) 2007-06-28 12:01:47 0000 -------
Waiting on reply from upstream.

From my perspective this is an upstream issue. If I'm getting to the stage
where I have to maintain a patchset from the main codebase then I'd rather just
yank it from the tree as I'm not interested in maintaining security patches for
what is after all meant to be a security tool.

------- Comment #3 From Raphael Marichez 2007-06-28 12:21:42 0000 -------
Thanks for your reply, let's hope that upstream will fix this, otherwise we
will have to mask this package.

------- Comment #4 From Tavis Ormandy (RETIRED) 2007-06-28 18:06:49 0000 -------
I think we should yank it, even if he does fix it, local users can still attack
it with logger.

------- Comment #5 From Pierre-Yves Rofes 2007-07-16 14:58:57 0000 -------
Benjamin, any news from upstream?

------- Comment #6 From Peter Volkov 2007-09-13 15:13:55 0000 -------
I agree that this is an upstream issue. But while we are waiting for news from
UPSTREAM I've bumped the ebuild with the fixes from Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=237449
https://bugzilla.redhat.com/show_bug.cgi?id=244943
It should address this log injection.

Now I'm not sure what is best to do: stabilize or mask. Taking a short look at
the forums, I'd say that users use it and it's better to keep it. But personally I do
not use this tool, so I'd like somebody else to make this decision.

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-09-24 16:22:31 0000 -------
I think we should mask this one.

------- Comment #8 From Robert Buchholz 2007-09-24 18:08:13 0000 -------
(In reply to comment #7)
> I think we should mask this one.

Why? Masking doesn't make anything easier for us than stabling this.

It should be the maintainer's decision to Last-Rite and not that of Security
once a security issue is fixed.

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-09-24 18:18:36 0000 -------
@rbu It was just my personal opinion.

Arches please test and mark stable. Target keywords are:

denyhosts-2.6-r1.ebuild:KEYWORDS="alpha amd64 hppa ~ppc sparc x86"

------- Comment #10 From Christian Faulhammer 2007-09-24 18:25:49 0000 -------
x86 stable

------- Comment #11 From Jeroen Roovers 2007-09-25 00:26:06 0000 -------
Stable for HPPA.

------- Comment #12 From Raúl Porcel 2007-09-25 14:28:27 0000 -------
alpha/sparc stable

------- Comment #13 From Philippe Chaintreuil 2007-09-26 17:11:31 0000 -------
By the way, I just wanted to throw in my two cents as a user of this package.

I find it a helpful and useful program, and would be very sad if it was removed
from the tree.

It is a little sad that UPSTREAM seems to be losing interest in this program. 
He's getting slower and slower about fixing/improving things.  But I'd rather
have this program than not have it.  Additionally I appreciate the maintainers
of this ebuild for keeping it patched & working when it matters -- especially
when UPSTREAM is slow/appears dead.


> local users can still attack it with logger.

I trust my local users -- that's why they have accounts.  I don't trust people
trying to break into my machine from the internet -- that's why I use this
program.

<rant>
I know, I know.... layers of security ... an onion....  But that's hog-wash if
I don't have a defense from random people running scripts against my box from
all over the world at all hours of the day.  At least if a local user starts
doing something strange, I know where they live and can go smack them upside
the head.  Plane tickets to China are too expensive.
</rant>

------- Comment #14 From Robert Buchholz 2007-09-29 00:59:20 0000 -------
This is CVE-2007-4323.

------- Comment #15 From Steve Dibb 2007-09-29 02:19:03 0000 -------
amd64 stable

------- Comment #16 From Robert Buchholz 2007-09-29 09:00:19 0000 -------
B3 -> [glsa?]

Please vote.

------- Comment #17 From Raphael Marichez 2007-10-02 21:21:21 0000 -------
It can block SSH connections from everywhere. I vote yes.

------- Comment #18 From Pierre-Yves Rofes 2007-10-06 13:32:19 0000 -------
Voting yes too, request filed.

------- Comment #19 From Pierre-Yves Rofes 2007-10-13 12:11:02 0000 -------
GLSA 200710-14, sorry for the delay.
