Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 495130 (CVE-2013-6890)

Summary: <app-admin/denyhosts-2.6-r9: remote denial of ssh service (CVE-2013-6890)
Product: Gentoo Security Reporter: Christoph Junghans (RETIRED) <junghans>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dastergon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://access.redhat.com/security/cve/CVE-2013-6890
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Christoph Junghans (RETIRED) gentoo-dev 2013-12-23 15:28:46 UTC 
In short, using something like:
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
can lead to blocking of 123.123.123.123 as the regex in denyhosts.py is not specific enough.

https://bugzilla.redhat.com/show_bug.cgi?id=1045982
http://seclists.org/oss-sec/2013/q4/535
http://www.debian.org/security/2013/dsa-2826
Comment 1 Agostino Sarubbo gentoo-dev 2013-12-23 15:37:12 UTC 
Thanks for the report
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-12-25 20:25:55 UTC 
CVE-2013-6890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6890):
  denyhosts 2.6 uses an incorrect regular expression when analyzing
  authentication logs, which allows remote attackers to cause a denial of
  service (incorrect block of IP addresses) via crafted login names.
Comment 3 Christoph Junghans (RETIRED) gentoo-dev 2014-01-06 01:54:35 UTC 
+*denyhosts-2.6-r9 (06 Jan 2014)
+
+  06 Jan 2014; Christoph Junghans <ottxor@gentoo.org> +denyhosts-2.6-r9.ebuild,
+  +files/denyhosts-2.6-cve-2013-6890.patch, +files/denyhosts.init-r2,
+  metadata.xml:
+  fixed remote denial of ssh service (CVE-2013-6890, bug #495130), added purge
+  command to init.d script (bug #486730) and added me as maintainer
+
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-06 03:25:23 UTC 
Arches, please test and stabilize:
=app-admin/denyhosts-2.6-r9
Target arches: alpha amd64 arm hppa ppc sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-06 09:24:15 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-06 09:24:29 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-06 09:25:10 UTC 
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-06 09:25:52 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-06 09:42:18 UTC 
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-06 09:42:41 UTC 
ppc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-06 21:59:13 UTC 
Stable for HPPA.
Comment 12 Christoph Junghans (RETIRED) gentoo-dev 2014-01-08 22:25:18 UTC 
@creffett: why ia64?
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-08 23:16:37 UTC 
Unintentional, must have accidentally clicked it while selecting arches. @maintainers: please clean up, @security, voting time, GLSA vote: yes.
Comment 14 Christoph Junghans (RETIRED) gentoo-dev 2014-01-09 01:07:59 UTC 
+  09 Jan 2014; Christoph Junghans <ottxor@gentoo.org> -denyhosts-2.6-r8.ebuild:
+  remove vulnerable version (bug #495130)
+
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:56:59 UTC 
Maintainer(s), Thank you for cleanup!

Security please Vote!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:55:47 UTC 
GLSA Vote: Yes
Created a New GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-06-25 21:34:51 UTC 
This issue was resolved and addressed in
 GLSA 201406-23 at http://security.gentoo.org/glsa/glsa-201406-23.xml
by GLSA coordinator Mikle Kolyada (Zlogene).