Another log injection issue in denyhosts.
Adding netmon herd. This is a whole SSH DoS issue. The initial fix seems incomplete, I sent you an email.
Waiting on reply from upstream.
From my perspective this is an upstream issue. If I'm getting to the stage where I have to maintain a patchset from the main codebase then I'd rather just yank it from the tree as I'm not interested in maintaining security patches for what is after all meant to be a security tool.
Thanks for your reply, let's hope that upstream will fix this, otherwise we will have to mask this package.
I think we should yank it, even if he does fix it, local users can still attack it with logger.
Benjamin, any news from upstream?
I agree that this is an upstream issue. But while we are waiting for news from UPSTREAM I've bumped the ebuild with the fixes from Red Hat:
It should address this log injection.
Now I'm not sure what is best for us to do, stabilize or mask. Taking a short look at the forums I'd say that users use it and it's better to keep. But personally I do not use this tool, so I'd like somebody else to take this decision.
I think we should mask this one.
(In reply to comment #7)
> I think we should mask this one.
Why? Masking doesn't make anything easier for us than stabling this.
It should be the maintainer's decision to Last-Rite and not that of Security once a security issue is fixed.
@rbu It was just my personal opinion.
Arches please test and mark stable. Target keywords are:
denyhosts-2.6-r1.ebuild:KEYWORDS="alpha amd64 hppa ~ppc sparc x86"
Stable for HPPA.
By the way, I just wanted to throw in my two cents as a user of this package.
I find it a helpful and useful program, and would be very sad if it was removed from the tree.
It is a little sad that UPSTREAM seems to be losing interest in this program. He's getting slower and slower about fixing/improving things. But I'd rather have this program than not have it. Additionally I appreciate the maintainers of this ebuild for keeping it patched & working when it matters -- especially when UPSTREAM is slow/appears dead.
> local users can still attack it with logger.
I trust my local users -- that's why they have accounts. I don't trust people trying to break into my machine from the internet -- that's why I use this program.
I know, I know.... layers of security ... an onion.... But that's hogwash if I don't have a defense from random people running scripts against my box from all over the world at all hours of the day. At least if a local user starts doing something strange, I know where they live and can go smack them upside the head. Plane tickets to China are too expensive.
This is CVE-2007-4323.
B3 -> [glsa?]
It can block SSH connections from everywhere. I vote yes.
Voting yes too, request filed.
GLSA 200710-14, sorry for the delay.