Bug 495130 (CVE-2013-6890) - <app-admin/denyhosts-2.6-r9: remote denial of ssh service (CVE-2013-6890)
Summary: <app-admin/denyhosts-2.6-r9: remote denial of ssh service (CVE-2013-6890)
Status: RESOLVED FIXED
Alias: CVE-2013-6890
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://access.redhat.com/security/cv...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-23 15:28 UTC by Christoph Junghans
Modified: 2014-06-25 21:34 UTC

See Also:
Package list:
Runtime testing required: ---
Description Christoph Junghans gentoo-dev 2013-12-23 15:28:46 UTC
In short, using something like:
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
can lead to blocking of 123.123.123.123 as the regex in denyhosts.py is not specific enough.

https://bugzilla.redhat.com/show_bug.cgi?id=1045982
http://seclists.org/oss-sec/2013/q4/535
http://www.debian.org/security/2013/dsa-2826
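To show the log-parsing flaw behind this report from the defender's side, here is an added Python example. It is not denyhosts' own code: the two regular expressions and the sample log lines are constructed for illustration, and 203.0.113.5 is a constructed stand-in for the real client address. A loose, unanchored pattern and an anchored pattern are run over the same lines, and the output shows which address each would put on the block list.

```python
import ipaddress
import re

# Constructed sshd log lines for this example (not taken from the bug report).
# Line 2 is the kind of entry sshd writes when a client authenticates with the
# crafted user name quoted in the report: the address 123.123.123.123 is only
# text inside the user name, while the real client address is 203.0.113.5
# (a constructed documentation-range address).
SAMPLE_LINES = [
    "Dec 23 15:28:46 host sshd[1234]: Invalid user admin from 203.0.113.5",
    "Dec 23 15:28:50 host sshd[1235]: Invalid user Invalid user root from "
    "123.123.123.123 from 203.0.113.5",
    "Dec 23 15:28:55 host sshd[1236]: Invalid user guest from 203.0.113.5 port 4242",
]

# Syslog prefix up to the FIRST "sshd[pid]: "; the lazy quantifier keeps
# user-controlled text later in the line from shifting the split point.
SYSLOG_PREFIX_RE = re.compile(r"^.*?sshd\[\d+\]: ")

# Illustrative loose pattern (an assumption for this example, not denyhosts'
# own regex). It is unanchored and assumes a user name has no blanks, so
# re.search may begin its match inside a user name that itself reads
# "Invalid user ... from ...".
LOOSE_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<host>\S+)")

# Hardened pattern: anchored at both ends of the sshd message, the user name
# may contain anything (greedy .*), and the host must therefore be the token
# after the LAST " from ", i.e. the part of the line sshd, not the client, wrote.
STRICT_RE = re.compile(
    r"^Invalid user (?P<user>.*) from (?P<host>\S+)(?: port \d+)?$"
)


def sshd_message(line: str) -> str:
    """Return the sshd message part of a syslog line."""
    return SYSLOG_PREFIX_RE.sub("", line, count=1)


def extract_host_loose(line: str):
    """Host as the loose, unanchored pattern sees it (may be attacker-chosen)."""
    m = LOOSE_RE.search(sshd_message(line))
    return m.group("host") if m else None


def extract_host_strict(line: str):
    """Host from the anchored pattern, additionally required to be an IP literal."""
    m = STRICT_RE.match(sshd_message(line))
    if m is None:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)  # reject anything that is not a real address
    except ValueError:
        return None
    return host


def hosts_to_block(lines, extractor):
    """Set of addresses a denyhosts-style tool would block using `extractor`."""
    return {h for h in map(extractor, lines) if h is not None}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"loose={extract_host_loose(line)!s:<16} "
              f"strict={extract_host_strict(line)!s:<16} {sshd_message(line)}")
    print("loose would block: ", sorted(hosts_to_block(SAMPLE_LINES, extract_host_loose)))
    print("strict would block:", sorted(hosts_to_block(SAMPLE_LINES, extract_host_strict)))
```

The general rule the example illustrates: anchor the pattern on the structure the daemon itself writes (start of the message, end of the line, the fixed literal before the address), let the client-controlled field be the permissive capture, and validate the extracted host as an address literal before acting on it. With the loose pattern the second line yields 123.123.123.123 and that address would be denied; with the anchored pattern only 203.0.113.5, the actual client, is extracted.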
Comment 1 Agostino Sarubbo gentoo-dev 2013-12-23 15:37:12 UTC
Thanks for the report
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-12-25 20:25:55 UTC
CVE-2013-6890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6890):
  denyhosts 2.6 uses an incorrect regular expression when analyzing
  authentication logs, which allows remote attackers to cause a denial of
  service (incorrect block of IP addresses) via crafted login names.
Comment 3 Christoph Junghans gentoo-dev 2014-01-06 01:54:35 UTC
+*denyhosts-2.6-r9 (06 Jan 2014)
+
+  06 Jan 2014; Christoph Junghans <ottxor@gentoo.org> +denyhosts-2.6-r9.ebuild,
+  +files/denyhosts-2.6-cve-2013-6890.patch, +files/denyhosts.init-r2,
+  metadata.xml:
+  fixed remote denial of ssh service (CVE-2013-6890, bug #495130), added purge
+  command to init.d script (bug #486730) and added me as maintainer
+
Comment 4 Chris Reffett gentoo-dev Security 2014-01-06 03:25:23 UTC
Arches, please test and stabilize:
=app-admin/denyhosts-2.6-r9
Target arches: alpha amd64 arm hppa ppc sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-06 09:24:15 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-06 09:24:29 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-06 09:25:10 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-06 09:25:52 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-06 09:42:18 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-06 09:42:41 UTC
ppc stable
Comment 11 Jeroen Roovers gentoo-dev 2014-01-06 21:59:13 UTC
Stable for HPPA.
Comment 12 Christoph Junghans gentoo-dev 2014-01-08 22:25:18 UTC
@creffett: why ia64?
Comment 13 Chris Reffett gentoo-dev Security 2014-01-08 23:16:37 UTC
Unintentional, must have accidentally clicked it while selecting arches. @maintainers: please clean up, @security, voting time, GLSA vote: yes.
Comment 14 Christoph Junghans gentoo-dev 2014-01-09 01:07:59 UTC
+  09 Jan 2014; Christoph Junghans <ottxor@gentoo.org> -denyhosts-2.6-r8.ebuild:
+  remove vulnerable version (bug #495130)
+
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-21 03:56:59 UTC
Maintainer(s), thank you for the cleanup!

Security please Vote!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-16 04:55:47 UTC
GLSA Vote: Yes
Created a New GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-06-25 21:34:51 UTC
This issue was resolved and addressed in GLSA 201406-23 at http://security.gentoo.org/glsa/glsa-201406-23.xml by GLSA coordinator Mikle Kolyada (Zlogene).