Bug 495130 (CVE-2013-6890) - <app-admin/denyhosts-2.6-r9: remote denial of ssh service (CVE-2013-6890)
Alias: CVE-2013-6890
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2013-12-23 15:28 UTC by Christoph Junghans (RETIRED)
Modified: 2014-06-25 21:34 UTC

Description Christoph Junghans (RETIRED) gentoo-dev 2013-12-23 15:28:46 UTC
In short, using something like:
ssh -l 'Invalid user root from'
can lead to blocking of as the regex in is not specific enough.
Comment 1 Agostino Sarubbo gentoo-dev 2013-12-23 15:37:12 UTC
Thanks for the report
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-12-25 20:25:55 UTC
CVE-2013-6890 (
  denyhosts 2.6 uses an incorrect regular expression when analyzing
  authentication logs, which allows remote attackers to cause a denial of
  service (incorrect block of IP addresses) via crafted login names.
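
Added example, not part of the bug thread and not denyhosts code: a log parser that attributes a failed login to the wrong address when the client-supplied user name contains text that looks like the rest of the log message, next to an anchored pattern that does not. Both regular expressions, the function names and the sample messages are constructed for illustration; it assumes sshd writes the peer address as the last field of the message.

```python
import ipaddress
import re

# Illustrative patterns only; neither is copied from denyhosts.
# LOOSE: unanchored with a lazy user field, so the first " from " in the
# message ends the user name, even if that text came from the client.
LOOSE = re.compile(r"Invalid user (?P<user>.*?) from (?P<host>\S+)")
# STRICT: the whole message must match and the host is the final token, so
# any " from " inside the user name stays inside the user field.
STRICT = re.compile(r"^Invalid user (?P<user>.*) from (?P<host>\S+)$")


def offending_host(pattern, message):
    """Return the address the pattern attributes the failure to, or None."""
    m = pattern.search(message)
    if m is None:
        return None
    try:
        # Only act on IP literals (assumption: sshd logs addresses, not names).
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return None


# Constructed sshd messages using documentation address ranges (RFC 5737).
# The user name is chosen by the client; sshd appends the real peer last.
ORDINARY = "Invalid user admin from 198.51.100.7"
CRAFTED = "Invalid user Invalid user root from 192.0.2.10 from 198.51.100.7"


def compare():
    """Map each sample to (host seen by LOOSE, host seen by STRICT)."""
    return {
        name: (offending_host(LOOSE, msg), offending_host(STRICT, msg))
        for name, msg in (("ordinary", ORDINARY), ("crafted", CRAFTED))
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:9} loose={loose} strict={strict}")
```

On the crafted message the loose pattern reports the address embedded in the user name, while the anchored pattern reports the peer address that sshd itself appended.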
Comment 3 Christoph Junghans (RETIRED) gentoo-dev 2014-01-06 01:54:35 UTC
+*denyhosts-2.6-r9 (06 Jan 2014)
+  06 Jan 2014; Christoph Junghans <> +denyhosts-2.6-r9.ebuild,
+  +files/denyhosts-2.6-cve-2013-6890.patch, +files/denyhosts.init-r2,
+  metadata.xml:
+  fixed remote denial of ssh service (CVE-2013-6890, bug #495130), added purge
+  command to init.d script (bug #486730) and added me as maintainer
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-06 03:25:23 UTC
Arches, please test and stabilize:
Target arches: alpha amd64 arm hppa ppc sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-06 09:24:15 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-06 09:24:29 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-06 09:25:10 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-06 09:25:52 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-06 09:42:18 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-06 09:42:41 UTC
ppc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-06 21:59:13 UTC
Stable for HPPA.
Comment 12 Christoph Junghans (RETIRED) gentoo-dev 2014-01-08 22:25:18 UTC
@creffett: why ia64?
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-08 23:16:37 UTC
Unintentional, must have accidentally clicked it while selecting arches. @maintainers: please clean up, @security, voting time, GLSA vote: yes.
Comment 14 Christoph Junghans (RETIRED) gentoo-dev 2014-01-09 01:07:59 UTC
+  09 Jan 2014; Christoph Junghans <> -denyhosts-2.6-r8.ebuild:
+  remove vulnerable version (bug #495130)
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:56:59 UTC
Maintainer(s), Thank you for cleanup!

Security please Vote!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:55:47 UTC
GLSA Vote: Yes
Created a New GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-06-25 21:34:51 UTC
This issue was resolved and addressed in
 GLSA 201406-23 at
by GLSA coordinator Mikle Kolyada (Zlogene).