CVE-2006-6301: DoS via log injection
Bug #163257 reported by
William Grant
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| denyhosts (Debian) |
Fix Released
|
Unknown
|
|||
| denyhosts (Gentoo Linux) |
Fix Released
|
Low
|
|||
| denyhosts (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Edgy |
Fix Released
|
Undecided
|
William Grant | ||
Bug Description
Binary package hint: denyhosts
DenyHosts 2.5 does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address, which is not properly handled by a regular expression.
Edgy is unfixed, and we should probably throw this in with the other two fixes.
Related branches
CVE References
| Changed in denyhosts: | |
| status: | New → Fix Released |
| assignee: | nobody → fujitsu |
| status: | New → In Progress |
| Changed in denyhosts: | |
| status: | Unknown → Fix Released |
| Changed in denyhosts: | |
| status: | In Progress → Fix Committed |
| Changed in denyhosts: | |
| status: | Fix Committed → Fix Released |
| Changed in denyhosts: | |
| status: | Unknown → Fix Released |
| Changed in denyhosts (Gentoo Linux): | |
| importance: | Unknown → Low |
To post a comment you must log in.
