Major upstream version 3.1 released 1 year ago (2015-09) - Python 3 port, security fixes and other improvements!

Bug #1613532 reported by Mantas Kriaučiūnas
Affects              Status        Importance  Assigned to  Milestone
denyhosts (Debian)   Fix Released  Unknown
denyhosts (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

Major upstream denyhosts version 3.1 released 1 year ago (2015-09), please update Ubuntu packages.

I'm pasting a few lines from https://github.com/denyhosts/denyhosts/blob/master/CHANGELOG.txt

3.1

Fixed a type check in DenyHosts/report.py which was causing problems when moving between Python2 and Python3.

Added checks to see if an IP address is valid. This pulls in the requirement for the ipaddr Python module.

Added check to see if there is a break-in attempt against the Dovecot imap service. This is an option which can be enabled/disabled in the configuration file. It is turned off by default.

3.0

Initial translation of code from Python 2 to Python 3. DenyHosts can now be run as either a Python 2 or a Python 3 program.

Added patch from Fedora to fix initial sync issue and ensure info logging stream is active.
(Provided by Jason Tibbitts.)

Added "import logging" to denyhosts.py to avoid errors when setting up logging. (See above change.)

Added option PF_TABLE_FILE to the configuration file. When this option is enabled it causes DenyHosts to write blocked IP addresses to a text file. The default location is /etc/blacklist. This text file should correspond to a PF firewall table.

At start-up, try to create the file specified by HOSTS_DENY. That way we avoid errors later if the file does not exist. Can be a problem on operating systems where /etc/hosts.deny does not exist in the default configuration.

Added regex pattern to detect invalid user accounts. This blocks connections from remote hosts who are attempting to log in with accounts not found on the local system.
While these connections to non-existent accounts are relatively harmless, they are usually used as part of a brute force attack and filtering them before they reach OpenSSH is a good idea.

For more info look at https://github.com/denyhosts/denyhosts/releases

Btw, master branch at https://github.com/denyhosts/denyhosts has 25 commits since 3.1 release, maybe it's wise to package latest code instead of 3.1 release?

Thanks,
Mantas
--
Computer sales with Linux OS - http://tinklas.eu/prekyba
Use the free Linux operating system on your computer -
http://baltix.lt
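The changelog items quoted above (detecting login attempts against non-existent accounts, checking that the extracted address is a valid IP, and writing block entries) in a small worked form. This is an added example, not DenyHosts' own code: it uses the standard-library ipaddress module in place of the ipaddr module the changelog names, the log lines are constructed, and the regexes, function names and thresholds are this example's own.

```python
"""Added example (not DenyHosts code): tally failed sshd logins per source
address from auth.log-style lines, validate the address before trusting it,
and emit hosts.deny entries once a threshold is crossed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, modelled on OpenSSH auth.log output.
SAMPLE_LOG = """\
Sep 10 11:02:14 host sshd[2311]: Invalid user admin from 203.0.113.7
Sep 10 11:02:16 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 10 11:02:20 host sshd[2315]: Invalid user oracle from 203.0.113.7
Sep 10 11:02:25 host sshd[2318]: Failed password for root from 198.51.100.9 port 40102 ssh2
Sep 10 11:02:30 host sshd[2320]: Invalid user test from 203.0.113.7
Sep 10 11:02:33 host sshd[2322]: Invalid user guest from 999.1.1.1
Sep 10 11:02:40 host sshd[2325]: Accepted publickey for alice from 192.0.2.44 port 50000 ssh2
"""

# The user name is matched greedily so the host is always the token after the
# *last* " from " and must end the line (or be followed by the port).  The host
# is then validated as an IP address before anything is done with it.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.+) from (?P<host>\S+)$"
)
FAILED_PW_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<inv>invalid user )?(?P<user>.+)"
    r" from (?P<host>\S+) port \d+ ssh2$"
)


def valid_ip(text):
    """Return an ip_address object or None; this is the 'is the address valid'
    check from the 3.1 changelog, done with stdlib ipaddress (assumption)."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(line):
    """Return (category, user, ip) for a failed attempt, or None.
    category is 'invalid' (account does not exist) or 'valid' (it does)."""
    m = INVALID_USER_RE.search(line)
    if m:
        category = "invalid"
    else:
        m = FAILED_PW_RE.search(line)
        if not m:
            return None
        category = "invalid" if m.group("inv") else "valid"
    ip = valid_ip(m.group("host"))
    if ip is None:
        return None  # malformed host field: never block on it
    return category, m.group("user"), ip


def tally(log_text):
    """Count failed attempts per source address, split by category."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            category, _user, ip = hit
            counts[str(ip)][category] += 1
    return dict(counts)


def deny_entries(counts, threshold_invalid=3, threshold_valid=5):
    """Build TCP-wrappers hosts.deny lines ('sshd: <ip>') for addresses over
    either threshold.  The thresholds are this example's own parameters."""
    blocked = [
        ip for ip, c in counts.items()
        if c["invalid"] >= threshold_invalid or c["valid"] >= threshold_valid
    ]
    return [f"sshd: {ip}" for ip in sorted(blocked, key=ipaddress.ip_address)]


if __name__ == "__main__":
    totals = tally(SAMPLE_LOG)
    for addr, c in totals.items():
        print(addr, c)
    print("\n".join(deny_entries(totals)))
```

On the sample input only 203.0.113.7 crosses the invalid-account threshold; the line naming 999.1.1.1 is dropped by the address check rather than producing a bogus deny entry, and the single root failure from 198.51.100.9 stays below the valid-account threshold.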

tags: added: upgrade-software-version
Changed in denyhosts (Debian):
status: Unknown → New
Revision history for this message
Tom Reynolds (tomreyn) wrote :

This package and its open security bugs have not been handled during the past five years. Debian is no longer shipping it in release for the same time (Ubuntu is, it is still in sid).

As a result, I recommend dropping this package off any future Ubuntu releases as well as LTS releases.

information type: Public → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in denyhosts (Ubuntu):
status: New → Confirmed
Revision history for this message
Tom Reynolds (tomreyn) wrote :

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802917 discusses how the version Ubuntu offers to all currently supported Ubuntu releases reintroduces the vulnerability described in CVE-2013-6890

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello archive admins, this package feels unmaintained enough that it might be worth excluding from future releases.

Thanks

Revision history for this message
Steve Langasek (vorlon) wrote :

Removing packages from eoan:
 denyhosts 2.10-2 in eoan
  denyhosts 2.10-2 in eoan amd64
  denyhosts 2.10-2 in eoan arm64
  denyhosts 2.10-2 in eoan armhf
  denyhosts 2.10-2 in eoan i386
  denyhosts 2.10-2 in eoan ppc64el
  denyhosts 2.10-2 in eoan s390x
Comment: Unmaintained, security vulnerabilities, removed from Debian testing; LP: #1613532, Debian bug #833884
1 package successfully removed.

Changed in denyhosts (Ubuntu):
status: Confirmed → Fix Released
Changed in denyhosts (Debian):
status: New → Fix Released