CVE-2006-6301: DoS via log injection
Bug #163257 reported by William Grant
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
denyhosts (Debian) | Fix Released | Unknown | | |
denyhosts (Gentoo Linux) | Fix Released | Low | | |
denyhosts (Ubuntu) | Fix Released | Undecided | Unassigned | |
Edgy | Fix Released | Undecided | William Grant | |
Bug Description
Binary package hint: denyhosts
DenyHosts 2.5 does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address, which is not properly handled by a regular expression.
Edgy is unfixed, and we should probably throw this in with the other two fixes.
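
The parsing flaw described in the report, as an added example that is not DenyHosts code or part of the original bug: two illustrative regular expressions (assumptions, not the project's own) are run over constructed sshd messages. The unanchored pattern counts the failure against an address embedded in the login name, while the anchored pattern takes the address that sshd itself appends.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Illustrative patterns (assumptions, not DenyHosts' own expressions).
# LOOSE: lazy user field, no end anchor, so the first " from <ip>" wins,
# even when it sits inside the client-chosen login name.
LOOSE = re.compile(
    rf"Failed password for (?:invalid user )?(?P<user>.*?) from (?P<host>{IPV4})"
)
# STRICT: anchored at both ends with a greedy user field, so the host is
# always the last " from <ip> port <n> ssh2", the part sshd writes itself.
STRICT = re.compile(
    rf"^Failed password for (?:invalid user )?(?P<user>.*) "
    rf"from (?P<host>{IPV4}) port \d+ ssh2$"
)

def blamed_host(pattern, message):
    """Return the host a parser using `pattern` would count a failure against."""
    m = pattern.search(message)
    return m.group("host") if m else None

# Constructed sshd messages (RFC 5737 documentation addresses).
NORMAL = "Failed password for invalid user alice from 203.0.113.9 port 4242 ssh2"
# The login name supplied by the client contains " from <ip>".
CRAFTED = ("Failed password for invalid user alice from 198.51.100.7 "
           "from 203.0.113.9 port 4242 ssh2")

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("crafted", CRAFTED)):
        print(name, "loose:", blamed_host(LOOSE, msg),
              "strict:", blamed_host(STRICT, msg))
```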
Changed in denyhosts:
status: New → Fix Released
assignee: nobody → fujitsu
status: New → In Progress
Changed in denyhosts:
status: Unknown → Fix Released
Changed in denyhosts:
status: In Progress → Fix Committed
Changed in denyhosts:
status: Fix Committed → Fix Released
Changed in denyhosts:
status: Unknown → Fix Released
Changed in denyhosts (Gentoo Linux):
importance: Unknown → Low