diff -u denyhosts-2.5/debian/control denyhosts-2.5/debian/control
--- denyhosts-2.5/debian/control
+++ denyhosts-2.5/debian/control
@@ -1,7 +1,8 @@
 Source: denyhosts
 Section: net
 Priority: optional
-Maintainer: Marco Bertorello
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Marco Bertorello
 Uploaders: Marco Nenciarini
 Build-Depends: cdbs (>= 0.4.43), debhelper (>= 5.0.37.1), dpatch, python, python-central (>= 0.5)
 Standards-Version: 3.7.2.0
diff -u denyhosts-2.5/debian/changelog denyhosts-2.5/debian/changelog
--- denyhosts-2.5/debian/changelog
+++ denyhosts-2.5/debian/changelog
@@ -1,3 +1,17 @@
+denyhosts (2.5-3ubuntu0.1) edgy-security; urgency=low
+
+ * SECURITY UPDATE: hosts not denied (LP: #133569), and possible denial of
+ service (LP: #163257, #162406).
+ * debian/patches/{05_CVE-2007-5715,06_CVE-2007-4323}.dpatch: Add patches
+ from Debian.
+ * debian/patches/07_CVE-2006-6301.dpatch: Add, backported from 2.6.
+ * References
+ CVE-2007-5715
+ CVE-2007-4323
+ CVE-2006-6301
+
+ -- William Grant Sat, 17 Nov 2007 12:42:11 +1100
+
 denyhosts (2.5-3) unstable; urgency=low
 
 [ Marco Nenciarini ]
diff -u denyhosts-2.5/debian/patches/00list denyhosts-2.5/debian/patches/00list
--- denyhosts-2.5/debian/patches/00list
+++ denyhosts-2.5/debian/patches/00list
@@ -4,0 +5,3 @@
+05_CVE-2007-5715.dpatch
+06_CVE-2007-4323.dpatch
+07_CVE-2006-6301.dpatch
only in patch2:
unchanged:
--- denyhosts-2.5.orig/debian/patches/07_CVE-2006-6301.dpatch
+++ denyhosts-2.5/debian/patches/07_CVE-2006-6301.dpatch
@@ -0,0 +1,34 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 07_CVE-2006-6301.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad denyhosts-2.5~/DenyHosts/regex.py denyhosts-2.5/DenyHosts/regex.py
+--- denyhosts-2.5~/DenyHosts/regex.py 2007-11-17 12:48:04.000000000 +1100
++++ denyhosts-2.5/DenyHosts/regex.py 2007-11-17 12:50:04.000000000 +1100
+@@ -9,17 +9,17 @@
+ SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P.*)""")
+ #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P.*)""")
+
+-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P.*) for (?Pinvalid user |illegal user )?(?P.*?) from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P.*) for (?Pinvalid user |illegal user )?(?P.*?) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
+-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P(Illegal|Invalid)) user (?P.*?) from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P(Illegal|Invalid)) user (?P.*?) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
+-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P.*) from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P.*) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
+-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P.*) from (?P.*)""")
++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P.*) .*from (?P.*)""")
+
+-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")
++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")
+
+-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
+ FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P.*) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
+
only in patch2:
unchanged:
--- denyhosts-2.5.orig/debian/patches/06_CVE-2007-4323.dpatch
+++ denyhosts-2.5/debian/patches/06_CVE-2007-4323.dpatch
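Review bot: The added ` .*from` only selects the genuine peer address when the last ` from ` in the message is followed by text that fits the dotted-quad group; FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, FAILED_ENTRY_REGEX3 and FAILED_ENTRY_REGEX6 stay unanchored after the address, so when the real peer field does not fit that form the engine can backtrack to an earlier ` from <address>` inside the user field. Refusing a match when another ` from ` follows the captured address, for example by appending `(?!.* from )` after the address group, would make the pattern fail closed instead; this should be confirmed against the sshd message formats the package supports. The dpatch header still reads `## DP: No description.`, and I would replace it with a line such as `## DP: Use the last "from" in sshd failure lines as the peer address (CVE-2006-6301)`. The same missing description applies to 06_CVE-2007-4323.dpatch and 05_CVE-2007-5715.dpatch.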
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 06_CVE-2007-4323.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad denyhosts-2.5~/DenyHosts/regex.py denyhosts-2.5/DenyHosts/regex.py
+--- denyhosts-2.5~/DenyHosts/regex.py 2006-03-17 11:22:51.000000000 +1100
++++ denyhosts-2.5/DenyHosts/regex.py 2007-11-13 23:44:16.000000000 +1100
+@@ -17,7 +17,7 @@
+
+ FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P.*) from (?P.*)""")
+
+-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) from (?P.*) not allowed because none of user's groups are listed in AllowGroups""")
++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")
+
+ FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
only in patch2:
unchanged:
--- denyhosts-2.5.orig/debian/patches/05_CVE-2007-5715.dpatch
+++ denyhosts-2.5/debian/patches/05_CVE-2007-5715.dpatch
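Review bot: The new `$` pins the end of FAILED_ENTRY_REGEX5, but the group after ` from ` is still `.*`, so whatever lies between the chosen ` from ` and ` not allowed because`, embedded spaces included, is accepted as the host with no shape check. Restricting that group to a single token, `\S+` in place of `.*`, would keep the value that reaches the deny list to something that can actually be a host name or address. FAILED_ENTRY_REGEX4, shown as context just above, has the same open-ended final group and no end anchor; it is outside this change but would benefit from the same treatment.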
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_CVE-2007-5715.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad denyhosts-2.5~/DenyHosts/regex.py denyhosts-2.5/DenyHosts/regex.py
+--- denyhosts-2.5~/DenyHosts/regex.py 2006-03-17 11:22:51.000000000 +1100
++++ denyhosts-2.5/DenyHosts/regex.py 2007-11-13 23:40:58.000000000 +1100
+@@ -21,7 +21,7 @@
+
+ FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P.*) not allowed because not listed in AllowUsers""")
++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P.*) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
+
+
+ # these are reserved for future versions
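Review bot: The rewritten FAILED_ENTRY_REGEX7 stops at the literal `AllowUsers` with no end anchor, unlike FAILED_ENTRY_REGEX5 as changed by 06_CVE-2007-4323.dpatch, so it also matches lines where that phrase is followed by further text. Ending the pattern with `not listed in AllowUsers$""")` would make the two "User … not allowed" patterns consistent. The address group accepts dotted-quad IPv4 only (optionally prefixed with `::ffff:`), so entries logged with any other address form will not match this pattern at all. If that is intended, a short comment next to the regex saying so would help the next maintainer.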