LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Three short stories, all about Android

LWN.net Weekly Edition for February 4, 2010

Samba with Active Directory: getting closer

Security in the 20-teens

LWN.net Weekly Edition for January 28, 2010

Printable page
Archives Kernel Security Distributions Search
Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

denyhosts: denial of service

Package(s):denyhosts CVE #(s):CVE-2006-6301
Created:January 3, 2007 Updated:January 3, 2007
Description: A botched regular expression allows a remote attacker to add arbitrary hosts to the denyhosts blacklist, causing those hosts to be unable to make ssh connections to the target system.
Alerts:
Gentoo 200701-01 2007-01-03
(Log in to post comments)

denyhosts: denial of service

Posted Jan 4, 2007 5:29 UTC (Thu) by yarikoptic (subscriber, #36795) [Link]

Debian rules -- its users foreseen similar problem in analogous fail2ban loong ago, so Debian-shipped fail2ban has been running without such a vulnerability for more than a year (recent upstream released of fail2ban adopted Debian-introduced solution). denyhosts is a younger party in Debian thus gentoo people got to the problem first.

denyhosts: denial of service

Posted Jan 4, 2007 17:24 UTC (Thu) by epithumia (subscriber, #23370) [Link]

This was fixed upstream and in Fedora Extras back on December 8. Unfortunately the folks who discovered the bug neglected to inform the upstream author [1], but I brought it to the denyhosts mailing list and got a new upstream release in a few minutes.

1) http://sourceforge.net/mailarchive/message.php?msg_id=376...

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds