Your message dated Sat, 21 Jan 2006 22:17:11 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#349303: fixed in lsh-utils 2.0.1cdbs-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Jan 2006 05:15:04 +0000
From [EMAIL PROTECTED] Sat Jan 21 21:15:04 2006
Return-path: <[EMAIL PROTECTED]>
Received: from zenon.ls-hosting.de ([85.10.196.146] ident=foobar)
by spohr.debian.org with esmtp (Exim 4.50)
id 1F0XZA-0001F2-MM
for [EMAIL PROTECTED]; Sat, 21 Jan 2006 21:15:04 -0800
Date: Sun, 22 Jan 2006 06:14:59 +0100
From: Stefan Pfetzing <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: lsh-server: lshd leaks fd:s to user shells
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Reportbug-Version: 3.18
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.11
Sender: Stefan Pfetzing <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: lsh-server
Version: 2.0.1cdbs-3
Severity: grave
Tags: security
Tags: sarge
Tags: confirmed
Tags: pending
Justification: denial of service
As reported by Niels Möller, the author of lsh-utils, a user is able to
access fd:s used by lsh.
When logging in through lsh-server a user is able to tamper with
/var/spool/yarrow-seed-file, which can be used to prevent the server
from starting or allow the user guesses about the encryption used by
lsh-server.
Therefore it's strongly suggested to apply the patch from Niels.
http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html
Unstable will get a new version including the fix soon.
-- system information excluded
-- debconf information excluded
bye
Stefan Pfetzing
--
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.
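The report above describes lshd handing its open descriptors, the seed file's among them, to the user's shell. As an added example (not lsh's code and not Niels's patch), this C program shows the defensive pattern for that bug class: open private state with O_CLOEXEC, or retrofit FD_CLOEXEC on a descriptor that is already open, and an audit helper that forks and execs /bin/sh to confirm the descriptor no longer reaches the shell. The file path, the function names and the shell snippet are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the daemon's private state file (a constructed stand-in for
 * /var/spool/yarrow-seed-file). With O_CLOEXEC the kernel closes the fd
 * when the child exec()s the user's shell; without it the shell inherits it. */
int open_state_file(const char *path, int cloexec)
{
    int flags = O_RDWR | O_CREAT | (cloexec ? O_CLOEXEC : 0);
    return open(path, flags, 0600);
}

/* Retrofit close-on-exec onto a descriptor that is already open
 * (the fix for a daemon that opened its files without O_CLOEXEC). */
int mark_cloexec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    return fl < 0 ? -1 : fcntl(fd, F_SETFD, fl | FD_CLOEXEC);
}

/* Audit helper: fork and exec /bin/sh the way a login path would, then ask
 * the shell to dup the descriptor onto its stdout ('true' is not a special
 * builtin, so a failed redirection does not abort the shell).
 * Returns 1 if the shell can reach fd, 0 if it cannot, -1 on error. */
int fd_reaches_shell(int fd)
{
    char script[64];
    int status;
    snprintf(script, sizeof script, "true 2>/dev/null >&%d && exit 0; exit 3", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 3 ? 0 : -1;
}

int main(void)
{
    int fd = open_state_file("/tmp/lsh-fd-example.seed", 0);      /* leaky open */
    printf("shell can reach fd: %d\n", fd_reaches_shell(fd));     /* 1 */
    mark_cloexec(fd);
    printf("after FD_CLOEXEC:   %d\n", fd_reaches_shell(fd));     /* 0 */
    return 0;
}
```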
---------------------------------------
Received: (at 349303-close) by bugs.debian.org; 22 Jan 2006 06:20:31 +0000
From [EMAIL PROTECTED] Sat Jan 21 22:20:31 2006
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
id 1F0YXH-0000GB-WE; Sat, 21 Jan 2006 22:17:12 -0800
From: Stefan Pfetzing <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.65 $
Subject: Bug#349303: fixed in lsh-utils 2.0.1cdbs-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 21 Jan 2006 22:17:11 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: lsh-utils
Source-Version: 2.0.1cdbs-4
We believe that the bug you reported is fixed in the latest version of
lsh-utils, which is due to be installed in the Debian FTP archive:
lsh-client_2.0.1cdbs-4_i386.deb
to pool/main/l/lsh-utils/lsh-client_2.0.1cdbs-4_i386.deb
lsh-server_2.0.1cdbs-4_i386.deb
to pool/main/l/lsh-utils/lsh-server_2.0.1cdbs-4_i386.deb
lsh-utils-doc_2.0.1cdbs-4_all.deb
to pool/main/l/lsh-utils/lsh-utils-doc_2.0.1cdbs-4_all.deb
lsh-utils_2.0.1cdbs-4.diff.gz
to pool/main/l/lsh-utils/lsh-utils_2.0.1cdbs-4.diff.gz
lsh-utils_2.0.1cdbs-4.dsc
to pool/main/l/lsh-utils/lsh-utils_2.0.1cdbs-4.dsc
lsh-utils_2.0.1cdbs-4_i386.deb
to pool/main/l/lsh-utils/lsh-utils_2.0.1cdbs-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Pfetzing <[EMAIL PROTECTED]> (supplier of updated lsh-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 22 Jan 2006 06:30:43 +0100
Source: lsh-utils
Binary: lsh-utils lsh-client lsh-utils-doc lsh-server
Architecture: source all i386
Version: 2.0.1cdbs-4
Distribution: unstable
Urgency: high
Maintainer: Simon Law <[EMAIL PROTECTED]>
Changed-By: Stefan Pfetzing <[EMAIL PROTECTED]>
Description:
lsh-client - Secure Shell v2 (SSH2) protocol client
lsh-server - Secure Shell v2 (SSH2) protocol server
lsh-utils - Secure Shell v2 (SSH2) protocol utilities
lsh-utils-doc - Secure Shell v2 (SSH2) client / server / utilities documentation
Closes: 337026 348822 348844 349180 349303
Changes:
lsh-utils (2.0.1cdbs-4) unstable; urgency=high
.
* Remove silly debconf questions and correct others. (Closes: Bug#337026)
* Switch to dpatch.
* Make lsh-utils build on a grsecurity system.
* Remove /var/spool/lsh upon purge.
* Update Vietnamese debconf translation.
* Update German debconf translation.
* Update Danish debconf translation.
* Update Czech debconf translation.
* Update Dutch debconf translation.
* Update Russian debconf translation. (Closes: Bug#349180)
* Update French debconf translation. (Closes: Bug#348822)
* Have lsh-server provide ssh-server. (Closes: Bug#348844)
* Update the watch file format version to the latest (3).
* Have uscan remove the "cdbs" version extension.
* Fix fd leak in the lsh-server.
This is to be security related, so upload it with a high urgency.
(Closes: Bug#349303)
Files: