Bug#349303: lsh-server: lshd leaks fd:s to user shells

2006-01-22 Thread Martin Schulze
Stefan Pfetzing wrote:
 Package: lsh-server
 Version: 2.0.1cdbs-3
 Severity: grave
 Tags: security
 Tags: sarge
 Tags: confirmed
 Tags: pending
 Justification: denial of service
 
 As reported by Niels Möller, the author of lsh-utils, a user is able to
 access fd:s used by lsh.
 
 When logging in through lsh-server a user is able to tamper with
 /var/spool/yarrow-seed-file, which can be used to prevent the server
 from starting or allow the user guesses about the encryption used by
 lsh-server.
 
 Therefore it's strongly suggested to apply the patch from Niels.
 
 http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html
 
 Unstable will get a new version including the fix soon.

Please let us know which version in sid will fix the problem.

I've requested a CVE name and will provide it asap.

Regards,

Joey

-- 
Have you ever noticed that General Public Licence contains the word Pub?

Please always Cc to me when replying to me on the lists.



Bug#349303: lsh-server: lshd leaks fd:s to user shells

2006-01-22 Thread Stefan Pfetzing

Hi Joey,

On 22.01.2006 at 09:52, Martin Schulze wrote:

 Please let us know which version in sid will fix the problem.
 
 I've requested a CVE name and will provide it asap.


lsh-utils 2.0.1cdbs-4 includes a dpatch file in debian/patches which
fixes the problem.


bye

Stefan

--
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.





--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#349303: lsh-server: lshd leaks fd:s to user shells

2006-01-22 Thread Martin Schulze
Stefan Pfetzing wrote:
 Please let us know which version in sid will fix the problem.
 
 I've requested a CVE name and will provide it asap.
 
 lsh-utils 2.0.1cdbs-4 includes a dpatch file in debian/patches which
 fixes the problem.

Please use CVE-2006-0353 for this vulnerability.

Regards,

Joey

-- 
Have you ever noticed that General Public Licence contains the word Pub?

Please always Cc to me when replying to me on the lists.





Bug#349303: lsh-server: lshd leaks fd:s to user shells

2006-01-21 Thread Stefan Pfetzing
Package: lsh-server
Version: 2.0.1cdbs-3
Severity: grave
Tags: security
Tags: sarge
Tags: confirmed
Tags: pending
Justification: denial of service

As reported by Niels Möller, the author of lsh-utils, a user is able to
access fd:s used by lsh.

When logging in through lsh-server a user is able to tamper with
/var/spool/yarrow-seed-file, which can be used to prevent the server
from starting or allow the user guesses about the encryption used by
lsh-server.

Therefore it's strongly suggested to apply the patch from Niels.

http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html

Unstable will get a new version including the fix soon.

-- system information excluded
-- debconf information excluded

bye

Stefan Pfetzing

-- 
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.
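The bug class in this report, as an added example that is neither lsh's code nor Niels Möller's patch (the patch is only linked above, not shown): a daemon holds a sensitive file open, spawns the user's login shell through /bin/sh, and the shell can write to the file through the descriptor it inherited, exactly the way a logged-in user could tamper with /var/spool/yarrow-seed-file. The same function also runs two hardened variants, FD_CLOEXEC on the sensitive descriptor and closing every descriptor above stderr in the child before exec. The temp file, its contents and the "tampered" marker are constructed for the demo; it assumes a POSIX system with /bin/sh and a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { LEAKY = 0, CLOEXEC_ON_SEED = 1, CLOSE_ALL_IN_CHILD = 2 };

/* Belt-and-braces variant: close everything above stderr in the child before
 * exec, so nothing the daemon opened survives into the user's shell.
 * Capped to keep the loop bounded on systems reporting a huge OPEN_MAX;
 * descriptors above the cap would still leak (see usage note). */
static void close_inherited_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    for (int fd = 3; fd < max; fd++)
        close(fd);
}

/* Simulates a daemon that keeps a seed file open and then spawns a user shell.
 * Returns 1 if the shell managed to write into the file through the inherited
 * descriptor, 0 if it could not, -1 on a setup error. */
int user_shell_can_tamper(int hardening)
{
    char path[] = "/tmp/seed-demo-XXXXXX";   /* constructed stand-in for the seed file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "SEED\n", 5) != 5) { close(fd); unlink(path); return -1; }

    /* Hardening 1: mark the sensitive descriptor close-on-exec, so fork()
     * still copies it but execve() drops it before the shell runs. */
    if (hardening == CLOEXEC_ON_SEED && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd); unlink(path); return -1;
    }

    /* The "user shell": append to whatever descriptor number the daemon used.
     * Shell stderr is silenced so the hardened runs do not print "Bad file
     * descriptor" noise. */
    char cmd[96];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo tampered >&%d", fd);

    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(path); return -1; }
    if (pid == 0) {
        /* Hardening 2: close inherited descriptors in the child before exec. */
        if (hardening == CLOSE_ALL_IN_CHILD) close_inherited_fds();
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);

    /* Read the file back through the daemon's own descriptor. */
    char buf[64] = {0};
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); unlink(path); return -1; }
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(path);
    if (n < 0) return -1;
    return strstr(buf, "tampered") != NULL;
}

int main(void)
{
    printf("leaky daemon, shell could tamper:        %d\n", user_shell_can_tamper(LEAKY));
    printf("FD_CLOEXEC on seed, shell could tamper:  %d\n", user_shell_can_tamper(CLOEXEC_ON_SEED));
    printf("close-all in child, shell could tamper:  %d\n", user_shell_can_tamper(CLOSE_ALL_IN_CHILD));
    return 0;
}
```

The quick check for this class of bug on a Linux box is to log in through the daemon and run `ls -l /proc/$$/fd` in the resulting shell: any descriptor beyond 0, 1, 2 that points at a daemon-owned file is a leak. Marking descriptors close-on-exec at open time (O_CLOEXEC, or FD_CLOEXEC as above) is the robust fix; the close-all loop is a fallback that depends on the OPEN_MAX bound, and on Linux 5.9+ with glibc 2.34+ close_range(2) does the same job without the loop.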

