Hi,

I intend to upload an NMU to fix this problem. Attached is a patch which should fix CVE-2007-4323. I know it's a bit early for an NMU announcement, but I thought it might be useful since it also includes a patch for the problem. So feel free to use it and upload yourself.
The patch is also archived on: http://people.debian.org/~nion/nmu-diff/denyhosts-2.6-2_2.6-2.1.patch

Kind regards
Nico

--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nurad denyhosts-2.6~/debian/changelog denyhosts-2.6/debian/changelog --- denyhosts-2.6~/debian/changelog 2007-08-16 02:43:11.000000000 +0200 +++ denyhosts-2.6/debian/changelog 2007-08-16 02:42:47.000000000 +0200 @@ -1,3 +1,11 @@ +denyhosts (2.6-2.1) unstable; urgency=high + + * Non-maintainer upload for testing security team + * Included 07_fix_CVE-2007-4323.dpatch to fix + CVE-2007-4323 (Closes: #438162). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 16 Aug 2007 02:41:59 +0200 + denyhosts (2.6-2) unstable; urgency=low * Added a patch from RedHat bugzilla that fix a regex error diff -Nurad denyhosts-2.6~/debian/patches/00list denyhosts-2.6/debian/patches/00list --- denyhosts-2.6~/debian/patches/00list 2007-08-16 02:43:11.000000000 +0200 +++ denyhosts-2.6/debian/patches/00list 2007-08-16 02:48:46.000000000 +0200 @@ -4,3 +4,4 @@ 04_migrate_warning.dpatch 05_does-not-install-useless.dpatch 06_permit_rootlogin_no.dpatch +07_fix_CVE-2007-4323 diff -Nurad denyhosts-2.6~/debian/patches/07_fix_CVE-2007-4323.dpatch denyhosts-2.6/debian/patches/07_fix_CVE-2007-4323.dpatch --- denyhosts-2.6~/debian/patches/07_fix_CVE-2007-4323.dpatch 1970-01-01 01:00:00.000000000 +0100 +++ denyhosts-2.6/debian/patches/07_fix_CVE-2007-4323.dpatch 2007-08-16 02:48:35.000000000 +0200 
@@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 07_fix_CVE-2007-4323.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad denyhosts-2.6~/DenyHosts/regex.py denyhosts-2.6/DenyHosts/regex.py +--- denyhosts-2.6~/DenyHosts/regex.py 2006-12-07 20:47:04.000000000 +0100 ++++ denyhosts-2.6/DenyHosts/regex.py 2007-08-16 02:48:29.000000000 +0200 +@@ -17,7 +17,7 @@ + + FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""") + +-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""") ++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""") + + FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") +
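Review bot: in the debian/patches/00list hunk, the new entry is written as 07_fix_CVE-2007-4323, without the .dpatch suffix that the three context entries above it carry and that the added file itself has (07_fix_CVE-2007-4323.dpatch). Suggest listing it as 07_fix_CVE-2007-4323.dpatch so the series file stays consistent and the entry matches the file name exactly.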
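Review bot: in the DenyHosts/regex.py change carried by 07_fix_CVE-2007-4323.dpatch, the trailing $ is added only to FAILED_ENTRY_REGEX5, while its host group stays (?P<host>.*) and the context line FAILED_ENTRY_REGEX4 still ends in an unanchored (?P<host>.*). The user field in these sshd log lines is chosen by the remote client, so consider restricting the host group to a pattern that cannot contain spaces (FAILED_ENTRY_REGEX6 in the same context already limits host to a dotted quad), and check whether FAILED_ENTRY_REGEX4 needs equivalent tightening. The dpatch header also still reads "## DP: No description."; a one-line description naming CVE-2007-4323 and the anchoring change would document what the patch is for.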