Stefan Pfetzing wrote:
> Package: lsh-server
> Version: 2.0.1cdbs-3
> Severity: grave
> Tags: security
> Tags: sarge
> Tags: confirmed
> Tags: pending
> Justification: denial of service
>
> As reported by Niels Möller, the author of lsh-utils, a user is able to
> access fd:s used by lsh.
>
> When logging in through lsh-server a user is able to tamper with
> /var/spool/yarrow-seed-file, which can be used to prevent the server
> from starting or allow the user guesses about the encryption used by
> lsh-server.
>
> Therefore it's strongly suggested to apply the patch from Niels.
>
> http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html
>
> Unstable will get a new version including the fix soon.

Please let us know which version in sid will fix the problem.

I've requested a CVE name and will provide it asap.

Regards,

Joey

--
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.