Stefan Pfetzing wrote:
> Package: lsh-server
> Version: 2.0.1cdbs-3
> Severity: grave
> Tags: security
> Tags: sarge
> Tags: confirmed
> Tags: pending
> Justification: denial of service
>
> As reported by Niels Möller, the author of lsh-utils, a user is able to
> access fd:s used by lsh.
>
> When logging in through lsh-server a user is able to tamper with
> /var/spool/yarrow-seed-file, which can be used to prevent the server
> from starting or allow the user to make guesses about the encryption used by
> lsh-server.
>
> Therefore it's strongly suggested to apply the patch from Niels.
>
> http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html
>
> Unstable will get a new version including the fix soon.
Please let us know which version in sid will fix the problem.
I've requested a CVE name and will provide it asap.
Regards,
Joey
--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Please always Cc to me when replying to me on the lists.
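
The report quoted above concerns file descriptors held by the server being reachable from a user's login session. The following C code is an added example, not part of this thread and not the referenced patch: it audits which open descriptors would be inherited across exec() and marks them close-on-exec. It assumes inheritance across fork/exec is the route (the thread does not say), and the function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>

/* Upper bound on descriptor numbers to scan: soft RLIMIT_NOFILE, capped. */
static int fd_scan_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur > 65536)
        return 65536;
    return (int)rl.rlim_cur;
}

/* Count open descriptors >= lowfd without FD_CLOEXEC, i.e. those a
 * program exec'd for the user would still hold. */
int count_inheritable_fds(int lowfd)
{
    int n = 0, max = fd_scan_limit();
    for (int fd = lowfd; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);   /* -1 means fd is not open */
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Set FD_CLOEXEC on every open descriptor >= lowfd.
 * Returns the number of descriptors changed, or -1 on error. */
int close_on_exec_from(int lowfd)
{
    int changed = 0, max = fd_scan_limit();
    for (int fd = lowfd; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY); /* constructed stand-in for a server-private file */
    printf("inheritable before: %d\n", count_inheritable_fds(3));
    close_on_exec_from(3);
    printf("inheritable after:  %d\n", count_inheritable_fds(3));
    return fd == -1;
}
```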