Package: lsh-server
Version: 2.0.1cdbs-3
Severity: grave
Tags: security
Tags: sarge
Tags: confirmed
Tags: pending
Justification: denial of service

As reported by Niels Möller, the author of lsh-utils, a user is able to access fd:s used by lsh.

When logging in through lsh-server a user is able to tamper with /var/spool/yarrow-seed-file, which can be used to prevent the server from starting or allow the user to make guesses about the encryption used by lsh-server.

Therefore it's strongly suggested to apply the patch from Niels.

http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html

Unstable will get a new version including the fix soon.

-- system information excluded
-- debconf information excluded

bye
Stefan Pfetzing

--
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.
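
The class of problem reported above, a server descriptor that remains reachable from a user's login session, can be checked for and closed off generically. The following is an added example, not the patch referenced in the report and not lsh code; it assumes the descriptors reach the session by surviving exec(), and the function names and the /dev/null stand-in for the seed file are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Scan limit: RLIMIT_NOFILE can be enormous, so cap it (assumption for the demo). */
static int fd_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return (n < 0 || n > 65536) ? 65536 : (int)n;
}

/* 1 if fd is open and would survive exec(); 0 if closed or close-on-exec. */
int fd_is_inheritable(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Audit: how many descriptors >= lowfd an exec'd user program would inherit. */
int count_inheritable(int lowfd)
{
    int n = 0, max = fd_limit();
    for (int fd = lowfd; fd < max; fd++)
        n += fd_is_inheritable(fd);
    return n;
}

/* Hardening: set FD_CLOEXEC on every open descriptor >= lowfd.
 * Returns the number of descriptors changed, or -1 on error. */
int mark_cloexec_from(int lowfd)
{
    int changed = 0, max = fd_limit();
    for (int fd = lowfd; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;                       /* closed, or already protected */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    int seed = open("/dev/null", O_RDWR);   /* constructed stand-in for a seed file fd */
    if (seed < 0)
        return 1;
    printf("inheritable before: %d\n", count_inheritable(3));
    mark_cloexec_from(3);                   /* run just before exec'ing the user's shell */
    printf("inheritable after:  %d\n", count_inheritable(3));
    return close(seed);
}
```

Opening such files with O_CLOEXEC in the first place avoids the window between open() and the later fcntl() call.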