denyhosts: security fix cve-2013-6890
This commit is contained in:
parent
85d8efa346
commit
ec7cb6c098
@ -1,2 +1,6 @@
|
||||
fc2365305a9402886a2b0173d1beb7df DenyHosts-2.6.tar.gz
|
||||
a0abe102add4420e766cc90d0709f425 denyhosts-2.6-config.patch
|
||||
67e0d788356f9f7183c217a2eae71bf1 denyhosts-2.6-cve-2013-6890.patch
|
||||
79abdfcd7ce0859f2f3f134598a89209 denyhosts-2.6-log-injection-regex.patch
|
||||
6ed4e279640b8a5c0c04dd4193ac15e2 denyhosts-2.6-plugin_deny.patch
|
||||
dfd91828e48d97af2e77e009c67c4754 denyhosts-2.6-single_config_switch.patch
|
||||
|
@ -6,13 +6,23 @@
|
||||
|
||||
name=denyhosts
|
||||
version=2.6
|
||||
release=1
|
||||
release=2
|
||||
source=(http://downloads.sourceforge.net/project/$name/$name/$version/DenyHosts-$version.tar.gz
|
||||
denyhosts-$version-config.patch)
|
||||
denyhosts-$version-config.patch
|
||||
denyhosts-2.6-cve-2013-6890.patch
|
||||
denyhosts-2.6-log-injection-regex.patch
|
||||
denyhosts-2.6-single_config_switch.patch
|
||||
denyhosts-2.6-plugin_deny.patch)
|
||||
|
||||
build() {
|
||||
cd DenyHosts-$version
|
||||
|
||||
patch -p0 -i $SRC/$name-$version-config.patch
|
||||
patch -p1 -i $SRC/denyhosts-2.6-log-injection-regex.patch
|
||||
patch -p1 -i $SRC/denyhosts-2.6-single_config_switch.patch
|
||||
patch -p1 -i $SRC/denyhosts-2.6-plugin_deny.patch
|
||||
patch -p1 -i $SRC/denyhosts-2.6-cve-2013-6890.patch
|
||||
|
||||
/usr/bin/python setup.py install --root=$PKG
|
||||
|
||||
rm $PKG/usr/share/denyhosts/*.txt
|
||||
|
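Review bot: The order of the `patch -p1` lines in build() carries an undocumented dependency: the removed lines for FAILED_ENTRY_REGEX5 and FAILED_ENTRY_REGEX7 in denyhosts-2.6-cve-2013-6890.patch are exactly the lines that denyhosts-2.6-log-injection-regex.patch adds, so the CVE patch only applies after it; a comment above the block would protect that, e.g. `# the cve-2013-6890 patch was made against a tree with the log-injection regex patch already applied; keep it last`. The four new patch names also hard-code `2.6` where the existing config patch uses `$name-$version`, both in source=() and in build(); using one form keeps the next version bump to a single edit. build()'s closing brace is outside the hunk, and I am assuming the port builder aborts on a failed patch (set -e) — worth confirming, since a rejected hunk would otherwise be skipped and the package built without the fix.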
60
denyhosts/denyhosts-2.6-cve-2013-6890.patch
Normal file
@ -0,0 +1,60 @@
|
||||
Subject: address remote denial of service CVE-2013-6890
|
||||
From: Helmut Grohne <helmut () subdivi de>
|
||||
|
||||
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
|
||||
|
||||
results in a log lines
|
||||
|
||||
sshd[123]: Invalid user Invalid user root from 123.123.123.123 from 21.21.21.21
|
||||
sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]
|
||||
sshd[123]: Connection closed by 21.21.21.21 [preauth]
|
||||
|
||||
and causes denyhosts to block both ips 21.21.21.21 and 123.123.123.123.
|
||||
|
||||
This patch tightens the regular expressions used to avoid these and similar
|
||||
injections.
|
||||
|
||||
Index: denyhosts-2.6/DenyHosts/regex.py
|
||||
===================================================================
|
||||
--- denyhosts-2.6.orig/DenyHosts/regex.py 2013-12-22 11:54:42.000000000 +0100
|
||||
+++ denyhosts-2.6/DenyHosts/regex.py 2013-12-22 11:55:05.000000000 +0100
|
||||
@@ -6,22 +6,22 @@
|
||||
|
||||
#DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
|
||||
|
||||
-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
|
||||
+SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
|
||||
#SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
|
||||
|
||||
-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
|
||||
+FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
|
||||
|
||||
-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
|
||||
+FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
|
||||
|
||||
-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
|
||||
+FAILED_ENTRY_REGEX3 = None
|
||||
|
||||
-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
|
||||
+FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
|
||||
|
||||
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
|
||||
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
|
||||
|
||||
-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
|
||||
+FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
|
||||
|
||||
-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
|
||||
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
|
||||
|
||||
|
||||
# these are reserved for future versions
|
||||
@@ -42,7 +42,7 @@
|
||||
FAILED_ENTRY_REGEX_MAP[i] = rx
|
||||
|
||||
|
||||
-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
|
||||
+SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
|
||||
|
||||
TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
|
||||
|
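Review bot: The `$` placed directly after the host group in the new FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, FAILED_ENTRY_REGEX6 and SUCCESSFUL_ENTRY_REGEX rejects any line with text after the address, so a failed-login line that sshd ends with a trailing token (the description's own example shows a ` [preauth]` suffix, and OpenSSH versions I know of commonly append ` port N ssh2` to these lines) would no longer be counted at all, turning a denial-of-service fix into a silent detection gap. Verify against the sshd log format the port targets and, if such suffixes occur, permit them explicitly rather than dropping the anchor, e.g. `(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$`, keeping `(?P<user>.*)` greedy so the last ` from ` still selects the real address. Setting `FAILED_ENTRY_REGEX3 = None` also relies on every consumer of FAILED_ENTRY_REGEX_MAP skipping None entries; the context line `FAILED_ENTRY_REGEX_MAP[i] = rx` suggests a guarded loop, but that code is not visible here and should be confirmed before the `.search` call on a None entry can raise.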
21
denyhosts/denyhosts-2.6-log-injection-regex.patch
Normal file
@ -0,0 +1,21 @@
|
||||
Address Log injection reported at
|
||||
|
||||
http://bugs.gentoo.org/show_bug.cgi?id=181213
|
||||
|
||||
diff -ur a/DenyHosts/regex.py b/DenyHosts/regex.py
|
||||
--- a/DenyHosts/regex.py 2006-12-07 13:47:04.000000000 -0600
|
||||
+++ b/DenyHosts/regex.py 2007-06-19 18:51:54.000000000 -0500
|
||||
@@ -17,11 +17,11 @@
|
||||
|
||||
FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
|
||||
|
||||
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
|
||||
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
|
||||
|
||||
FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
|
||||
|
||||
-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
|
||||
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
|
||||
|
||||
|
||||
# these are reserved for future versions
|
23
denyhosts/denyhosts-2.6-plugin_deny.patch
Normal file
@ -0,0 +1,23 @@
|
||||
From: Marco Bertorello <marco@bertorello.ns0.it>
|
||||
Date: Thu, 14 Apr 2011 00:11:35 +0200
|
||||
Subject: 09_plugin_deny
|
||||
|
||||
Correct the upstream bug http://sourceforge.net/tracker/index.php?func=detail&aid=1734736&group_id=131204&atid=720419
|
||||
---
|
||||
DenyHosts/deny_hosts.py | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/DenyHosts/deny_hosts.py b/DenyHosts/deny_hosts.py
|
||||
index f308264..0f5f48d 100644
|
||||
--- a/DenyHosts/deny_hosts.py
|
||||
+++ b/DenyHosts/deny_hosts.py
|
||||
@@ -443,7 +443,7 @@ allowed based on your %s file""" % (self.__prefs.get("HOSTS_DENY"),
|
||||
self.__report.add_section(msg, new_denied_hosts)
|
||||
if self.__sync_server: self.sync_add_hosts(new_denied_hosts)
|
||||
plugin_deny = self.__prefs.get('PLUGIN_DENY')
|
||||
- if plugin_deny: plugin.execute(plugin_deny, deny_hosts)
|
||||
+ if plugin_deny: plugin.execute(plugin_deny, new_denied_hosts)
|
||||
|
||||
new_suspicious_logins = login_attempt.get_new_suspicious_logins()
|
||||
if new_suspicious_logins:
|
||||
--
|
24
denyhosts/denyhosts-2.6-single_config_switch.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From: Marco Bertorello <marco@bertorello.ns0.it>
|
||||
Date: Thu, 14 Apr 2011 00:11:35 +0200
|
||||
Subject: 11_single_config_switch
|
||||
|
||||
A patch to prevent denyhosts running with a double --config switch
|
||||
---
|
||||
daemon-control-dist | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/daemon-control-dist b/daemon-control-dist
|
||||
index 9f42b60..14d0f70 100755
|
||||
--- a/daemon-control-dist
|
||||
+++ b/daemon-control-dist
|
||||
@@ -144,7 +144,8 @@ if __name__ == '__main__':
|
||||
|
||||
try:
|
||||
if option in ('start', 'restart', 'condrestart'):
|
||||
- if '--config' not in args and '-c' not in args:
|
||||
+ anystartswith = lambda prefix, xs: any(map(lambda x: x.startswith(prefix), xs))
|
||||
+ if not anystartswith('--config', args) and '-c' not in args:
|
||||
args.append("--config=%s" % DENYHOSTS_CFG)
|
||||
|
||||
cmd = cases[option]
|
||||
--
|