Red Hat Bugzilla – Bug 218824
CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
Last modified: 2007-11-30 17:11:51 EST
"DenyHosts 2.5 does not properly parse sshd logs file, which allows remote
attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial
of service by adding arbitrary IP addresses to the sshd log file, as
demonstrated by logging in to ssh using a login name containing certain strings
with an IP address, which is not properly handled by a regular expression."
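The parsing failure the description refers to, as an added illustration (not DenyHosts' own code or regexes): a loose pattern takes the first "from <ip>" it sees, so an attacker-chosen login name that embeds such a fragment decides which address gets blocked, whereas a pattern anchored to the end of sshd's message format recovers the real peer address. The log lines, patterns and function names are constructed for this example.

```python
import re

# Constructed sshd log lines (not from the page). The third line's login name
# is attacker-chosen and embeds its own "from <ip>" fragment.
SAMPLE_LINES = [
    "Dec 10 12:00:01 gw sshd[1234]: Invalid user bob from 203.0.113.5",
    "Dec 10 12:00:02 gw sshd[1235]: Failed password for invalid user carol from 203.0.113.6 port 4000 ssh2",
    "Dec 10 12:00:03 gw sshd[1236]: Invalid user x from 192.0.2.1 from 203.0.113.7",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Loose pattern (assumed for illustration): the first "from <ip>" anywhere in
# the line wins, so a login name echoed by sshd can supply the address.
LOOSE_RE = re.compile(r"from " + IPV4)

# Anchored pattern: the peer address sshd writes at the end of its message,
# optionally followed by " port N" and " ssh2"; the greedy .* swallows
# anything the login name contains.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) .* from "
    + IPV4 + r"(?: port \d+)?(?: ssh2)?$"
)


def valid_ipv4(addr):
    """Reject dotted quads with out-of-range octets before they reach hosts.deny."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def extract_loose(line):
    m = LOOSE_RE.search(line)
    return m.group(1) if m else None


def extract_strict(line):
    m = STRICT_RE.search(line)
    if not m or not valid_ipv4(m.group(1)):
        return None
    return m.group(1)


def offenders(lines, extract):
    """Addresses a DenyHosts-like tool would block using the given extractor."""
    return {ip for ip in map(extract, lines) if ip}
```

Diffing `offenders(SAMPLE_LINES, extract_loose)` against `offenders(SAMPLE_LINES, extract_strict)` shows the injected 192.0.2.1 replacing the true source 203.0.113.7 under the loose pattern.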
Based on version numbers, affects FE-3+ and EPEL-4+
Upstream has released DenyHosts 2.6 to correct this issue; currently building
for rawhide and if successful will be pushed on all branches later today.
Updates (package version 2.6-2) pushed for FC-3, FC-4, FC-5, FC-6, EL-4, EL-5