ubuntu-vm-builder: uses vulnerable ssh daemon (doesn't draw from security repo)
Disconnect
ubbugs at sigkill.net
Fri Oct 10 13:44:43 UTC 2008
Package: ubuntu-vm-builder
Version: 0.4-0ubuntu0.1
Severity: grave
Justification: user security hole
Tags: security
*** Please type your report below this line ***
Doesn't use security or updates repo, so the opensshd daemon generates
bad keys. (And massive updates and a restart are needed after vm is
built - old kernel, etc.)
-- System Information:
Debian Release: lenny/sid
APT prefers hardy-updates
APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500,
'hardy-backports'), (500, 'hardy')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-19-server (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ubuntu-vm-builder depends on:
ii debootstrap 1.0.9~hardy1 Bootstrap a basic Debian system
ii kpartx 0.4.8-7ubuntu2 create device mappings for
partiti
ii parted 1.7.1-5.1ubuntu9.1 The GNU Parted disk
partition resi
ii qemu 0.9.1-1ubuntu1 fast processor emulator
ubuntu-vm-builder recommends no packages.
-- no debconf information
More information about the ubuntu-users
mailing list