ubuntu-vm-builder: uses vulnerable ssh daemon (doesn't draw from security repo)

Disconnect ubbugs at sigkill.net
Fri Oct 10 13:44:43 UTC 2008

Package: ubuntu-vm-builder
Version: 0.4-0ubuntu0.1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***
Doesn't use security or updates repo, so the opensshd daemon generates 
bad keys. (And massive updates and a restart are needed after vm is 
built - old kernel, etc.)

-- System Information:
Debian Release: lenny/sid
   APT prefers hardy-updates
   APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500, 
'hardy-backports'), (500, 'hardy')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-19-server (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ubuntu-vm-builder depends on:
ii  debootstrap           1.0.9~hardy1       Bootstrap a basic Debian system
ii  kpartx                0.4.8-7ubuntu2     create device mappings for 
ii  parted                1.7.1-5.1ubuntu9.1 The GNU Parted disk 
partition resi
ii  qemu                  0.9.1-1ubuntu1     fast processor emulator

ubuntu-vm-builder recommends no packages.

-- no debconf information

More information about the ubuntu-users mailing list