Stefan Pfetzing

**Name of the Vulnerable Software and Affected Versions** lsh-server versions 2.0.1 and earlier lsh-client versions 2.0.1 and earlier lsh-utils versions 2.0.1 and earlier lsh-utils-doc versions 2.0.1 and earlier **Description** The issue concerns multiple vulnerabilities in the lsh package of the Debian GNU/Linux operating system, which can lead to breaches of confidentiality and availability of protected information. These vulnerabilities can be exploited by a local attacker. Specifically, in lshd for lsh 2.0.1, the unix random.c file leaks file descriptors related to the randomness generator. This allows local users to cause a denial of service by truncating the seed file, preventing the server from starting, or obtain sensitive seed information that could be used to crack keys. **Recommendations** For lsh-server version 2.0.1 and earlier, consider updating to a newer version to mitigate the risk. For lsh-client version 2.0.1 and earlier, consider updating to a newer version to mitigate the risk. For lsh-utils version 2.0.1 and earlier, consider updating to a newer version to mitigate the risk. For lsh-utils-doc version 2.0.1 and earlier, consider updating to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the `unix random.c` file to minimize the risk of exploitation.