Your message dated Thu, 5 Aug 2021 21:36:46 +0200 with message-id <31dc2748-889b-78f2-5ae9-2545704d0613@debian.org> and subject line Re: Bug#991781: RFR: fail2ban can't send e-mail using mail from bsd-mailx has caused the Debian Bug report #991781, regarding fail2ban is broken with mail from bsd-mailx to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
991781: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991781
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: fix for CVE-2021-32749 breaks systems with mail from bsd-mailx
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Fri, 23 Jul 2021 19:44:08 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2107231942370.19779@postfach.intern.alteholz.me>
Package: fail2ban
Version: 0.11.2-2
Severity: important

According to upstream's security advisory [1] CVE-2021-32749 only affects systems where the mail utility from the mailutils package is installed. The recommended fix [2] is to add a new parameter "-E" to the invocation of mail. Unfortunately this fix breaks other implementations of mail, especially the version from package bsd-mailx. Thus upstream recommends in the Workaround section of the advisory to only manually patch the systems where the mailutils-mail is used.

According to popcon the numbers of systems where mailutils-mail and bsd-mailx-mail are used are about even. So applying upstream's fix now breaks about half of the systems using fail2ban.

The corresponding upstream bug #3069 [3] did not get any attention yet.

Thorsten

[1] https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
[2] https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844
[3] https://github.com/fail2ban/fail2ban/issues/3069
--- End Message ---
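A quick audit of the mismatch reported above, as an added example that is not part of the original report or of fail2ban: it classifies the `mail` provider from its resolved path and counts action files that contain the `-E 'set escape'` string quoted later in this thread. The path patterns (`mail.mailutils`, `bsd-mailx`), the function names and the sample action files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not fail2ban or Debian code.

# Classify the mail provider from the resolved path of `mail`.
# Assumption: binary names follow Debian packaging (mail.mailutils, bsd-mailx).
mail_provider() {
    case "$1" in
        *mailutils*) echo mailutils ;;
        *bsd-mailx*) echo bsd-mailx ;;
        *)           echo unknown ;;
    esac
}

# Count action files in directory $1 that invoke mail with -E 'set escape'.
patched_count() {
    grep -l -F -e "-E 'set escape'" "$1"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# Report the combination: $1 = resolved mail path, $2 = action.d directory.
audit() {
    provider=$(mail_provider "$1")
    patched=$(patched_count "$2")
    case "$provider:$patched" in
        mailutils:0) echo "VULNERABLE: mailutils mail without -E 'set escape'" ;;
        mailutils:*) echo "OK: mailutils mail, $patched file(s) carry the fix" ;;
        bsd-mailx:0) echo "OK: bsd-mailx mail, fix not applied" ;;
        bsd-mailx:*) echo "BROKEN: -E 'set escape' in $patched file(s) breaks bsd-mailx mail" ;;
        *)           echo "UNKNOWN: inspect $1 by hand" ;;
    esac
}

# Constructed sample: one action file with the fix, one without.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "actionban = printf 'ban' | mail -E 'set escape' -s \"ban\" root" > "$d/a.conf"
    printf '%s\n' "actionban = printf 'ban' | mail -s \"ban\" root" > "$d/b.conf"
    audit /usr/bin/bsd-mailx "$d"
    audit /usr/bin/mail.mailutils "$d"
    rm -r "$d"
}
demo
```

On a real system the call would be `audit "$(readlink -f "$(command -v mail)")" /etc/fail2ban/action.d`.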
--- Begin Message ---
- To: 991781-done@bugs.debian.org
- Subject: Re: Bug#991781: RFR: fail2ban can't send e-mail using mail from bsd-mailx
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 5 Aug 2021 21:36:46 +0200
- Message-id: <31dc2748-889b-78f2-5ae9-2545704d0613@debian.org>
- In-reply-to: <20210805043719.GA4053@jbr.me.uk>
- References: <alpine.DEB.2.21.2107231942370.19779@postfach.intern.alteholz.me> <30ed3f39-3dc8-3771-f2b3-09fcf3cf7b22@debian.org> <20210805043719.GA4053@jbr.me.uk>
Hi,

On 05-08-2021 06:37, Justin B Rye wrote:
> Paul Gevers wrote:
> Don't these need to be <systemitem role="package">? I'm not sure what
> <systemitem> on its own does.
>
>> + <systemitem>bsd-mailx</systemitem> that wish
>
> English fix: I'd prefer who wish
>
>> + <systemitem>fail2ban</systemitem> to send out e-mail, should
>
> English fix: better without a comma here ^
>
>> + either switch to a different provide for <command>mail</command>
>
> English fix: typo provider
>
> (but if there's no other provider, we might as well say "switch
> to mailutils")
>
>> + or manually unapply <ulink
>> + url="https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844">the
>> + upstream commit</ulink> (all files are in
>> + <filename>/etc/fail2ban/action.d/</filename>).
>> + </para>
>> + </section>
>> +
>
> A suggestion for a slightly more detailed version:
>
> or manually unapply <ulink
> url="https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844">the
> upstream commit</ulink> (which inserted the string
> "<literal>-E 'set escape'</literal>" in multiple places under
> <filename>/etc/fail2ban/action.d/</filename>).

Pushed with those changes.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
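Review bot: In the quoted release-notes hunk, the "or manually unapply ... the upstream commit" option gives no condition for when the revert is safe. The bug report earlier in this thread states that CVE-2021-32749 affects systems where mail comes from mailutils, so the paragraph should say that unapplying the commit is only appropriate while bsd-mailx provides mail, and that the change has to be restored if the system later switches to mailutils. A short sentence after the closing parenthesis of "(all files are in <filename>/etc/fail2ban/action.d/</filename>)" would cover it.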