
[DLA-0021-1] fail2ban security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package        : fail2ban
Version        : 0.8.4-3+squeeze3
CVE ID         : CVE-2013-7176 CVE-2013-7177

  * Use anchored failregex for filters to avoid possible DoS.  Manually
    picked up from the current status of 0.8 branch (as of
    0.8.13-29-g09b2016):
    - CVE-2013-7176: postfix.conf - anchored on the front, expects
      "postfix/smtpd" prefix in the log line
    - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
      refactored to have a single failregex
    - couriersmtp.conf - anchored on both sides
    - exim.conf - front-anchored versions picked up from exim.conf
      and exim-spam.conf
    - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
    (copied from the Wheezy version)
  * Catch also failed logins via secured (imaps/pop3s) for cyrus-imap.
    Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
    Debian bug #755173
  * cyrus-imap: catch "user not found" attempts


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFT04SU02K2KlS5mJARAuvKAJ49sMZOvLjzHgf3IeQDRYq9XDjDogCghxvE
VxmpRmEQ5Mvok7od+knaeQU=
=qZCO
-----END PGP SIGNATURE-----
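
An added example (not part of the advisory and not fail2ban's own code) showing what front-anchoring a failregex changes about which address gets extracted from a log line. The two patterns, the IPv4-only `<HOST>` expansion, the helper names and the log lines are all constructed for illustration; they are not the shipped filter contents.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def is_front_anchored(failregex):
    """Heuristic: the pattern starts with '^' (does not analyse alternations)."""
    return failregex.lstrip().startswith("^")

def host_to_ban(failregex, line):
    """Return the address the pattern would extract from the line, or None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None

def disagreements(old, new, lines):
    """Lines where two patterns extract different hosts (filter-update check)."""
    out = []
    for line in lines:
        a, b = host_to_ban(old, line), host_to_ban(new, line)
        if a != b:
            out.append((line, a, b))
    return out

# Hypothetical patterns written for this example, not the real postfix.conf.
UNANCHORED = r"reject: RCPT from \S+\[<HOST>\]: 554"
ANCHORED = (r"^\S+ postfix/smtpd\[\d+\]: NOQUEUE: "
            r"reject: RCPT from \S+\[<HOST>\]: 554")

# Constructed log lines (timestamp already removed), documentation addresses.
GENUINE = ("mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
           "unknown[203.0.113.7]: 554 5.7.1 Relay access denied")
# Constructed record from another daemon that echoes client-supplied text.
ECHOED = ('mx1 otherdaemon[2102]: client 203.0.113.7 sent '
          '"reject: RCPT from x[198.51.100.9]: 554"')

if __name__ == "__main__":
    for name, rx in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, "front-anchored:", is_front_anchored(rx))
        for line in (GENUINE, ECHOED):
            print("  host:", host_to_ban(rx, line))
    for line, a, b in disagreements(UNANCHORED, ANCHORED, [GENUINE, ECHOED]):
        print("differs:", a, "->", b)
```

The unanchored pattern takes the address from the echoed text rather than from the real client, while the anchored pattern ignores that line entirely, which is the behaviour the prefix requirement in the update is meant to enforce.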

