fail2ban uploaded into sid fixing security issue
Dear Release Team,
Yesterday a fresh bug report [1] spoiled my day.
It concerns the ability to run a DoS on a victim through injection of the
victim's IP into a domain name...
I've uploaded fixed versions into both sid and experimental, with the version in sid:
fail2ban (0.8.3-2sid1) unstable; urgency=low
  * BF: anchoring regex for IP with " *$" at the end + adjust regexp for
    <HOST> (closes: #514163)
  * NF: adding unittests for previous commit
Unfortunately sid's version was already 1 Debian revision ahead of
lenny's, but that revision is also a bug fix, although not
security-related:
fail2ban (0.8.3-2) unstable; urgency=low
  * BF in apache-noscript.conf - regexp matched in referer (Closes: #492319).
    Thanks Bernd Zeimetz.
  * BF: extended apache-noscript with additional regexp
 -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 25 Jul 2008 13:33:56 -0400
As you can see, the change in -2 has been in sid for half a year without additional
bug reports about the introduced changes.
I wonder if it would be possible to push the (0.8.3-2sid1) version into lenny,
or should I prep yet another version (0.8.3-1lenny1) with only the
security-related change in it?
P.S. team@security was already contacted with the necessary diff against etch
(stable-security).
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163
--
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
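The bug and fix described in the message above, as an added illustration that is neither the fail2ban package's code nor part of the original message: the failregex, the dotted-quad pattern and the log lines are constructed approximations of how fail2ban turns a <HOST> capture into an address, showing why an unanchored IP search lets a hostname that carries someone else's address be treated as that address, and how anchoring with " *$" closes it.

```python
import re
from typing import Optional

# Constructed stand-ins (not fail2ban's real code): a failregex whose <HOST>
# placeholder has been expanded to a non-space capture, and the dotted-quad
# pattern used to decide whether the captured token is an IP address.
FAILREGEX = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed"
)
IP_PATTERN = r"(?:\d{1,3}\.){3}\d{1,3}"

# Constructed log lines: the first names a real client address, the second a
# hostname whose leading labels spell an unrelated address (the "victim").
LOG_LINES = [
    "sshd[1]: reverse mapping checking getaddrinfo for 198.51.100.7 failed",
    "sshd[2]: reverse mapping checking getaddrinfo for "
    "203.0.113.9.attacker.invalid failed",
]


def host_token(line: str) -> Optional[str]:
    """Return the <HOST> capture for a matching line, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def ip_unanchored(token: str) -> Optional[str]:
    """Pre-fix behaviour: any dotted quad found inside the token is accepted."""
    m = re.search(IP_PATTERN, token)
    return m.group(0) if m else None


def ip_anchored(token: str) -> Optional[str]:
    """Post-fix behaviour: the token must be an IP up to trailing blanks."""
    m = re.match(r"(?P<ip>" + IP_PATTERN + r") *$", token)
    return m.group("ip") if m else None


def ban_candidates(lines, extract) -> list:
    """Addresses a ban action would act on, given an IP extractor."""
    out = []
    for line in lines:
        token = host_token(line)
        if token is None:
            continue
        ip = extract(token)
        # A non-IP token would go to DNS resolution in fail2ban; here it is
        # only recorded as unresolved so that nothing is banned on its behalf.
        out.append(ip if ip else f"unresolved:{token}")
    return out
```

With the unanchored extractor the second line yields 203.0.113.9 as a ban candidate even though that address never connected; with the anchored one the token falls through as a hostname instead.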