[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: fail2ban wheezy security update

I run a postfix at home, and I just installed your new package.  It does
look pretty good so far.  Also reminds me I should pay more attention to
my logs.  There are a lot of attempts to connect from unauthorized
people.  Of course I'm sure that happens everywhere, which is why we use
fail2ban in the first place!

On Mon, 2014-07-07 at 17:55 -0400, Yaroslav Halchenko wrote:
> Dear Security Enthusiasts,
> Would someone be kind to verify correct operation of a perspective security
> update for the Fail2Ban package in wheezy.  Especially if you are using
> postfix, cyrus imap, courier smtp, exim, or lighttpd.  Unfortunately amount of
> changes to those filters definitions was quite large, and I have tried to do my
> best to verify their correct operation on sample log lines we have in recent
> Fail2Ban, but I could have missed something obvious since I have no working
> deployments of postfix etc.
> These changes will later me reapplied (where applicable) on top of the
> squeeze LTS version as well (haven't looked into it yet).
> I am attaching the debdiff and the .deb package could be found at
> http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
> signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
> sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794
> If you prefer to review changes online, here is the corresponding
> pull request: https://github.com/fail2ban/fail2ban/pull/757
> Corresponding changelog, hinting on those filters which were affected by
> the fixes -- the rest of the fail2ban should have not been affected
> fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
>   * Use anchored failregex for filters to avoid possible DoS.  Manually
>     picked up from the current status of 0.8 branch (as of
>     0.8.13-29-g09b2016):
>     - CVE-2013-7176: postfix.conf - anchored on the front, expects
>       "postfix/smtpd" prefix in the log line
>     - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
>       refactored to have a single failregex
>     - couriersmtp.conf - anchored on both sides
>     - exim.conf - front-anchored versions picked up from exim.conf
>       and exim-spam.conf
>     - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
>  -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400
> Thank you very much and please CC me.
> Best regards,

Reply to: