Re: RFC: fail2ban wheezy security update

To: Yaroslav Halchenko <debian@onerussian.com>
Cc: debian-security@lists.debian.org, Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: RFC: fail2ban wheezy security update
From: Jason Fergus <leech@thefnords.org>
Date: Mon, 07 Jul 2014 16:41:04 -0600
Message-id: <[🔎] 1404772864.2925.3.camel@jfergusdeb.proofpoint.com>
In-reply-to: <[🔎] 20140707215528.GK19216@onerussian.com>
References: <[🔎] 20140707215528.GK19216@onerussian.com>

I run a postfix at home, and I just installed your new package.  It does
look pretty good so far.  Also reminds me I should pay more attention to
my logs.  There are a lot of attempts to connect from unauthorized
people.  Of course I'm sure that happens everywhere, which is why we use
fail2ban in the first place!

On Mon, 2014-07-07 at 17:55 -0400, Yaroslav Halchenko wrote:
> Dear Security Enthusiasts,
> 
> Would someone be kind to verify correct operation of a perspective security
> update for the Fail2Ban package in wheezy.  Especially if you are using
> postfix, cyrus imap, courier smtp, exim, or lighttpd.  Unfortunately amount of
> changes to those filters definitions was quite large, and I have tried to do my
> best to verify their correct operation on sample log lines we have in recent
> Fail2Ban, but I could have missed something obvious since I have no working
> deployments of postfix etc.
> 
> These changes will later me reapplied (where applicable) on top of the
> squeeze LTS version as well (haven't looked into it yet).
> 
> I am attaching the debdiff and the .deb package could be found at
> http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
> signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
> sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794
> 
> If you prefer to review changes online, here is the corresponding
> pull request: https://github.com/fail2ban/fail2ban/pull/757
> 
> Corresponding changelog, hinting on those filters which were affected by
> the fixes -- the rest of the fail2ban should have not been affected
> 
> fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
> 
>   * Use anchored failregex for filters to avoid possible DoS.  Manually
>     picked up from the current status of 0.8 branch (as of
>     0.8.13-29-g09b2016):
>     - CVE-2013-7176: postfix.conf - anchored on the front, expects
>       "postfix/smtpd" prefix in the log line
>     - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
>       refactored to have a single failregex
>     - couriersmtp.conf - anchored on both sides
>     - exim.conf - front-anchored versions picked up from exim.conf
>       and exim-spam.conf
>     - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
> 
>  -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400
> 
> Thank you very much and please CC me.
> 
> Best regards,

Reply to:

Follow-Ups:
- Re: RFC: fail2ban wheezy security update
  - From: Tomasz Ciolek <tmc@vandradlabs.com.au>

References:
- RFC: fail2ban wheezy security update
  - From: Yaroslav Halchenko <debian@onerussian.com>

Prev by Date: AUTO: Jan Hübner ist außer Haus (Rückkehr am 28.07.2014)
Next by Date: Re: concrete steps for improving apt downloading security and privacy
Previous by thread: RFC: fail2ban wheezy security update
Next by thread: Re: RFC: fail2ban wheezy security update
Index(es):
- Date
- Thread