Re: RFC: fail2ban wheezy security update
I run postfix at home, and I just installed your new package. It does
look pretty good so far. It also reminds me I should pay more attention to
my logs: there are a lot of attempts to connect from unauthorized
people. Of course I'm sure that happens everywhere, which is why we use
fail2ban in the first place!
On Mon, 2014-07-07 at 17:55 -0400, Yaroslav Halchenko wrote:
> Dear Security Enthusiasts,
>
> Would someone be kind enough to verify the correct operation of a prospective security
> update for the Fail2Ban package in wheezy, especially if you are using
> postfix, cyrus imap, courier smtp, exim, or lighttpd. Unfortunately the amount of
> changes to those filter definitions was quite large, and I have tried to do my
> best to verify their correct operation on the sample log lines we have in recent
> Fail2Ban, but I could have missed something obvious since I have no working
> deployments of postfix etc.
>
> These changes will later be reapplied (where applicable) on top of the
> squeeze LTS version as well (I haven't looked into it yet).
>
> I am attaching the debdiff and the .deb package could be found at
> http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
> signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
> sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794
>
> If you prefer to review changes online, here is the corresponding
> pull request: https://github.com/fail2ban/fail2ban/pull/757
>
> Corresponding changelog, hinting at those filters which were affected by
> the fixes -- the rest of fail2ban should not have been affected:
>
> fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
>
> * Use anchored failregex for filters to avoid possible DoS. Manually
> picked up from the current status of 0.8 branch (as of
> 0.8.13-29-g09b2016):
> - CVE-2013-7176: postfix.conf - anchored on the front, expects
> "postfix/smtpd" prefix in the log line
> - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
> refactored to have a single failregex
> - couriersmtp.conf - anchored on both sides
> - exim.conf - front-anchored versions picked up from exim.conf
> and exim-spam.conf
> - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
>
> -- Yaroslav Halchenko <debian@onerussian.com> Sun, 22 Jun 2014 11:56:54 -0400
>
> Thank you very much and please CC me.
>
> Best regards,
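For anyone who wants to see why the changelog insists on anchored failregex lines, here is a small added example (my own code, not fail2ban's filter definitions). It applies an illustrative unanchored postfix pattern and a front-anchored one that requires the "postfix/smtpd" prefix to a few constructed mail.log lines. The log lines, the simplified "<HOST>" expansion and the simplified "hostname daemon[pid]:" prefix (fail2ban's real __prefix_line is more permissive) are all assumptions made for the illustration. The point it shows: an unanchored pattern can be satisfied by text the remote client controls elsewhere in the line (a HELO argument, a mail header echoed by a cleanup warning), so the address it extracts, and that fail2ban then bans, can be one of the attacker's choosing; the anchored pattern only ever returns the connecting client.

```python
import re

# Simplified stand-in for fail2ban's <HOST> placeholder (an assumption: the
# real expansion also accepts IPv4-mapped IPv6 prefixes).
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Illustrative postfix failregex pair written for this example. The first is
# unanchored and may match anywhere in the line; the second is front-anchored
# and requires a postfix/smtpd prefix, as the changelog describes for the fixed
# filter. "hostname daemon[pid]:" is a simplification of fail2ban's __prefix_line.
UNANCHORED = re.compile(r"reject: RCPT from \S+\[" + HOST + r"\]: 554 5\.7\.1")
ANCHORED = re.compile(
    r"^\S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\["
    + HOST + r"\]: 554 5\.7\.1"
)

# fail2ban strips the timestamp before matching; do the same for a syslog
# "Mon DD HH:MM:SS " prefix so that "^" anchors at the hostname.
TIMESTAMP = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")

# Constructed log lines (not captured from a real mail server):
#  1. a genuine relay rejection of client 198.51.100.7
#  2. the same client rejected with a different code, but with a HELO
#     argument crafted to look like a rejection of 203.0.113.5
#  3. a postfix/cleanup header warning whose Subject: carries a fake
#     rejection of 203.0.113.9
#  4. an unrelated line
LOG = [
    "Jul  8 10:00:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 554 5.7.1 <spam@example.net>: Relay access denied; "
    "from=<a@example.com> to=<spam@example.net> proto=ESMTP helo=<x>",
    "Jul  8 10:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 450 4.1.8 <a@nx.invalid>: Sender address rejected: "
    "Domain not found; from=<a@nx.invalid> to=<u@example.org> proto=ESMTP "
    "helo=<reject: RCPT from unknown[203.0.113.5]: 554 5.7.1>",
    "Jul  8 10:00:03 mail postfix/cleanup[1240]: 3A2B1C0FF: warning: header "
    "Subject: reject: RCPT from evil[203.0.113.9]: 554 5.7.1 "
    "from unknown[198.51.100.7]; from=<a@example.com> to=<u@example.org>",
    "Jul  8 10:00:04 mail postfix/smtpd[1234]: connect from unknown[198.51.100.7]",
]


def extract_hosts(regex, lines):
    """Return the <host> value the regex pulls out of each matching line,
    in log order. This is what fail2ban would hand to the ban action."""
    hosts = []
    for line in lines:
        m = regex.search(TIMESTAMP.sub("", line, count=1))
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    # Unanchored: the genuine client plus two addresses the client chose.
    print("unanchored:", extract_hosts(UNANCHORED, LOG))
    # Anchored: only the genuine client.
    print("anchored:  ", extract_hosts(ANCHORED, LOG))
```

To check the updated package's real filters against your own logs rather than this toy, run fail2ban-regex with the log file and the filter file, e.g. fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf, and confirm that every reported match comes from a postfix/smtpd line and that the host it extracts is the connecting client.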