Your message dated Thu, 20 Jan 2022 22:34:04 +0000
with message-id <[email protected]>
and subject line Bug#991449: fixed in fail2ban 0.11.2-5
has caused the Debian Bug report #991449,
regarding fix for CVE-2021-32749 breaks systems with mail from bsd-mailx
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
991449: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991449
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version:  0.11.2-2
Severity: important

According to upstreams security advisory [1] CVE-2021-32749 only affects systems where the mail utility from the mailutils package is installed. The recommended fix [2] is to add a new parameter "-E" to the invocation of mail. Unfortunately this fix breaks other implementations of mail, especially the version from package bsd-mailx. Thus upstream recommends in the Workaround section of the advisory to only manually patch the
systems where the mailutils-mail is used.

According to popcon the numbers of systems where mailutils-mail and bsd-mailx-mail are used is about even. So applying upstreams fix now breaks about half of the systems using fail2ban.

The corresponding upstream bug #3069 [3] did not get any attention yet.

  Thorsten



[1] https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm [2] https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844
[3] https://github.com/fail2ban/fail2ban/issues/3069

--- End Message ---
--- Begin Message ---
Source: fail2ban
Source-Version: 0.11.2-5
Done: Sylvestre Ledru <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <[email protected]> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 20 Jan 2022 23:21:44 +0100
Source: fail2ban
Architecture: source
Version: 0.11.2-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Sylvestre Ledru <[email protected]>
Closes: 991449
Changes:
 fail2ban (0.11.2-5) unstable; urgency=medium
 .
   * Revert the CVE-2021-32749 fix (Closes: #991449)
     Debian bookworm has the mailutils version with the proper fix
Checksums-Sha1:
 e8621ee29543828d5aafc99a39ae1f1d96a95220 2045 fail2ban_0.11.2-5.dsc
 b70db24159edda4d9d0d4eaae8405fb80f8e6676 31272 fail2ban_0.11.2-5.debian.tar.xz
 9fc79fc15a61b122c2418edf0114223d07b005c3 6740 fail2ban_0.11.2-5_amd64.buildinfo
Checksums-Sha256:
 07a49a571b3eb9c5f00005973b7870c864f3972cca2302be0525f3eaba7f4254 2045 
fail2ban_0.11.2-5.dsc
 89871941c3d806981a9f9ad5cb31d0787751651c55feddf982854a963cf5bbf7 31272 
fail2ban_0.11.2-5.debian.tar.xz
 f3bd4416a802b2d1c3093cf9b2fba6a5269ccae06c76517f2f063ca6991c0c2c 6740 
fail2ban_0.11.2-5_amd64.buildinfo
Files:
 fd46b16e284d4f78db5e49b95fc9949d 2045 net optional fail2ban_0.11.2-5.dsc
 41b96eefbc2cb82b1c4119ae68afdfc8 31272 net optional 
fail2ban_0.11.2-5.debian.tar.xz
 ccf4bb39fdda162c227ffc27d2802abd 6740 net optional 
fail2ban_0.11.2-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtg21mU05vsTRqVzPfmUo2nUvG+EFAmHp4Q8ACgkQfmUo2nUv
G+GQCw//V4CH94zXa++zLpU0KPTQEy1Fvoz8Kont9tSnw31zq8oUqB0e95xDfhkF
HEAt3AlkorGejm8kq+p9g/mkonTfUw+FWePKotWcmkgaunknsVFe3GG80v9sgrUs
+7LSxmFQgTHSs0ek4OfyZWgMwPhXyUsHU75F7KsokwsVIkR6vuztgAcGDgFFo8TR
u63UhnkLAmKxidBDXkGLm1xpFwYeTm72T8Jp9QUwo8A7B6hhFciWFKEsWZDjKMIw
mt6g7Cp8XVcZ91piYPN3owVXnAx1amYKE/h9XVzVmvzcy0Q6roqnxdhDXQdzDEdo
XamSp646hGqXcfNqVezx/Xrsrc8JUqoqRVMv0bv207mTo6knMRdcCMYwWXx0m+Lk
NpiXbckkWb4JS3S+GfqqdDepbqlnxpucLswb/DcMA7EDmQiMH9smgQ6zZ7adT3rT
UNj8GlupX2flYSkMYb3axQSYCvV+BU2WIjPwTGvdFXhqnYP7gWDOseTmBoUxmhbW
aZR7q2OEkPeRA98dS7VXoBxEbRLxuWNkF9RW79Byc5hQgixA/PR9Ys2/agC4CIQi
pigiDSb/N8KM77r4IVpmqXOMD6NhGjWuR6VVzrjpqbdG2oSUd2Q66pd5nk5x22EI
RMmrqvmpLvoUhjgKj1MRs+ibrmxYP2w6SOjDoQ1LCSiBXYc7RYM=
=C73b
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to