Hi, this is my debdiff for fixing CVE-2013-7176 and CVE-2013-7177 in fail2ban.
Please give the packages from [1] some real-world testing before I upload them to squeeze-lts.
Thanks! Thorsten [1] http://people.debian.org/~alteholz/packages/fail2ban/ diff -u fail2ban-0.8.4/debian/changelog fail2ban-0.8.4/debian/changelog --- fail2ban-0.8.4/debian/changelog +++ fail2ban-0.8.4/debian/changelog @@ -1,3 +1,20 @@ +fail2ban (0.8.4-3+squeeze3) squeeze-lts; urgency=high + + * Use anchored failregex for filters to avoid possible DoS. Manually + picked up from the current status of 0.8 branch (as of + 0.8.13-29-g09b2016): + - CVE-2013-7176: postfix.conf - anchored on the front, expects + "postfix/smtpd" prefix in the log line + - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and + refactored to have a single failregex + - couriersmtp.conf - anchored on both sides + - exim.conf - front-anchored versions picked up from exim.conf + and exim-spam.conf + - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf + (copied from the Wheezy version) + + -- Thorsten Alteholz <deb...@alteholz.de> Sun, 20 Jul 2014 16:00:00 +0200 + fail2ban (0.8.4-3+squeeze2) squeeze-security; urgency=high * Anchor apache- filters failregexes to avoid possible DoS on servers only in patch2: unchanged: --- fail2ban-0.8.4.orig/config/filter.d/lighttpd-fastcgi.conf +++ fail2ban-0.8.4/config/filter.d/lighttpd-fastcgi.conf 
@@ -3,13 +3,23 @@ # Author: Arturo 'Buanzo' Busleiman <bua...@buanzo.com.ar> # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex # Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module # Values: TEXT # -failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\' +_daemon = (?:lighttpd|suhosin) + +_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) + +failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.4.orig/config/filter.d/exim.conf +++ fail2ban-0.8.4/config/filter.d/exim.conf @@ -14,7 +14,14 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address) + +# In versions >= 0.8.11 below strings defined in exim-common.conf + +host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )? +pid = ( \[\d+\])? + +failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$ + ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.4.orig/config/filter.d/cyrus-imap.conf +++ fail2ban-0.8.4/config/filter.d/cyrus-imap.conf @@ -4,6 +4,11 @@ # # $Revision: 728 $ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf [Definition] 
@@ -14,10 +19,9 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$ - : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$ - : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$ - : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$ +_daemon = (?:cyrus/)?(?:imapd?|pop3d?) + +failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.4.orig/config/filter.d/couriersmtp.conf +++ fail2ban-0.8.4/config/filter.d/couriersmtp.conf @@ -5,6 +5,12 @@ # $Revision: 728 $ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex @@ -14,7 +20,9 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = error,relay=<HOST>,.*550 User unknown +_daemon = courieresmtpd + +failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.4.orig/config/filter.d/postfix.conf +++ fail2ban-0.8.4/config/filter.d/postfix.conf @@ -5,6 +5,12 @@ # $Revision: 728 $ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex 
@@ -14,7 +20,9 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = reject: RCPT from (.*)\[<HOST>\]: 554 +_daemon = postfix/smtpd + +failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
Archive: https://lists.debian.org/alpine.deb.2.02.1407201654050.15...@jupiter.server.alteholz.net
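Review bot: the debian/changelog hunk names the upstream state the patterns were taken from (0.8.13-29-g09b2016) but says nothing about which squeeze log lines the five rewritten failregexes were checked against, and the cover mail itself asks for real-world testing; since couriersmtp, exim and lighttpd-fastcgi are tightened here without a CVE behind them, a line per filter saying "matched against a squeeze log sample" (or that no sample was available) would make the LTS upload reviewable later. The entry also describes exim.conf as "front-anchored versions picked up" without mentioning that the rewritten patterns only match specific message shapes (see the exim.conf hunk), which a changelog reader would want to know.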
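Review bot: the `[INCLUDES] before = common.conf` block added in the lighttpd-fastcgi.conf hunk (and repeated in cyrus-imap.conf, couriersmtp.conf and postfix.conf) makes every new `^%(__prefix_line)s`-anchored failregex depend on common.conf expanding `__prefix_line` in terms of the per-filter `_daemon`, yet this debdiff does not touch common.conf; please confirm the common.conf shipped in 0.8.4-3+squeeze2 provides both, because if it does not the anchored patterns never match and the filters silently stop banning rather than failing loudly. In the lighttpd pattern itself the `.*` between `ALERT - ` and `\(attacker '` is greedy, so it is the trailing `', file '.*'(?:, line \d+)?\)$` that pins `<HOST>` to the last attacker group on the line; a one-line comment saying the `$` must stay would protect that against a later "simplification".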
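Review bot: the exim.conf hunk narrows coverage, not just anchoring: the old `\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)` matched any line carrying "Unrouteable address" after the bracketed address, while the new first pattern only matches `sender verify fail for <\S+>: Unrouteable address`, so any other exim message with that text (e.g. a recipient-verify rejection, if squeeze's exim logs one that way) is no longer caught; the `local_scan` form likewise now requires `\S+ F=(<>|\S+@\S+) ` before `%(host_info)s`. Either add anchored variants for the dropped shapes or state the narrowing in the changelog, which currently only says "front-anchored versions picked up from exim.conf and exim-spam.conf". The `# In versions >= 0.8.11 below strings defined in exim-common.conf` comment is useful; note that this file deliberately has no `[INCLUDES]` section, so a reader does not go looking for one.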
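Review bot: in the cyrus-imap.conf hunk, `badlogin: \S+ ?\[<HOST>\]` requires at least one non-space character before the bracketed address, where the old `.*\[<HOST>\]` also matched a line with nothing but `[addr]` after `badlogin:`; if squeeze's cyrus ever logs the client as the bare address (no name), those failures are no longer banned, and `(?:\S+ ?)?\[<HOST>\]` would keep the anchoring without that loss. Two smaller points: the old patterns matched under any syslog tag, whereas `_daemon = (?:cyrus/)?(?:imapd?|pop3d?)` is now a whitelist, so the tags actually used on squeeze should be checked against that alternation; and the `\[?` / `\]?` in `.*?\[?SASL\(-13\): authentication failure: .*\]?$` are independent optionals that do not enforce pairing, which is fine but worth a comment since the four old patterns spelled each form out.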
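Review bot: the couriersmtp.conf hunk adds a hard tail, `: 550 User unknown\.$`, where the old pattern only needed `550 User unknown` somewhere after `relay=<HOST>,`; confirm on a real squeeze courieresmtpd line that the message ends exactly with "User unknown." and that nothing is appended after it, otherwise the `$` drops every match. The remaining `.*` between `relay=<HOST>,` and `: 550` is harmless for host selection here, because `<HOST>` sits directly after `relay=` which itself follows the anchored prefix, so later fields cannot move it.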
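Review bot: in the postfix.conf hunk the part that actually closes CVE-2013-7176 is `RCPT from \S+\[<HOST>\]` replacing `RCPT from (.*)\[<HOST>\]`: `\S+` cannot cross a space, so a bracketed address in a later field (sender, recipient, helo) can no longer be the one picked, whereas the greedy `(.*)` chose the last `[addr]: 554` on the line; a comment saying so would stop someone relaxing it back to `.*` to "fix" a missed line. Separately, the new pattern also requires `NOQUEUE:` and the `554 5\.7\.1` enhanced code while the old one accepted any `554`, which the changelog ("expects postfix/smtpd prefix") does not mention; either list the 554 responses that are meant to be caught or use something like `554 5\.\d+\.\d+ ` if the anchoring was the only goal.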
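Added example, not part of the mail, the debdiff or fail2ban itself: the postfix and cyrus-imap failregexes before and after this debdiff, run with plain Python `re` over constructed log lines, to show the actual problem behind "possible DoS": with the unanchored patterns a bracketed address that an attacker gets into a later field of the same line decides which host fail2ban bans. `%(__prefix_line)s` from common.conf is not on this page, so a simplified syslog prefix stands in for it and for fail2ban's timestamp handling (an assumption), the log lines are constructed rather than captured, and which fields Postfix or Cyrus would really log such a fragment in is likewise assumed. It goes one step beyond the hunks by also running the cyrus line with no client name, to show what the tighter `\S+ ?\[<HOST>\]` costs.

```python
import re

# <HOST> as fail2ban 0.8 expands it; the expansion is quoted in the filter
# header comments in the debdiff above.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def syslog_prefix(daemon):
    # ASSUMPTION: stands in for fail2ban's timestamp stripping plus
    # %(__prefix_line)s from common.conf (not on this page): syslog date,
    # host, then "daemon[pid]: ". Enough to run the anchored patterns on a
    # raw syslog line.
    return r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ " + daemon + r"\[\d+\]: "


# postfix.conf before and after the debdiff (CVE-2013-7176), verbatim
# apart from the substituted prefix.
POSTFIX_OLD = r"reject: RCPT from (.*)\[<HOST>\]: 554"
POSTFIX_NEW = (syslog_prefix(r"postfix/smtpd")
               + r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$")

# cyrus-imap.conf: the first of the four old patterns, and the single new
# one (CVE-2013-7177), again verbatim apart from the prefix.
CYRUS_OLD = (r": badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): "
             r"authentication failure: checkpass failed$")
CYRUS_NEW = (syslog_prefix(r"(?:cyrus/)?(?:imapd?|pop3d?)")
             + r"badlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): "
             r"authentication failure: .*\]?$")


def extract_host(failregex, line):
    """Substitute <HOST> as fail2ban does and return the host the pattern
    would hand to the ban action, or None when the line does not match."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


# Constructed lines (not from the page or from a real server). 203.0.113.7
# is the real client; "[198.51.100.9]: 554" and "[198.51.100.9] plaintext"
# are fragments an attacker has managed to get into a field logged later on
# the same line (assumed here: the envelope sender local part, and the IMAP
# user name). The point is only what each pattern does once such a fragment
# is present.
POSTFIX_LINE = (
    'Jul 20 16:00:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from '
    'unknown[203.0.113.7]: 554 5.7.1 <victim@example.com>: Relay access denied; '
    'from=<"[198.51.100.9]: 554"@example.net> to=<victim@example.com> '
    'proto=ESMTP helo=<example.net>')
CYRUS_LINE = (
    'Jul 20 16:00:01 mx cyrus/imap[2345]: badlogin: client.example.net [203.0.113.7] '
    'plaintext bob [198.51.100.9] plaintext x SASL(-13): authentication failure: '
    'checkpass failed')
# Assumed form for a client without a reverse-DNS name: only the bracketed
# address after "badlogin:".
CYRUS_NO_NAME_LINE = (
    'Jul 20 16:00:02 mx cyrus/imap[2346]: badlogin: [203.0.113.7] plaintext bob '
    'SASL(-13): authentication failure: checkpass failed')


def demo():
    """Return {case: (host the old pattern bans, host the new pattern bans)}."""
    return {
        "postfix": (extract_host(POSTFIX_OLD, POSTFIX_LINE),
                    extract_host(POSTFIX_NEW, POSTFIX_LINE)),
        "cyrus": (extract_host(CYRUS_OLD, CYRUS_LINE),
                  extract_host(CYRUS_NEW, CYRUS_LINE)),
        "cyrus-no-name": (extract_host(CYRUS_OLD, CYRUS_NO_NAME_LINE),
                          extract_host(CYRUS_NEW, CYRUS_NO_NAME_LINE)),
    }


if __name__ == "__main__":
    for case, (old, new) in demo().items():
        print("%-14s old pattern bans %-14s new pattern bans %s" % (case, old, new))
```

For the two injected lines the old patterns return the attacker-supplied 198.51.100.9 (the greedy `.*` settles on the last bracketed address that is followed by the expected text) and the new ones return the real client 203.0.113.7, because `\S+` cannot reach past a space. The third case shows the trade-off the cyrus hunk makes: the old pattern still bans 203.0.113.7 on a line with no client name, the new one does not match it at all.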