Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
unblock fail2ban/0.8.6-3wheezy1 Please unblock package fail2ban -- addressed a CVE (through a cherry-pick from "upstream" changes released in 0.8.8, in experimental). likelihood that anyone running vulnerable version was affected is close to 0, since it requires a custom configuration enabling use of <matches>. Here is a debdiff -- seems to be working fine ;-) ~/deb/builds/fail2ban$ debdiff 0.8.6-3/fail2ban_0.8.6-3.dsc 0.8.6-3wheezy1/fail2ban_0.8.6-3wheezy1.dsc diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog --- fail2ban-0.8.6/debian/changelog +++ fail2ban-0.8.6/debian/changelog @@ -1,3 +1,12 @@ +fail2ban (0.8.6-3wheezy1) unstable; urgency=high + + * CVE-2012-5642: Escape the content of <matches> since its value could + contain arbitrary symbols (Closes: #696184) + * Since package source format remained 1.0, manpages patch + (deb_manpages_reportbug) was not applied -- fold it into .diff.gz + + -- Yaroslav Halchenko <deb...@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500 + fail2ban (0.8.6-3) unstable; urgency=low * Added dovecot section to Debian's jail.conf. Thanks to Laurent diff -u fail2ban-0.8.6/debian/gbp.conf fail2ban-0.8.6/debian/gbp.conf --- fail2ban-0.8.6/debian/gbp.conf +++ fail2ban-0.8.6/debian/gbp.conf @@ -2,7 +2,7 @@ # the default branch for upstream sources: upstream-branch = upstream # the default branch for the debian patch: -debian-branch = debian +debian-branch = debian-releases/wheezy # use pristine-tar pristine-tar = True # the default tag formats used: reverted: --- fail2ban-0.8.6/debian/patches/series +++ fail2ban-0.8.6.orig/debian/patches/series @@ -1 +0,0 @@ -deb_manpages_reportbug reverted: --- fail2ban-0.8.6/debian/patches/deb_manpages_reportbug +++ fail2ban-0.8.6.orig/debian/patches/deb_manpages_reportbug 
@@ -1,28 +0,0 @@ -From: Yaroslav Halchenko <deb...@onerussian.com> -Date: Fri, 8 Feb 2008 00:40:57 -0500 -Subject: tune ups in upstream manpages to direct users to use reportbug - ---- a/man/fail2ban-client.1 -+++ b/man/fail2ban-client.1 -@@ -251,7 +251,8 @@ action <ACT> for <JAIL> - Written by Cyril Jaquier <cyril.jaqu...@fail2ban.org>. - Many contributions by Yaroslav O. Halchenko <deb...@onerussian.com>. - .SH "REPORTING BUGS" --Report bugs to <cyril.jaqu...@fail2ban.org> -+Please report bugs via Debian bug tracking system -+http://www.debian.org/Bugs/. - .SH COPYRIGHT - Copyright \(co 2004-2008 Cyril Jaquier - .br ---- a/man/fail2ban-server.1 -+++ b/man/fail2ban-server.1 -@@ -35,7 +35,8 @@ print the version - Written by Cyril Jaquier <cyril.jaqu...@fail2ban.org>. - Many contributions by Yaroslav O. Halchenko <deb...@onerussian.com>. - .SH "REPORTING BUGS" --Report bugs to <cyril.jaqu...@fail2ban.org> -+Please report bugs via Debian bug tracking system -+http://www.debian.org/Bugs/. - .SH COPYRIGHT - Copyright \(co 2004-2008 Cyril Jaquier - .br only in patch2: unchanged: --- fail2ban-0.8.6.orig/man/fail2ban-server.1 +++ fail2ban-0.8.6/man/fail2ban-server.1 @@ -35,7 +35,8 @@ Written by Cyril Jaquier <cyril.jaqu...@fail2ban.org>. Many contributions by Yaroslav O. Halchenko <deb...@onerussian.com>. .SH "REPORTING BUGS" -Report bugs to <cyril.jaqu...@fail2ban.org> +Please report bugs via Debian bug tracking system +http://www.debian.org/Bugs/. .SH COPYRIGHT Copyright \(co 2004-2008 Cyril Jaquier .br only in patch2: unchanged: --- fail2ban-0.8.6.orig/man/fail2ban-client.1 +++ fail2ban-0.8.6/man/fail2ban-client.1 
@@ -251,7 +251,8 @@ Written by Cyril Jaquier <cyril.jaqu...@fail2ban.org>. Many contributions by Yaroslav O. Halchenko <deb...@onerussian.com>. .SH "REPORTING BUGS" -Report bugs to <cyril.jaqu...@fail2ban.org> +Please report bugs via Debian bug tracking system +http://www.debian.org/Bugs/. .SH COPYRIGHT Copyright \(co 2004-2008 Cyril Jaquier .br only in patch2: unchanged: --- fail2ban-0.8.6.orig/server/action.py +++ fail2ban-0.8.6/server/action.py @@ -230,7 +230,14 @@ def execActionStop(self): stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) return Action.executeCmd(stopCmd) - + + def escapeTag(tag): + for c in '\\#&;`|*?~<>^()[]{}$\n': + if c in tag: + tag = tag.replace(c, '\\' + c) + return tag + escapeTag = staticmethod(escapeTag) + ## # Replaces tags in query with property values in aInfo. # @@ -243,8 +250,13 @@ """ Replace tags in query """ string = query - for tag in aInfo: - string = string.replace('<' + tag + '>', str(aInfo[tag])) + for tag, value in aInfo.iteritems(): + value = str(value) # assure string + if tag == 'matches': + # That one needs to be escaped since its content is + # out of our control + value = Action.escapeTag(value) + string = string.replace('<' + tag + '>', value) # New line string = string.replace("<br>", '\n') return string -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130103050457.1843.60603.report...@novo.onerussian.com
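Review bot: escapeTag() (action.py, first hunk) leaves both quote characters out of its character set, so a `"` or `'` arriving in <matches> still terminates whatever quoting an action file wraps the tag in; the escaped `;`, `|` and `&` stop a second command from being started, but the remaining words of the log line then become extra arguments to the action's own command, and in a single-quoted context backslash escaping has no effect at all. Suggest adding `"` and `'` to the loop's string and stating in a comment that the escaping is only meaningful for unquoted or double-quoted use of <matches>. Two smaller points on the same lines: the comment should also record that `\\` must stay first in the string (pre-existing backslashes are doubled before the other escapes are added, which is what makes the result unambiguous), and a unit test for escapeTag() with a round-trip through `sh -c 'printf %s'` would pin that ordering down.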
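Review bot: the `if tag == 'matches':` special case in replaceTag (action.py, second hunk) hard-codes the single tag currently known to carry raw log text, so any other tag later populated from log-derived data silently inherits the old unescaped behaviour. Consider inverting the default (escape everything except a small explicit set of tags such as <ip>, <name> and <port> whose values fail2ban itself constructs) or at least add a comment naming that assumption next to `# out of our control`. Also note that in the double-quoted actions the backslashes inserted before `#`, `;`, `[` and similar characters survive into the mail body, since the shell only strips `\` before `$`, backtick, `"`, `\` and newline inside double quotes; that is cosmetic rather than a security problem but worth a line in the changelog or action files.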
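Added example, not from the unblock request or from fail2ban itself: a Python 3 port of the escaping logic beside the pre-fix substitution, run against a constructed action template and constructed sshd log lines, with a check that the command-substitution openers the shell honours even inside double quotes (`$(` and backticks) are neutralised. ACTION_BAN, the log lines and all helper names are assumptions for illustration only.

```python
"""
Added example (not fail2ban code): why <matches> must be escaped before it is
substituted into an action's shell command, and a check that the backslash
escaping neutralises command substitution inside a double-quoted template.
"""
import re

# Character set escaped by the fix; '\\' is first so that pre-existing
# backslashes are doubled before the other escapes are added.
SHELL_META = '\\#&;`|*?~<>^()[]{}$\n'

# Openers of command substitution that the shell expands even inside double
# quotes; a preceding backslash turns them into literal characters.
_UNESCAPED_SUBST = re.compile(r'(?<!\\)(\$\(|`)')


def escape_tag(tag: str) -> str:
    """Backslash-escape shell metacharacters (same set and order as the fix)."""
    for c in SHELL_META:
        if c in tag:
            tag = tag.replace(c, '\\' + c)
    return tag


def replace_tags(query: str, info: dict, escape_matches: bool = True) -> str:
    """Substitute <tag> placeholders in an action command.

    With escape_matches=False this is the pre-fix behaviour: the <matches>
    value (raw log lines, attacker-influenced) is pasted in verbatim.
    """
    out = query
    for tag, value in info.items():
        value = str(value)  # assure string
        if tag == 'matches' and escape_matches:
            value = escape_tag(value)
        out = out.replace('<' + tag + '>', value)
    return out.replace('<br>', '\n')


def unescaped_substitutions(cmd: str) -> list:
    """Return every '$(' or backtick in cmd that the shell would still honour."""
    return _UNESCAPED_SUBST.findall(cmd)


# Constructed action template in the style of the mail-based actions
# (hypothetical, not a real action file): <matches> ends up inside double
# quotes, where $( ) and backticks are still expanded by the shell.
ACTION_BAN = ('printf %b "Banned <ip>\\nMatches:\\n<matches>\\n" '
              '| mail -s "[Fail2Ban] ban" root')

# Constructed log lines as they would reach <matches>. The user name is chosen
# by the remote client, so those bytes are attacker-controlled.
MALICIOUS_MATCHES = (
    'Jan  3 05:04:57 host sshd[1234]: Failed password for invalid user '
    '$(touch /tmp/pwned) from 198.51.100.7 port 2222 ssh2\n'
    'Jan  3 05:04:58 host sshd[1234]: Failed password for invalid user '
    '`id` from 198.51.100.7 port 2222 ssh2'
)


def demo():
    """Build the pre-fix and post-fix commands for the constructed ban event."""
    info = {'ip': '198.51.100.7', 'matches': MALICIOUS_MATCHES}
    vulnerable = replace_tags(ACTION_BAN, info, escape_matches=False)
    fixed = replace_tags(ACTION_BAN, info)
    return vulnerable, fixed


if __name__ == '__main__':
    vuln_cmd, fixed_cmd = demo()
    print('pre-fix command still honours:', unescaped_substitutions(vuln_cmd))
    print('post-fix command still honours:', unescaped_substitutions(fixed_cmd))
    print(fixed_cmd)
```

Running the block prints the two substitution results: the pre-fix command still carries a live `$(` and two backticks, the post-fix one carries none, because every opener is now preceded by a backslash. The same `unescaped_substitutions` check can be pointed at any generated action command from a fail2ban log to confirm a deployment is past the fix.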