Re: fail2ban (0.8.4-3+squeeze2)
On Mon, Jun 02, 2014 at 11:10:54PM +0200, matteo filippetto wrote:
> Hi,
>
> I was looking at CVE-2009-5023 of fail2ban: as reported in this page
> https://security-tracker.debian.org/tracker/source-package/fail2ban
> squeeze should be vulnerable.
>
> But looking at the code (apt-get source fail2ban) I saw no evidence of
> the bug...so I installed fail2ban and the config files (
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544232 ) are
> correct (i.e. use /var/run/failban and not /tmp )
>
> Moreover
>
> http://metadata.ftp-master.debian.org/changelogs//main/f/fail2ban/fail2ban_0.8.4-3+squeeze2_changelog
>
> states that #544232 was closed in fail2ban (0.8.4-3+squeeze1).
>
> Maybe I'm wrong ... if so, please tell me what I'm missing.
You're right, the security tracker data is incomplete here. Do you want
to update the data yourself?
If so, please create an Alioth handle and tell us the username (it should
end in -guest if you're not a DD). Then make an SVN checkout and edit
the squeeze entry for CVE-2009-5023 in data/CVE/list (the format is explained
in greater detail in https://security-tracker.debian.org/tracker/data/report
Cheers,
Moritz
Reply to: