Debian Security Advisory
DLA-0021-1 fail2ban -- LTS security update
- Date Reported:
- 26 Jul 2014
- Affected Packages:
- fail2ban
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2013-7176, CVE-2013-7177.
- More information:
- Use anchored failregex for filters to avoid possible DoS. Manually picked up from the current status of the 0.8 branch (as of 0.8.13-29-g09b2016):
  - CVE-2013-7176: postfix.conf - anchored on the front, expects "postfix/smtpd" prefix in the log line
  - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and refactored to have a single failregex
  - couriersmtp.conf - anchored on both sides
  - exim.conf - front-anchored versions picked up from exim.conf and exim-spam.conf
  - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf (copied from the Wheezy version)
- Catch also failed logins via secured (imaps/pop3s) for cyrus-imap. Regression was introduced while strengthening failregex in 0.8.11 (bd175f), Debian bug #755173
- cyrus-imap: catch "user not found" attempts
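To show why the front anchoring above matters, the following is a simplified, constructed illustration added to this page: the two regexes are stand-ins written for the example, not fail2ban's actual postfix.conf filter, and the log lines are made up. An unanchored failregex picks a host out of any line that merely contains a reject-shaped fragment, while the front-anchored form only accepts lines that genuinely begin with the postfix/smtpd prefix.

```python
import re

# fail2ban replaces the <HOST> tag with a named group; this is a simplified
# constructed stand-in covering plain IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed, simplified filters (not the real postfix.conf). The log line is
# assumed to already have its timestamp stripped, as fail2ban does before matching.
# Unanchored: the reject record may appear anywhere in the line, so a copy of it
# embedded in some other daemon's log field would also be matched.
UNANCHORED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]"
)
# Front-anchored: the line itself must begin with the syslog hostname followed by
# the "postfix/smtpd[pid]:" prefix, so only a genuine smtpd record can match.
ANCHORED = re.compile(
    r"^\S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]"
)


def extract_host(regex, line):
    """Return the host a filter would ban for this line, or None (fail2ban uses search())."""
    m = regex.search(line)
    return m.group("host") if m else None


def scan(regex, lines):
    """Hosts the given filter would hand to the ban action over a batch of lines."""
    return [h for h in (extract_host(regex, line) for line in lines) if h]


# Constructed sample lines. GENUINE is a real-looking smtpd reject; OTHER_DAEMON is
# a different service logging a client-supplied field that happens to contain text
# shaped like a reject record naming an unrelated address.
GENUINE = ("mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]:"
           " 554 5.7.1 Relay access denied")
OTHER_DAEMON = ("mail dovecot: imap-login: Disconnected (auth failed): user=<postfix/smtpd[1]:"
                " NOQUEUE: reject: RCPT from x[198.51.100.9]>, rip=203.0.113.7")

if __name__ == "__main__":
    print("unanchored:", scan(UNANCHORED, [GENUINE, OTHER_DAEMON]))  # both addresses
    print("anchored:  ", scan(ANCHORED, [GENUINE, OTHER_DAEMON]))    # only 203.0.113.7
```

The unanchored filter would ban 198.51.100.9 on the strength of text that never came from smtpd; the anchored one ignores that line entirely.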
For Debian 6 Squeeze, these issues have been fixed in fail2ban version 0.8.4-3+squeeze3.