Thank you my consciousness ;) Just a note: this issue is very unlikely to hit anyone since
<matches> is not used by default in any shipped action file and it was only recently introduced, so I doubt it was adopted by more than a handful of deployments. But indeed -- wheezy should get a patched version. Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8 from sid or backports from the neuro.debian.net repository.

Cheers,

On Mon, 17 Dec 2012, Henri Salo wrote:

> Package: fail2ban
> Version: 0.8.6-3
> Severity: important
>
> Information from CVE request:
> http://www.openwall.com/lists/oss-security/2012/12/17/1
>
> The release notes for fail2ban 0.8.8 indicate:
>
> * [83109bc] IMPORTANT: escape the content of <matches> (if used in
>   custom action files) since its value could contain arbitrary
>   symbols. Thanks for discovery go to the NBS System security
>   team
>
> This could cause issues on the system running fail2ban as it scans log
> files, depending on what content is matched. There isn't much more
> detail about this issue than what is described above, so I think it may
> largely depend on the type of regexp used (what it matches) and the
> contents of the log file being scanned (whether or not an attacker could
> insert something that could be used in a malicious way).
>
> References:
> https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
> http://sourceforge.net/mailarchive/message.php?msg_id=30193056
> https://github.com/fail2ban/fail2ban/commit/83109bc
> https://bugzilla.redhat.com/show_bug.cgi?id=887914
> https://bugs.gentoo.org/show_bug.cgi?id=447572
>
> - Henri Salo

-- 
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
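As an added illustration of the risk Henri describes (not code from this thread and not fail2ban's own implementation): a simplified model of tag substitution into an actionban command line, once with the raw <matches> value and once shell-quoted, plus a tokeniser check that reports unquoted control operators. The action template and the log content are constructed, and shlex.quote stands in for whatever escaping commit 83109bc applies.

```python
import re
import shlex

# Constructed example in the style of a fail2ban action file's actionban
# line: <tag> placeholders are substituted before the string reaches a shell.
# Simplified model written for this note, not fail2ban's own code.
ACTIONBAN = "logger -t fail2ban banned <ip> matched <matches>"

# Constructed tag values: <matches> carries the matched log line verbatim, so
# anything that ended up in the log (here a client-chosen username) does too.
TAGS = {
    "ip": "192.0.2.10",
    "matches": "Invalid user test; echo injected from 192.0.2.10",
}

TAG_RE = re.compile(r"<(\w+)>")


def substitute(template, tags, escape):
    """Replace each <tag> with its value.

    escape=False is the pre-0.8.8 pattern: the raw value is spliced in.
    escape=True single-quotes the value so the shell sees one argument
    (shlex.quote stands in for fail2ban's own escaping here).
    """
    def repl(match):
        value = tags.get(match.group(1))
        if value is None:
            return match.group(0)  # unknown tag: leave the placeholder as-is
        return shlex.quote(value) if escape else value
    return TAG_RE.sub(repl, template)


def shell_control_tokens(command):
    """Tokenise like a POSIX shell and return unquoted control operators.

    A non-empty list means a substituted value broke out of its argument and
    changed the command's structure; quoted operators stay inside their token.
    Needs Python 3.8+ for whitespace_split together with punctuation_chars.
    """
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # a '#' in log content must not swallow the rest
    return [tok for tok in lex if tok in (";", "|", "&", "&&", "||")]


if __name__ == "__main__":
    for escape in (False, True):
        cmd = substitute(ACTIONBAN, TAGS, escape)
        print(f"escape={escape}: {cmd}\n  control operators: {shell_control_tokens(cmd)}")
```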