Hi Yaroslav,

> I am emailing you since you are among the ones who raised the concern
> about issues in fail2ban 0.7.5-2 which is currently in etch.

I've taken a look as a member of the security team. Given your changelog:

* NOT RELEASED YET
* Propagated fix for asctime pattern from 0.7.8 release (closes: #421848)

I do not see the security implications of this bug.

* Propagated fix for not closed log files from 0.7.8-1 (closes: #439962,434368)

Surely a critical bug, but does it have security implications?

* Propagated fix for "reload" bug which is as severe as #439962 and just never was hit by any Debian user yet

It's unclear to me what issue this is exactly.

* Added patch 00_numeric_iptables-L to avoid possible DoS attacks (introduced upstream in 0.7.6)

This sounds security-related.

* Propagated "Fixed removal of host in hosts.deny" from 0.7.6, to prevent possible DoS

Also security-related.

* Rigid call to python2.4 instead of via /usr/bin/env to prevent in-the-middle attack via environment poisoning

Is this theoretical or is it a realistic scenario? Can you give an example?

* Anchored sshd and vsftpd failregex at the end of line to prevent DoS on those services, which is related to CVE-2007-4321 and closed in sid 438187.

This is also a security issue.

So concluding, this update seems to mix security and non-security issues, and that is not acceptable to us. For an update through security.debian.org you need to make a version that only includes real security fixes. Other critical fixes can be sent for review to the stable release managers at [EMAIL PROTECTED].

thanks,
Thijs
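The failregex anchoring item in the thread above (the CVE-2007-4321 class of problem) is easiest to see with a concrete log line. The following is an added example, not code from the thread or from fail2ban itself: the two regexes are illustrative stand-ins for an unanchored and an end-of-line-anchored sshd failregex (they are not fail2ban's shipped patterns), and the log lines are constructed. The attack is that sshd logs the client-supplied username verbatim, so a username containing "from <ip>" lets an attacker choose which address the unanchored pattern extracts and therefore which host gets banned.

```python
import re

# Capture group standing in for fail2ban's <HOST> placeholder (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Illustrative pattern pair (assumption, not fail2ban's real failregex):
#  - UNANCHORED stops matching as soon as it has seen one "from <ip>", so
#    anything the attacker appends after a fake "from <ip>" is ignored.
#  - ANCHORED requires the host to be the last thing on the line, so the
#    greedy ".*" swallows the attacker-controlled username, fake "from" included,
#    and the real peer address (written by sshd at the end) is what gets captured.
UNANCHORED = re.compile(r"Invalid user \S+ from " + HOST)
ANCHORED = re.compile(r"Invalid user .* from " + HOST + r"$")

# Constructed sample lines (simplified sshd "Invalid user" format, no port field).
REAL_PEER = "203.0.113.5"   # address sshd actually saw the connection from
VICTIM = "192.0.2.1"        # address the attacker wants banned
HONEST_LINE = f"Aug 20 10:00:01 host sshd[1234]: Invalid user bob from {REAL_PEER}"
# Attacker logs in with the username "bob from 192.0.2.1"; sshd writes it verbatim.
CRAFTED_LINE = (f"Aug 20 10:00:02 host sshd[1235]: "
                f"Invalid user bob from {VICTIM} from {REAL_PEER}")


def extract_host(pattern, line):
    """Return the <host> a failregex would hand to the ban action, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def hosts_to_ban(pattern, lines):
    """Simulate the filter: every matching line yields one host to ban."""
    return [h for h in (extract_host(pattern, l) for l in lines) if h is not None]


if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, hosts_to_ban(pat, [HONEST_LINE, CRAFTED_LINE]))
```

With the unanchored pattern the crafted line bans the victim address the attacker chose; with the end-of-line anchor both lines ban the real peer, which is the only address the attacker cannot spoof. Note that the anchor only helps because sshd writes its own trusted fields after the username; the same anchoring fix has to be checked per daemon and per log format, which is why the changelog lists sshd and vsftpd separately.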