Hi Yaroslav,

On Saturday 29 December 2007 04:01, Yaroslav Halchenko wrote:
> I would like to pursue a security upload of security-related fixes to etch's
> version of fail2ban.
>
> I am attaching a tentative diff on top of etch's version.
>
> Thijs already had a look and raised his concern about a few changes I have
> included in this upload. I have provided my reasoning behind them, but
> unfortunately our discussion stalled, thus I decided to buzz the entire
> security team. You can get through our discussion at the bug report
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439962
I'm sorry for the delay in taking this issue on. Here's my response to your
patch. In short, I think most issues are more relevant to a stable update than
to a security update.

+ * NOT RELEASED YET
+ * Propagated fix for asctime pattern from 0.7.8 release (closes: #421848)

As you say yourself in that bug report: it's not really a security issue and
only for a specific filter of Apache. This may be a candidate for a stable
update (check with the SRM) but please leave it out of the security update.

+ * Propagated fix for not closed log files from 0.7.8-1
+ (closes: #439962,434368)
+ * Propagated fix for "reload" bug which is as sever as #439962 and just
+ never was hit by any Debian user yet

As you said in your other mail, these issues are related to fail2ban stalling
upon reload. That is a serious bug but not a security issue. Of course fail2ban
not functioning in itself can be considered a security issue because it's
specifically designed to prevent other attacks. However, there's no concrete
attack possible because of fail2ban failing to ban.

+ * Added patch 00_numeric_iptables-L to avoid possible DoS attacks
+ (introduced upstream in 0.7.6)

If I understand this correctly, this makes iptables not do DNS lookups. While
that's obviously a useful fix, I think it's not a serious security issue.
There are lots of services doing one or more DNS lookups when something
external connects to them, and skipping that where possible is good, but not
something I would add to a security update, I'm sorry. Again, maybe the SRMs
are willing to include this.

+ * Propagated "Fixed removal of host in hosts.deny" from 0.7.6, to prevent
+ possible DoS

This fix seems appropriate for a security update.

+ * Rigid call to python2.4 instead of via /usr/bin/env to prevent
+ in-the-middle attack via environment poisoning

I think this is out of scope for a security update, or even a stable update if
you ask me.
Please do not include it in the security update at least, and discuss with the
stable release team if you want it included in etch still.

+ * Anchored sshd and vsftpd failregex at the end of line to prevent DoS on
+ those services, which is related to CVE-2007-4321 and closed in sid
+ 438187.

This is a good fix and it should be included.

Concluding: please prepare a package for stable with the two mentioned issues
fixed (please include the relevant CVE id and bug numbers in the changelog) and
send us the debdiff for a last review. Then, if all is right, put the rest of
the changes into a new version and propose that to the SRMs.

Thank you for your work!


Thijs
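Review bot: the changelog entry for the "reload" fix carries a typo, "as sever as #439962" should read "as severe as #439962"; and the bug list in the entry above it, "(closes: #439962,434368)", is easier to read and consistent with the other entries if each number gets its own hash and a space after the comma, "(closes: #439962, #434368)".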