[DLA-0021-1] fail2ban security update

ID DEBIAN:DLA-0021-1:46361
Type debian
Reporter Debian
Modified 2014-07-26T10:35:59


Package        : fail2ban
Version        : 0.8.4-3+squeeze3
CVE ID         : CVE-2013-7176 CVE-2013-7177

  • Use anchored failregex for filters to avoid a possible DoS (an unanchored pattern can match attacker-influenced text anywhere in a log line). Manually picked up from the current state of the 0.8 branch (as of 0.8.13-29-g09b2016):
    • CVE-2013-7176: postfix.conf - anchored on the front, expects "postfix/smtpd" prefix in the log line
    • CVE-2013-7177: cyrus-imap.conf - anchored on the front, and refactored to have a single failregex
    • couriersmtp.conf - anchored on both sides
    • exim.conf - front-anchored versions picked up from exim.conf and exim-spam.conf
    • lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf (copied from the Wheezy version)
  • Also catch failed logins via secured connections (imaps/pop3s) for cyrus-imap. The regression was introduced while strengthening the failregex in 0.8.11 (bd175f); Debian bug #755173
  • cyrus-imap: catch "user not found" attempts
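To illustrate why the front-anchoring above matters, the following is an added example, not fail2ban's own code or filter definitions: a simplified stand-in for the postfix failregex, in unanchored and front-anchored form, run over constructed log lines. The `<HOST>` substitution and the syslog/"postfix/smtpd" prefix pattern are simplified assumptions, not fail2ban's exact regexes.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag expansion (assumption:
# fail2ban's real expansion is more elaborate and also handles IPv6 forms).
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# Unanchored pattern: matches the reject phrase anywhere in a line,
# whichever daemon wrote the line and whatever surrounds the phrase.
UNANCHORED = r"reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1"

# Front-anchored pattern: the line must start with a syslog timestamp,
# a hostname and the "postfix/smtpd[pid]:" prefix, as the advisory describes.
PREFIX = r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
ANCHORED = PREFIX + r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1"


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the filter, like a filter loader would."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregex, lines):
    """Return the hosts a failregex would extract (and a jail would ban) from lines."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample log lines (not real logs).
LOG_LINES = [
    # A genuine postfix reject: both patterns should report 192.0.2.10.
    "Jul 26 10:35:59 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <spam@example.org>: Relay access denied",
    # Another service logging client-supplied text that contains the same
    # phrase. The unanchored filter treats it as a reject and would ban the
    # embedded address; the anchored filter ignores it.
    "Jul 26 10:36:01 mx1 webapp[555]: user comment: "
    "\"reject: RCPT from x[203.0.113.5]: 554 5.7.1 hello\"",
]

if __name__ == "__main__":
    print("unanchored:", matched_hosts(UNANCHORED, LOG_LINES))
    print("anchored:  ", matched_hosts(ANCHORED, LOG_LINES))
```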