Your message dated Mon, 24 Dec 2012 18:32:33 +0000
with message-id <[email protected]>
and subject line Bug#696184: fixed in fail2ban 0.8.6-3wheezy1
has caused the Debian Bug report #696184,
regarding fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
696184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696184
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.8.6-3
Severity: important

Information from CVE request: 
http://www.openwall.com/lists/oss-security/2012/12/17/1

The release notes for fail2ban 0.8.8 indicate:

    * [83109bc] IMPORTANT: escape the content of <matches> (if used in
      custom action files) since its value could contain arbitrary
      symbols.  Thanks for discovery go to the NBS System security
      team

This could cause issues on the system running fail2ban as it scans log
files, depending on what content is matched.  There isn't much more
detail about this issue than what is described above, so I think it may
largely depend on the type of regexp used (what it matches) and the
contents of the log file being scanned (whether or not an attacker could
insert something that could be used in a malicious way).

References:
https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
http://sourceforge.net/mailarchive/message.php?msg_id=30193056
https://github.com/fail2ban/fail2ban/commit/83109bc
https://bugzilla.redhat.com/show_bug.cgi?id=887914
https://bugs.gentoo.org/show_bug.cgi?id=447572

- Henri Salo

--- End Message ---
--- Begin Message ---
Source: fail2ban
Source-Version: 0.8.6-3wheezy1

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <[email protected]> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 17 Dec 2012 13:19:32 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.6-3wheezy1
Distribution: unstable
Urgency: high
Maintainer: Yaroslav Halchenko <[email protected]>
Changed-By: Yaroslav Halchenko <[email protected]>
Description: 
 fail2ban   - ban hosts that cause multiple authentication errors
Closes: 696184
Changes: 
 fail2ban (0.8.6-3wheezy1) unstable; urgency=high
 .
   * CVE-2012-5642: Escape the content of <matches> since its value could
     contain arbitrary symbols (Closes: #696184)
   * Since package source format remained 1.0, manpages patch
     (deb_manpages_reportbug) was not applied -- fold it into .diff.gz
Checksums-Sha1: 
 b331ee66f0de34feaf74037836f2afdaeeeecf1e 1271 fail2ban_0.8.6-3wheezy1.dsc
 e1c0a268ee1abf8d15bcbab67247285028b2df3e 29532 fail2ban_0.8.6-3wheezy1.diff.gz
 c1526f63e671bba7271c3d99f931fe1fb91c8255 103714 fail2ban_0.8.6-3wheezy1_all.deb
Checksums-Sha256: 
 fc196fb63db5f0bd0d659b4a3cfdb27fa030f8b0ec46231cfc0e2abc231aaf6e 1271 fail2ban_0.8.6-3wheezy1.dsc
 1d2500643295f5f541e6fbb9e2139fa012058703ee924bf19d791e6dc733e10f 29532 fail2ban_0.8.6-3wheezy1.diff.gz
 91ae4d5643780d9d7ac2c00d89328a47e21bbcdc973209c1fa1bfac9a8c672f8 103714 fail2ban_0.8.6-3wheezy1_all.deb
Files: 
 2570fe65017b98f97aa37541ec6b0bf1 1271 net optional fail2ban_0.8.6-3wheezy1.dsc
 eee20e38a11dd704502c346fe99ee7b6 29532 net optional fail2ban_0.8.6-3wheezy1.diff.gz
 8c337176e6cf5d1468f9e6cddadccb68 103714 net optional fail2ban_0.8.6-3wheezy1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDYnB8ACgkQjRFFY3XAJMhN6wCeIgOK3MjebjHyio2C8BjdBc2E
SsYAoLKF1R9TwVSvRo4rQ1rraa+A4n4K
=gwjY
-----END PGP SIGNATURE-----

--- End Message ---