Your message dated Fri, 04 Jan 2013 19:16:29 +0000
with message-id <[email protected]>
and subject line Re: Bug#697258: unblock: fail2ban/0.8.6-3wheezy1
has caused the Debian Bug report #697258,
regarding unblock: fail2ban/0.8.6-3wheezy1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
697258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697258
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
unblock fail2ban/0.8.6-3wheezy1
Please unblock package fail2ban -- addressed a CVE (through a cherry-pick from
"upstream" changes released in 0.8.8, in experimental). likelihood that anyone
running vulnerable version was affected is close to 0, since it requires a
custom configuration enabling use of <matches>. Here is a debdiff -- seems to
be working fine ;-)
~/deb/builds/fail2ban$ debdiff 0.8.6-3/fail2ban_0.8.6-3.dsc
0.8.6-3wheezy1/fail2ban_0.8.6-3wheezy1.dsc
diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog
--- fail2ban-0.8.6/debian/changelog
+++ fail2ban-0.8.6/debian/changelog
@@ -1,3 +1,12 @@
+fail2ban (0.8.6-3wheezy1) unstable; urgency=high
+
+ * CVE-2012-5642: Escape the content of <matches> since its value could
+ contain arbitrary symbols (Closes: #696184)
+ * Since package source format remained 1.0, manpages patch
+ (deb_manpages_reportbug) was not applied -- fold it into .diff.gz
+
+ -- Yaroslav Halchenko <[email protected]> Mon, 17 Dec 2012 13:19:32 -0500
+
fail2ban (0.8.6-3) unstable; urgency=low
* Added dovecot section to Debian's jail.conf. Thanks to Laurent
diff -u fail2ban-0.8.6/debian/gbp.conf fail2ban-0.8.6/debian/gbp.conf
--- fail2ban-0.8.6/debian/gbp.conf
+++ fail2ban-0.8.6/debian/gbp.conf
@@ -2,7 +2,7 @@
# the default branch for upstream sources:
upstream-branch = upstream
# the default branch for the debian patch:
-debian-branch = debian
+debian-branch = debian-releases/wheezy
# use pristine-tar
pristine-tar = True
# the default tag formats used:
reverted:
--- fail2ban-0.8.6/debian/patches/series
+++ fail2ban-0.8.6.orig/debian/patches/series
@@ -1 +0,0 @@
-deb_manpages_reportbug
reverted:
--- fail2ban-0.8.6/debian/patches/deb_manpages_reportbug
+++ fail2ban-0.8.6.orig/debian/patches/deb_manpages_reportbug
@@ -1,28 +0,0 @@
-From: Yaroslav Halchenko <[email protected]>
-Date: Fri, 8 Feb 2008 00:40:57 -0500
-Subject: tune ups in upstream manpages to direct users to use reportbug
-
---- a/man/fail2ban-client.1
-+++ b/man/fail2ban-client.1
-@@ -251,7 +251,8 @@ action <ACT> for <JAIL>
- Written by Cyril Jaquier <[email protected]>.
- Many contributions by Yaroslav O. Halchenko <[email protected]>.
- .SH "REPORTING BUGS"
--Report bugs to <[email protected]>
-+Please report bugs via Debian bug tracking system
-+http://www.debian.org/Bugs/.
- .SH COPYRIGHT
- Copyright \(co 2004-2008 Cyril Jaquier
- .br
---- a/man/fail2ban-server.1
-+++ b/man/fail2ban-server.1
-@@ -35,7 +35,8 @@ print the version
- Written by Cyril Jaquier <[email protected]>.
- Many contributions by Yaroslav O. Halchenko <[email protected]>.
- .SH "REPORTING BUGS"
--Report bugs to <[email protected]>
-+Please report bugs via Debian bug tracking system
-+http://www.debian.org/Bugs/.
- .SH COPYRIGHT
- Copyright \(co 2004-2008 Cyril Jaquier
- .br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/man/fail2ban-server.1
+++ fail2ban-0.8.6/man/fail2ban-server.1
@@ -35,7 +35,8 @@
Written by Cyril Jaquier <[email protected]>.
Many contributions by Yaroslav O. Halchenko <[email protected]>.
.SH "REPORTING BUGS"
-Report bugs to <[email protected]>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier
.br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/man/fail2ban-client.1
+++ fail2ban-0.8.6/man/fail2ban-client.1
@@ -251,7 +251,8 @@
Written by Cyril Jaquier <[email protected]>.
Many contributions by Yaroslav O. Halchenko <[email protected]>.
.SH "REPORTING BUGS"
-Report bugs to <[email protected]>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier
.br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/server/action.py
+++ fail2ban-0.8.6/server/action.py
@@ -230,7 +230,14 @@
def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
##
# Replaces tags in query with property values in aInfo.
#
@@ -243,8 +250,13 @@
""" Replace tags in query
"""
string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = Action.escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
On Thu, 2013-01-03 at 00:04 -0500, Yaroslav Halchenko wrote:
> Please unblock package fail2ban -- addressed a CVE (through a cherry-pick from
> "upstream" changes released in 0.8.8, in experimental). likelihood that
> anyone
> running vulnerable version was affected is close to 0, since it requires a
> custom configuration enabling use of <matches>. Here is a debdiff -- seems
> to
> be working fine ;-)
Unblocked; thanks.
Regards,
Adam
--- End Message ---
