Bug#991189: unblock: fail2ban/0.11.2-2

[Salvatore Bonaccorso]

Control: tags -1 - moreinfo

Hi Graham,

On Sat, Jul 17, 2021 at 01:58:57PM +0200, Graham Inggs wrote:
> Control: tags -1 + moreinfo
> 
> Hi Salvatore
> 
> On Fri, 16 Jul 2021 at 21:24, Salvatore Bonaccorso  wrote:
> > fail2ban is affected by CVE-2021-32749, see detailed advisory in
> > https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm,
> > which is a possible remote code execution vulnerability in the mailing
> > action mail-whois.
> 
> fail2ban (0.11.2-2) unstable; urgency=high
> 
>   * Fix a problem with mail
> 
>  -- Sylvestre Ledru   Mon, 12 Jul 2021 06:52:40 +0200
> 
> Would it be better to have the CVE mentioned in the changelog?

Right, the description could have been more descriptive but is caused
by the following: The issue was not yet public at the time of the
upload, nor the CVE, but upstream was fine to Debian first issue an
update and then publish the GHSA. This was the reason that the
changelog entry gives not detail on what is wrong with mail.

We could re-trospectively ask for -3 with a more descriptive changelog
entry and include the CVE, but I would suggest to just unblock what we
have.

Regards,
Salvatore

Bug#991189: unblock: fail2ban/0.11.2-2

[Graham Inggs]

Control: tags -1 + moreinfo

Hi Salvatore

On Fri, 16 Jul 2021 at 21:24, Salvatore Bonaccorso  wrote:
> fail2ban is affected by CVE-2021-32749, see detailed advisory in
> https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm,
> which is a possible remote code execution vulnerability in the mailing
> action mail-whois.

fail2ban (0.11.2-2) unstable; urgency=high

  * Fix a problem with mail

 -- Sylvestre Ledru   Mon, 12 Jul 2021 06:52:40 +0200

Would it be better to have the CVE mentioned in the changelog?

Regards
Graham

Bug#991189: unblock: fail2ban/0.11.2-2

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,t...@security.debian.org,sylves...@debian.org

Hi Release Team!

Please unblock package fail2ban

fail2ban is affected by CVE-2021-32749, see detailed advisory in
https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm,
which is a possible remote code execution vulnerability in the mailing
action mail-whois.

The idea is to have it fixed in the upper suite first, later for
buster a point release update could follow.

unblock fail2ban/0.11.2-2

Regards,
Salvatore
diff -Nru fail2ban-0.11.2/debian/changelog fail2ban-0.11.2/debian/changelog
--- fail2ban-0.11.2/debian/changelog2020-11-26 13:47:53.0 +0100
+++ fail2ban-0.11.2/debian/changelog2021-07-12 06:52:40.0 +0200
@@ -1,3 +1,9 @@
+fail2ban (0.11.2-2) unstable; urgency=high
+
+  * Fix a problem with mail
+
+ -- Sylvestre Ledru   Mon, 12 Jul 2021 06:52:40 +0200
+
 fail2ban (0.11.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru fail2ban-0.11.2/debian/patches/fix-mail.patch 
fail2ban-0.11.2/debian/patches/fix-mail.patch
--- fail2ban-0.11.2/debian/patches/fix-mail.patch   1970-01-01 
01:00:00.0 +0100
+++ fail2ban-0.11.2/debian/patches/fix-mail.patch   2021-07-12 
06:50:21.0 +0200
@@ -0,0 +1,147 @@
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf  | 2 +-
+ config/action.d/mail-buffered.conf| 8 
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf   | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c..4d73b058 100644
+--- a/config/action.d/complain.conf
 b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef3..3d5a7a53 100644
+--- a/config/action.d/dshield.conf
 b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf 
b/config/action.d/mail-buffered.conf
+index 325f185b..79b84104 100644
+--- a/config/action.d/mail-buffered.conf
 b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+   The jail  has been started successfully.\n
+   Output will be buffered until  lines are available.\n
+   Regards,\n
+-  Fail2Ban"|mail -s "[Fail2Ban] : started on " 

++  Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started 
on " 
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f  ]; then
+  These hosts have been banned by Fail2Ban.\n
+  `cat `
+  Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] : Summary from 
" 
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : 
Summary from " 
+  rm 
+  fi
+  printf %%b "Hi,\n
+  The jail  has been stopped.\n
+  Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " 

++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on 
" 
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`:  ( 
failures)\n" >> 
+ These hosts have been banned by Fail2Ban.\n
+ `cat `
+ \nRegards,\n
+-Fail2Ban"|mail -s "[Fail2Ban] : Summary" 
++Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : 
Summary" 
+ rm 
+ fi
+ 
+diff --git a/config/action.d/mail-whois-lines.conf 
b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2..d2818cb9 100644
+--- a/config/action.d/mail-whois-lines.conf
 b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c4..ab33b616 100644
+---