** Changed in: fail2ban (Ubuntu Dapper)
Status: Incomplete => Won't Fix
** Changed in: fail2ban (Ubuntu Edgy)
Status: Won't Fix => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for
this release. Marking Edgy as Won't Fix.
** Changed in: fail2ban (Ubuntu Edgy)
Status: Incomplete => Won't Fix
--
Denial of service through log injection in fail2ban
https://bugs.launchpad.net/bugs/121374
Yaroslav, your comment toward the end of the debian bug report says that
this is fixed in debian prior to 0.6, but here you say it is still
vulnerable. Since ubuntu uses debian source packages, I am confused by
your statements. Can you clarify?
** Changed in: fail2ban (Ubuntu Edgy)
checked the 0.7.6-3 -- indeed it had the bug
but it was fixed later on, so the debian package is not shipped with it any
longer ;-)
On Wed, 12 Dec 2007, Yaroslav Halchenko wrote:
I never said 'prior to 0.6'. I said that it is fixed in etch version
which is 0.7.5-2, where failregex looks like
failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>
which is different
This is the relevant line from /etc/fail2ban.conf when fail2ban 0.6.0-3
is installed on Ubuntu 6.06 LTS (Dapper).
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user) .* from (?:::f{4,6}:)?(?P<host>\S*)
This seems to allow any non-whitespace characters after host, which I
believe is the nature of the vulnerability described in CVE-2006-6302.
Please correct me if I'm wrong.
Not being anchored at the end of the string is the real reason for such a
vulnerability imho
--
Yaroslav Halchenko
Yaroslav, this is a quote from you in the Debian report:
This issue had been fixed in debian long ago see bug 330827 I think
debian/changelog for the ubuntu package contains:
fail2ban (0.5.4-5) unstable; urgency=low
* Made failregex'es more specific to don't allow usernames to be used as a
Sorry, I didn't give the complete regexes, only the ROOT LOGIN REFUSED
part.
Anyway, since these are the Debian package versions, do you know if they
are indeed affected? Simply put, Ubuntu did not make any changes to
failregex, so are these versions of the Debian packages affected?
and actually since .* is greedy, the vulnerability is not there actually...
could you test on an example?
On Wed, 12 Dec 2007, Chris Fryer wrote:
This is the relevant line from /etc/fail2ban.conf when fail2ban 0.6.0-3
is installed on Ubuntu 6.06 LTS (Dapper).
failregex = : (?:(?:Authentication
ok ... a bit more details... that elderly bug fixed in debian's
0.5-whatever is only about disallowing the host address appearing anywhere in
the logline. It per se doesn't fix the recent vulnerability (see
http://www.ossec.net/en/attacking-loganalysis.html for more details);
for that one, 0.8.1 upstream
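Yaroslav asks for a test on an example. The regex bench below is an added example, not part of the bug report and not fail2ban's own code. It runs the 0.6.0 failregex quoted earlier (with the `(?P<host>...)` group name restored), the 0.7.5-2 failregex with `<HOST>` expanded the way the 0.7 filter is assumed here to have expanded it (`(?:::f{4,6}:)?(?P<host>\S+)`; check your own copy), and a hardened variant written for this example only, which anchors at the end of the line and requires an IPv4 literal. The sshd-style log lines are constructed with RFC 5737 addresses. It shows both points made in the thread: the greedy `.*` always takes the last " from ", so a " from <address>" inside the user field does not displace the real address, while the unanchored `\S*`/`\S+` host accepts any non-blank token and any trailer, which the anchored variant rejects.

```python
"""Regex bench for the sshd failregexes discussed in the thread (added example)."""
import re

# fail2ban 0.6.0 failregex as quoted in the thread; the <host> group name is
# restored here (HTML extraction dropped the angle brackets on the page).
LOOSE_0_6 = re.compile(
    r": (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
    r"|[Ii](?:llegal|nvalid) user) .* from (?:::f{4,6}:)?(?P<host>\S*)"
)

# 0.7.5-2 failregex as quoted in the thread. ASSUMPTION: the 0.7 filter
# expanded <HOST> to the group below; adjust if your copy differs.
HOST_0_7 = r"(?:::f{4,6}:)?(?P<host>\S+)"
LOOSE_0_7 = re.compile(
    r"(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
    r"|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) " + HOST_0_7
)

# Hardened variant written for this example (not fail2ban's own 0.8.1 regex):
# the host must be an IPv4 literal and the pattern is anchored at end of line,
# so only the fixed trailer sshd itself appends may follow the address.
STRICT = re.compile(
    r": (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
    r"|[Ii](?:llegal|nvalid) user) .* from (?:::f{4,6}:)?"
    r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?: port \d{1,5})?(?: ssh\d)?$"
)

PATTERNS = {"0.6.0": LOOSE_0_6, "0.7.5": LOOSE_0_7, "strict": STRICT}

# Constructed sshd-style lines (not taken from the bug report); RFC 5737 addresses.
SAMPLE_LINES = {
    # ordinary failed login: every pattern should agree on the address
    "normal": "Dec 12 10:00:00 bastion sshd[4321]: Failed password for invalid "
              "user bob from 192.0.2.10 port 4321 ssh2",
    # the user field itself contains " from <address>"; the real address is still last
    "from_in_user": "Dec 12 10:00:01 bastion sshd[4322]: Invalid user guest "
                    "from 203.0.113.9 from 192.0.2.10",
    # the token after the last " from " is not an address at all
    "not_an_address": "Dec 12 10:00:02 bastion sshd[4323]: Invalid user guest "
                      "from mail.example.org",
    # unexpected text after the address, where sshd itself would put none
    "trailing_text": "Dec 12 10:00:03 bastion sshd[4324]: Invalid user guest "
                     "from 192.0.2.10 unexpected trailer",
}


def extract_host(pattern, line):
    """Return the <host> group the pattern would hand to the ban logic, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def run_bench(lines=SAMPLE_LINES, patterns=PATTERNS):
    """Map each sample line name to {pattern label: extracted host or None}."""
    return {name: {label: extract_host(p, line) for label, p in patterns.items()}
            for name, line in lines.items()}


if __name__ == "__main__":
    for name, result in run_bench().items():
        print(f"{name:15s} " + "  ".join(f"{k}={v!r}" for k, v in result.items()))
```

Both the 0.6.0 and the 0.7.5 pattern agree with the strict one on the two lines that end in a real address, which is the greedy-`.*` point; they differ on the lines where a non-address token or extra text follows the last " from ", which is the end-anchoring point. The strict variant is only an illustration of that second point; the fix the thread refers to is the upstream 0.8.1 change.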
** Changed in: fail2ban (Debian)
Status: Unknown => Fix Released
This particular bug doesn't affect Feisty or Gutsy, but you'll probably
want to create a separate bug for the new vulnerability.
** Changed in: fail2ban (Ubuntu Dapper)
Importance: Undecided => High
Status: New => Confirmed
** Changed in: fail2ban (Ubuntu Edgy)
Importance: Undecided =>
** Description changed:
Binary package hint: fail2ban
According to CVE 2006-6302
(http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6302) fail2ban 0.6.1 and
below is vulnerable to log injection techniques, which can lead to the
wrong IP address being banned. This can result in denial of
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6302
0.8.0-2 is still affected. Either the upcoming -3 or 0.8.1 should fix the
problem
On Thu, 21 Jun 2007, Chris Fryer wrote:
** Description changed:
Binary package hint: fail2ban
According to CVE 2006-6302
(http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6302) fail2ban 0.6.1 and
below is
** Visibility changed to: Public
** Changed in: fail2ban (Ubuntu)
Importance: Undecided => Medium
Status: Unconfirmed => Confirmed