Bugzilla – Bug 861504
VUL-0: CVE-2013-7177: fail2ban: remote denial of service in cyrus-imap filter
Last modified: 2014-04-08 19:04:45 UTC
A DoS flaw was found inside the fail2ban cyrus-imap filter. CVE-2013-7177 was assigned to this issue. References: https://bugzilla.redhat.com/show_bug.cgi?id=1059934 https://github.com/fail2ban/fail2ban/blob/master/ChangeLog http://www.kb.cert.org/vuls/id/686662 http://secunia.com/advisories/56691/ https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087
bugbot adjusting priority
In version 0.8.11 the changelog says: "In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario however it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexs supporting previously unbanned failures and support newer application versions too. We have test cases for most of these now however if you have other examples that demonstrate that a filter is insufficient we welcome your feedback. During the tightening of the regexs to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue." As the last updates possibly influence more jails than noted in the CVEs, I vote to upgrade to version 0.8.11 or even better 0.8.12, which is already available in "security:fail2ban".
*** Bug 861503 has been marked as a duplicate of this bug. ***
A version upgrade should be possible, feel free to submit that. (The config files will not change, right?) But please mention this bug in the .changes file to track the decision.
It's more or less a change in the configs and in the software: for many services there is a regex defined in configuration files to detect break-in attempts; the issues themselves occurred in those regexes. Therefore all the configs were checked, adapted and improved, and test cases have been added. As long as the users didn't change single configs, an rpm update will solve the problems.
Then just submit and we'll see how it turns out :)
This is an autogenerated message for OBS integration: This bug (861504) was mentioned in https://build.opensuse.org/request/show/223812 13.1 / fail2ban
This is an autogenerated message for OBS integration: This bug (861504) was mentioned in https://build.opensuse.org/request/show/223823 12.3 / fail2ban
openSUSE-SU-2014:0348-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 824710,861503,861504 CVE References: CVE-2013-2178,CVE-2013-7176,CVE-2013-7177 Sources used: openSUSE 13.1 (src): fail2ban-0.8.12-2.5.1 openSUSE 12.3 (src): fail2ban-0.8.12-2.12.1
released
openSUSE-SU-2014:0493-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 824710,861503,861504 CVE References: CVE-2013-2178,CVE-2013-7176,CVE-2013-7177 Sources used: openSUSE 11.4 (src): fail2ban-0.8.12-26.1