Red Hat Bugzilla – Bug 244942
Security vulnerability - log injection
Last modified: 2007-11-30 17:12:08 EST
Description of problem:
As detailed on the fail2ban website, the latest release (0.8) is susceptible to a
log injection vulnerability. More discussion can be found here:
and a patch can be found here:
Actually, of course, that patch mentioned above wouldn't fix the extra regex
line we patch in ourselves. I am posting a patch which does both - this should
replace the previous regex patch.
Created attachment 157447 [details]
Fix DOS vulnerability and AllowUsers issue in sshd.conf
I am currently testing this locally at the moment.
Hm, actually that patch doesn't correctly fix the last regex entry. Need to
think some more.
Created attachment 157459 [details]
Fix regex patterns for sshd.conf to cope with AllowUsers and DOS attacks
This is tested and works fine.
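Added illustration of the failure mode the attachments address (this is example code, not the bug report's patch, the Fedora package, or fail2ban's own filter): sshd copies the client-supplied login name into its log line, so a filter regex that stops at the first "from <host>" after the username can be steered to ban an address the attacker typed into the username field, while a regex anchored on the fixed fields that follow the host ("port N ssh2", the AllowUsers suffix) and on end of line always picks the real address, because the attacker cannot put text after those fields. The log lines, the loose and hardened patterns, and the HOST stand-in are constructed for this example; the AllowUsers message wording follows OpenSSH's as recalled and is an assumption.

```python
import ipaddress
import re

# Constructed sshd log lines (not from the bug report). Lines 3 to 5 are what
# sshd writes when the attacker picks a login name such as
# "root from 203.0.113.7": the name lands in the log verbatim, so the attacker
# controls text that looks like the real "from <ip>" field.
SAMPLE_LOG = [
    "Jun 20 10:00:01 host sshd[1234]: Failed password for invalid user root from 198.51.100.9 port 4321 ssh2",
    "Jun 20 10:00:02 host sshd[1234]: Failed password for root from 198.51.100.9 port 4322 ssh2",
    "Jun 20 10:00:03 host sshd[1234]: Failed password for invalid user root from 203.0.113.7 from 198.51.100.9 port 4323 ssh2",
    "Jun 20 10:00:04 host sshd[1234]: User bob from 203.0.113.7 from 198.51.100.9 not allowed because not listed in AllowUsers",
    "Jun 20 10:00:05 host sshd[1234]: Failed password for invalid user root from 203.0.113.7 port 1 ssh2 from 198.51.100.9 port 4324 ssh2",
]

# Hypothetical stand-in for a filter's <HOST> placeholder.
HOST = r"(?P<host>\S+)"

# Loose patterns (constructed): the host is whatever follows the first
# " from " after the username and nothing after it is required, so
# attacker-controlled text in the username can supply the host.
LOOSE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + HOST),
    re.compile(r"User (?P<user>\S+) from " + HOST),
]

# Hardened patterns (constructed): the username is greedy (it may contain
# spaces and fake "from" fields), and the host must be followed by the fixed
# trailing fields sshd appends and by end of line. Since the attacker cannot
# append anything after those fields, the last "from X" on the line wins.
HARDENED_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>.*) from " + HOST + r" port \d+ ssh2$"),
    re.compile(r"User (?P<user>.*) from " + HOST + r" not allowed because not listed in AllowUsers$"),
]


def parse_failure(line, patterns):
    """Return (user, host) for the first pattern that matches, else None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("user"), m.group("host")
    return None


def extract_host(line, patterns):
    """Return the host a line attributes the failure to, or None."""
    parsed = parse_failure(line, patterns)
    return parsed[1] if parsed else None


def valid_ip(host):
    """Accept only syntactically valid IPv4/IPv6 literals as ban targets.
    (If your sshd logs hostnames, this check must be relaxed.)"""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def failures_by_host(lines, patterns):
    """Count failures per host, the way a ban filter would before deciding."""
    counts = {}
    for line in lines:
        host = extract_host(line, patterns)
        if host is None or not valid_ip(host):
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    # The loose patterns blame the injected 203.0.113.7 three times; the
    # hardened ones attribute all five lines to the real client 198.51.100.9.
    print("loose:   ", failures_by_host(SAMPLE_LOG, LOOSE_PATTERNS))
    print("hardened:", failures_by_host(SAMPLE_LOG, HARDENED_PATTERNS))
```

The point of the hardened form is not the IP check (an attacker can inject a well-formed address) but the anchor on the fields sshd itself appends after the host; any filter pattern whose host capture is not pinned to structure the attacker cannot reach is open to the same steering.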
Thanks, new packages have been built and will either get into the repos directly
(fc5, fc6, rawhide) or wait in updates-testing (f7).
fail2ban-0.8.0-9.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.