Bug 252290 - (CVE-2007-4321) CVE-2007-4321 fail2ban DoS
CVE-2007-4321 fail2ban DoS
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: fail2ban (Show other bugs)
7
All Linux
medium Severity medium
: ---
: ---
Assigned To: Axel Thimm
Fedora Extras Quality Assurance
http://www.ossec.net/en/attacking-log...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-15 01:06 EDT by Lubomir Kundrak
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-15 08:52:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-08-15 01:06:06 EDT
Name: CVE-2007-4321
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4321
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20070813
Category:
Reference: MISC:http://www.ossec.net/en/attacking-loganalysis.html
Reference: GENTOO:GLSA-200707-13
Reference: URL:http://security.gentoo.org/glsa/glsa-200707-13.xml

fail2ban 0.8 and earlier does not properly parse sshd log files, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny
file and cause a denial of service by adding arbitrary IP addresses to
the sshd log file, as demonstrated by logging in via ssh with a client
protocol version identification containing an IP address string, a
different vector than CVE-2006-6302.
Comment 1 Lubomir Kundrak 2007-08-15 06:40:27 EDT
Axel: Please do _not_ ever close any bug (not even security bugs) without
explaining a reason. And do _not_ ever put a entry that definitely describes a
bug into NOTABUG state. Thanks.
Comment 2 Axel Thimm 2007-08-15 08:52:48 EDT
Lubomir: Please do not ever file bugs w/o either

 * _testing_ the package in question,
 * _reviewing_ the actual package's source code or
 * simply going through the trouble to read the package _changelog_.
 * Or maybe even check _bugzilla_ first.

This definitely describes a bug _already fixed_ two months ago with a security
erratum push to teh official updates channel. So before taking a high attitude
please pay attention to what is actually in Fedora, before doing the cut'n'paste
from mitre. Other than doing a proper analysis you'll also save your and my time
as a side-effect. Thanks.

https://www.redhat.com/archives/fedora-package-announce/2007-June/msg00479.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244942

* Thu Jun 21 2007 Axel Thimm <Axel Thimm ATrpms net> - 0.8.0-9
- Fix remote log injection (no CVE assignment yet).
Comment 3 Lubomir Kundrak 2007-08-16 03:31:20 EDT
(In reply to comment #2)
> Lubomir: Please do not ever file bugs w/o either
> 
>  * _testing_ the package in question,
>  * _reviewing_ the actual package's source code or
>  * simply going through the trouble to read the package _changelog_.
>  * Or maybe even check _bugzilla_ first.

Axel. If I was doing all this stuff for every CVE that is suspected to affect
us, I'd probably need 50-hours days. If you voluneer for doing this work, you're
welcome. If is usually more efficient if I just file a bug, track the CVE and
maintainer, who usually knows the best either fixes the bug, or just closes the
bug with _an appropriate comment_.

> This definitely describes a bug _already fixed_ two months ago with a security
> erratum push to teh official updates channel. So before taking a high attitude
> please pay attention to what is actually in Fedora, before doing the cut'n'paste
> from mitre. Other than doing a proper analysis you'll also save your and my time
> as a side-effect. Thanks.
> 
> https://www.redhat.com/archives/fedora-package-announce/2007-June/msg00479.html
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244942

Partially my fault, I should have looked thorough updates without a CVE to see
if this was fixed. Again, doing this for each issue without a CVE name we
stumble upon consumes time.

> 
> * Thu Jun 21 2007 Axel Thimm <Axel Thimm ATrpms net> - 0.8.0-9
> - Fix remote log injection (no CVE assignment yet).
> 

If you are fixing a security issue without a CVE name, make sure it gets a CVE
name. Usually it's best to tell fedora-security-list@redhat.com.

<personal rant>If we did not package unuseful crap, we would save us from doing
all this</personal rant>

Note You need to log in before you can comment on or make changes to this bug.