Name: CVE-2007-4321
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4321
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20070813
Category:
Reference: MISC:http://www.ossec.net/en/attacking-loganalysis.html
Reference: GENTOO:GLSA-200707-13
Reference: URL:http://security.gentoo.org/glsa/glsa-200707-13.xml

fail2ban 0.8 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in via ssh with a client protocol version identification containing an IP address string, a different vector than CVE-2006-6302.
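The injection vector in the CVE text above, as an added example written for this page (it is not fail2ban's code): sshd echoes an unauthenticated client's protocol version banner into its log, so a banner that looks like another sshd failure message lands inside a log line that a pattern-based ban engine then parses. The log lines below are constructed; their shape follows OpenSSH's "Bad protocol version identification '...' from <ip>" message, but exact formats vary by version. The two failregex patterns are simplified stand-ins, not fail2ban's actual filters, and the anchoring used in the hardened one is this example's approach, not a description of what fail2ban later changed.

```python
"""Illustrative log-injection check (written for this page, not fail2ban code).

A fail2ban-style engine matches each sshd log line against 'failregex'
patterns and bans whatever the <HOST> group captured.  CVE-2007-4321 abuses
the fact that sshd logs an unauthenticated client's version banner verbatim:
    Bad protocol version identification '<client banner>' from <real ip>
so the attacker controls text that is later parsed for an address.
"""
import ipaddress
import re

# Constructed sample log lines (syslog header + sshd message).  The second
# line is the shape sshd produces when a client sends a bogus banner; the
# banner was chosen to imitate a genuine sshd failure message and carries an
# attacker-chosen address followed by a space so \S+ stops cleanly.
LOGS = [
    "Aug 13 10:00:01 host sshd[2001]: Did not receive identification string from 203.0.113.9",
    "Aug 13 10:00:02 host sshd[2002]: Bad protocol version identification "
    "'Did not receive identification string from 192.0.2.10 ' from 198.51.100.7",
]

# Unanchored pattern in the spirit of pre-fix filters: the literal text may
# occur anywhere in the line and <HOST> is any run of non-space characters.
NAIVE_FAILREGEX = re.compile(
    r"Did not receive identification string from (?P<host>\S+)"
)

# Hardened pattern (this example's approach): pinned to the start of the sshd
# message, right after the syslog "sshd[pid]: " prefix, and to end of line,
# so text embedded mid-line by the attacker cannot satisfy it.
STRICT_FAILREGEX = re.compile(
    r"^\S+ +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<host>\S+)$"
)


def extract_hosts(lines, pattern, validate=False):
    """Return the hosts a ban engine would act on, one per matching line.

    With validate=True the captured host must parse as an IP address;
    anything else (a quote mark, a hostname-looking token) is dropped
    instead of being written to hosts.deny.
    """
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        host = m.group("host")
        if validate:
            try:
                ipaddress.ip_address(host)
            except ValueError:
                continue
        hosts.append(host)
    return hosts


def naive_bans(lines=LOGS):
    """Addresses the unanchored filter would ban: includes the injected one."""
    return extract_hosts(lines, NAIVE_FAILREGEX)


def strict_bans(lines=LOGS):
    """Addresses the anchored, validated filter would ban: only the genuine one."""
    return extract_hosts(lines, STRICT_FAILREGEX, validate=True)


if __name__ == "__main__":
    print("naive :", naive_bans())
    print("strict:", strict_bans())
```

Run as a script it prints the two ban lists side by side: the naive filter bans 203.0.113.9 and the attacker-chosen 192.0.2.10, the strict filter bans only 203.0.113.9. Note that the real client address (198.51.100.7) never reaches either list for the injected line: the naive filter is fooled outright, and the strict filter has no pattern for the "Bad protocol version identification" message at all, which is the correct conservative outcome.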
Axel: Please do _not_ ever close any bug (not even security bugs) without explaining a reason. And do _not_ ever put an entry that definitely describes a bug into NOTABUG state. Thanks.
Lubomir: Please do not ever file bugs w/o either

* _testing_ the package in question,
* _reviewing_ the actual package's source code or
* simply going through the trouble to read the package _changelog_.
* Or maybe even check _bugzilla_ first.

This definitely describes a bug _already fixed_ two months ago with a security erratum push to the official updates channel. So before taking a high attitude please pay attention to what is actually in Fedora, before doing the cut'n'paste from mitre. Other than doing a proper analysis you'll also save your and my time as a side-effect. Thanks.

https://www.redhat.com/archives/fedora-package-announce/2007-June/msg00479.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244942

* Thu Jun 21 2007 Axel Thimm <Axel Thimm ATrpms net> - 0.8.0-9
- Fix remote log injection (no CVE assignment yet).
(In reply to comment #2)
> Lubomir: Please do not ever file bugs w/o either
>
> * _testing_ the package in question,
> * _reviewing_ the actual package's source code or
> * simply going through the trouble to read the package _changelog_.
> * Or maybe even check _bugzilla_ first.

Axel. If I was doing all this stuff for every CVE that is suspected to affect us, I'd probably need 50-hour days. If you volunteer for doing this work, you're welcome. It is usually more efficient if I just file a bug, track the CVE, and the maintainer, who usually knows best, either fixes the bug or just closes the bug with _an appropriate comment_.

> This definitely describes a bug _already fixed_ two months ago with a security
> erratum push to the official updates channel. So before taking a high attitude
> please pay attention to what is actually in Fedora, before doing the cut'n'paste
> from mitre. Other than doing a proper analysis you'll also save your and my time
> as a side-effect. Thanks.
>
> https://www.redhat.com/archives/fedora-package-announce/2007-June/msg00479.html
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244942

Partially my fault, I should have looked through updates without a CVE to see if this was fixed. Again, doing this for each issue without a CVE name we stumble upon consumes time.

> * Thu Jun 21 2007 Axel Thimm <Axel Thimm ATrpms net> - 0.8.0-9
> - Fix remote log injection (no CVE assignment yet).

If you are fixing a security issue without a CVE name, make sure it gets a CVE name. Usually it's best to tell fedora-security-list.

<personal rant>If we did not package unuseful crap, we would save us from doing all this</personal rant>