A denial of service flaw was found in fail2ban's cyrus-imap filter. A remote attacker could use this flaw to cause an attacker-chosen IP address to be blocked. This issue only affects versions prior to 0.8.11. As such, only the version of fail2ban in EPEL 5 should be affected. The Secunia advisory (http://secunia.com/advisories/56691/) also notes the following: "Some errors in regular expressions within unspecified filters can be exploited to e.g. spoof client IP addresses and subsequently cause arbitrary IP addresses to be banned." This may be the "In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability" part of the 0.8.11 changelog, but I am not sure. Recommend upgrading to 0.8.11 or later. References: https://github.com/fail2ban/fail2ban/blob/master/ChangeLog http://www.kb.cert.org/vuls/id/686662 http://secunia.com/advisories/56691/ https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087
Created fail2ban tracking bugs for this issue: Affects: epel-5 [bug 1059936]
Looking in fail2ban-0.8.11-2.fc19.src.rpm: failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$ Is this a problem? Does it need all the entries from <https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087>?