Use anchored failregex for filters to avoid possible DoS -- cyrus-imap

pull/757/head
Yaroslav Halchenko 2014-06-22 11:57:45 -04:00
parent aff0f8233f
commit ed0ac76b0d
2 changed files with 15 additions and 6 deletions

View File

@ -5,6 +5,12 @@
# $Revision$
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
@ -14,10 +20,9 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
: badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
: badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
: badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

8
debian/changelog vendored
View File

@ -1,10 +1,14 @@
fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
* Use anchored failregex for filters to avoid possible DoS
* Use anchored failregex for filters to avoid possible DoS. Manually
picked up from the current status of 0.8 branch (as of
0.8.13-29-g09b2016):
- CVE-2013-7176: postfix.conf - anchored on the front, expects
"postfix/smtpd" prefix in the log line
- CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
refactored to have a single failregex
--
-- Yaroslav Halchenko <debian@onerussian.com> Sun, 22 Jun 2014 11:56:54 -0400
fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high