From ed0ac76b0d55c2a705bdf1f77061822acee19e10 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Sun, 22 Jun 2014 11:57:45 -0400
Subject: [PATCH] Use anchored failregex for filters to avoid possible DoS -- cyrus-imap
---
 config/filter.d/cyrus-imap.conf | 13 +++++++++----
 debian/changelog | 8 ++++++--
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index 3a8734ee..2cf0491f 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 # Option: failregex
@@ -14,10 +20,9 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = : badlogin: .*\[\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
- : badlogin: .*\[\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
- : badlogin: .*\[\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
- : badlogin: .*\[\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/debian/changelog b/debian/changelog
index 3540ae15..df24798e 100644
--- a/debian/changelog
+++ b/debian/changelog
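Review bot: The front anchor now makes a match depend on `_daemon = (?:cyrus/)?(?:imapd?|pop3d?)`, so `badlogin:` lines from any other cyrus service silently stop counting, whereas the removed patterns began at `: badlogin:` and, being unanchored, did not care which daemon logged them; if other cyrus services in this deployment (nntpd or timsieved, say) emit the same `badlogin: … SASL(-13): authentication failure: …` lines, `_daemon` should be extended (e.g. `_daemon = (?:cyrus/)?(?:imapd?|pop3d?|nntpd?|timsieved)`), and otherwise a comment stating that the filter is intentionally limited to IMAP/POP3 would save the next maintainer the question. The `<HOST>` tag appears stripped to `\[\]` in this rendering, so the above assumes the file itself reads `\[<HOST>\]`. In the tail of the pattern, `\]?$` following a greedy `.*` can never consume anything, so it can be dropped without changing behaviour. A one-line comment above `failregex` describing the expected log shape (peer name, bracketed address, mechanism, optional user, then the SASL failure text) would also motivate the optional space in `\S+ ?\[` and the lazy `.*?`, which are otherwise unexplained; the `[Definition]` section this hunk belongs to begins outside it.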
@@ -1,10 +1,14 @@
 fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
- * Use anchored failregex for filters to avoid possible DoS
+ * Use anchored failregex for filters to avoid possible DoS. Manually
+ picked up from the current status of 0.8 branch (as of
+ 0.8.13-29-g09b2016):
 - CVE-2013-7176: postfix.conf - anchored on the front, expects "postfix/smtpd" prefix in the log line
+ - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
+ refactored to have a single failregex
- --
+ -- Yaroslav Halchenko Sun, 22 Jun 2014 11:56:54 -0400
 fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high