Use anchored failregex for filters to avoid possible DoS -- cyrus-imap

config/filter.d/cyrus-imap.conf

@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,10 +20,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
-	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
+
-	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
-	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

debian/changelog

@@ -1,10 +1,14 @@
 fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
 
-  * Use anchored failregex for filters to avoid possible DoS
+  * Use anchored failregex for filters to avoid possible DoS.  Manually
+    picked up from the current status of 0.8 branch (as of
+    0.8.13-29-g09b2016):
     - CVE-2013-7176: postfix.conf - anchored on the front, expects
       "postfix/smtpd" prefix in the log line
+    - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
+      refactored to have a single failregex
 
- --
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400
 
 fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high