
Bug 473118

Summary: <net-analyzer/fail2ban-0.8.10 : remote denial of service due to apache log parsing issue (CVE-2013-2178)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: netmon
URL: https://vndh.net/note:fail2ban-089-denial-service
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=973756
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-06-12 17:00:57 UTC
From ${URL} :

It was reported [1] that fail2ban improperly parses Apache log files, due to improper regular expressions. This could allow a remote attacker to send a crafted URL to a web site which, when parsed by fail2ban, would deny a specific IP address (not the remote attacker's IP).

This was reported against fail2ban 0.8.9, but earlier versions use the same regular expression. This has not yet been addressed upstream; the original report suggests replacement regular expressions, but in my (limited) testing they do not seem to work (testing using fail2ban-regex).


[1] https://vndh.net/note:fail2ban-089-denial-service


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers gentoo-dev 2013-06-13 04:10:04 UTC
Arch teams, please test and mark stable:
=net-analyzer/fail2ban-0.8.10
Stable KEYWORDS : amd64 hppa ppc ppc64 x86
Comment 2 Jeroen Roovers gentoo-dev 2013-06-14 14:26:55 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:03 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:17 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:30 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:39 UTC
ppc64 stable
Comment 7 Chris Reffett gentoo-dev Security 2013-08-27 03:52:04 UTC
GLSA vote: no.
Comment 8 Sergey Popov gentoo-dev 2013-08-27 07:04:37 UTC
GLSA vote: yes
(we have one pending GLSA request for it)
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 18:13:26 UTC
CVE-2013-2178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2178):
  The apache-auth.conf, apache-nohome.conf, apache-noscript.conf, and
  apache-overflows.conf files in Fail2ban before 0.8.10 do not properly
  validate log messages, which allows remote attackers to block arbitrary IP
  addresses via certain messages in a request.
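The parsing flaw described in the bug description and summarised in the CVE text above comes down to an unanchored failregex: `re.search` is free to match a `[client ...]` fragment that the attacker placed in the request path, which Apache then echoes into the error log, instead of the `[client ...]` block Apache itself wrote at the head of the record. The following is an added illustration, not code from fail2ban or from this bug; the two failregex patterns are simplified stand-ins in the style of the affected apache-*.conf filters (not copied from any release), the `[timestamp] [error]` prefix regex is an assumption about Apache 2.2 error-log layout, and both log lines are constructed.

```python
import re

# Expansion of the <HOST> placeholder used by fail2ban 0.8.x filters
# (IPv4 address, hostname, or IPv6-mapped form).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Unanchored pattern in the style of the affected apache-*.conf filters
# (a simplified stand-in, not copied from any fail2ban release).  Because it
# is searched anywhere in the line, the "[client ...]" block it captures
# need not be the one Apache wrote at the start of the record.
VULNERABLE_FAILREGEX = r"\[client " + HOST + r"\] user .* authentication failure"

# Anchored pattern: the "[client <HOST>]" block must sit immediately after the
# Apache 2.2 error-log prefix "[<timestamp>] [error]", so attacker-controlled
# text later in the line (the logged request path) cannot supply the host.
# The prefix regex is an assumption about Apache 2.2 error-log layout, written
# to illustrate the anchoring approach rather than copied from fail2ban 0.8.10.
HARDENED_FAILREGEX = (
    r"^\[[^\]]+\] \[error\] \[client " + HOST + r"\] user .* authentication failure"
)

# Constructed sample log lines (not taken from a real server).
# A genuine mod_auth failure from 203.0.113.7:
LEGIT_LINE = (
    "[Wed Jun 12 17:00:57 2013] [error] [client 203.0.113.7] "
    'user bob: authentication failure for "/private": Password Mismatch'
)
# 203.0.113.7 requests a non-existent path whose name mimics an auth-failure
# record naming 198.51.100.1; Apache logs the decoded path in its message.
CRAFTED_LINE = (
    "[Wed Jun 12 17:01:00 2013] [error] [client 203.0.113.7] "
    "File does not exist: /var/www/html/[client 198.51.100.1] "
    "user bob: authentication failure"
)


def find_host(failregex: str, line: str):
    """Return the host a filter would ban for this line, or None if no match.

    Mirrors failregex semantics: the pattern is searched (not fully matched)
    against the line and the <host> group is extracted.
    """
    m = re.search(failregex, line)
    return m.group("host") if m else None


def evaluate(failregex: str, lines):
    """Map each line to the host the given filter would ban for it."""
    return {line: find_host(failregex, line) for line in lines}


if __name__ == "__main__":
    for name, regex in (("vulnerable", VULNERABLE_FAILREGEX),
                        ("hardened", HARDENED_FAILREGEX)):
        print(f"== {name} filter ==")
        for line, host in evaluate(regex, [LEGIT_LINE, CRAFTED_LINE]).items():
            print(f"  banned={host!s:14} line={line[:60]}...")
```

With the unanchored pattern the crafted line bans 198.51.100.1, an address the attacker chose, while the anchored pattern rejects that line and still bans 203.0.113.7 for the genuine failure. The same check can be repeated against a deployed filter with the `fail2ban-regex` tool the description mentions, giving it a single log line and the filter file or regex to test.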
Comment 10 Sergey Popov gentoo-dev 2013-09-27 09:15:47 UTC
Added to existing GLSA draft
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 16:01:00 UTC
This issue was resolved and addressed in
 GLSA 201406-03 at http://security.gentoo.org/glsa/glsa-201406-03.xml
by GLSA coordinator Chris Reffett (creffett).