Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 181214 - net-analyzer/fail2ban < 0.8.0-r1 Log injection (CVE-2007-4321)
Summary: net-analyzer/fail2ban < 0.8.0-r1 Log injection (CVE-2007-4321)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] Falco
Depends on:
Reported: 2007-06-07 17:10 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-01-09 23:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-07 17:10:26 UTC
Log injection issue in fail2ban. See URL for full details.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-08 17:59:32 UTC
fail2ban-0.8.0-r1 in the tree. And I think it is the time for the 0.7,0.8 branch to go stable.

Arches, please could you test and mark stable fail2ban-0.8.0-r1 if appropriate, thanks. Note that there are elog and upgrade instructions. The config files have totally changed.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-09 07:15:39 UTC
Stable for HPPA.
Comment 3 Markus Meier gentoo-dev 2007-06-09 11:03:16 UTC
1. emerges on x86
2. passes collision test
3. seems to work

Portage (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 09:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-06-10 13:24:14 UTC
x86 stable, thanks Markus.
Comment 5 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2007-06-20 16:07:57 UTC

There is a problem with the init script. It has "need logger" in the init script but this fails if there is no logging daemon. It doesn't dep on a logger. The question here is whether or not it is reasonable to assume that if a system has fail2ban it also has a logging daemon. Thoughts?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-23 17:54:48 UTC
netmon could you please comment/fix comment #5?
Comment 7 Christoph Mende (RETIRED) gentoo-dev 2007-06-23 19:20:07 UTC
no regression here, the older version don't depend on a logger either
amd64 done, thanks Thomas
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-23 21:29:54 UTC
Ready for GLSA vote. I tend to vote NO.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-25 17:04:27 UTC
since you can deny all ssh attemps to the box ("any" string) i vote Yes.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-25 17:49:56 UTC
Agreed with falco, so another YES vote.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-28 22:43:40 UTC
GLSA 200707-13, thanks everybody