Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 473118 - <net-analyzer/fail2ban-0.8.10 : remote denial of service due to apache log parsing issue (CVE-2013-2178)
Summary: <net-analyzer/fail2ban-0.8.10 : remote denial of service due to apache log pa...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2013-06-12 17:00 UTC by Agostino Sarubbo
Modified: 2014-06-01 16:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-12 17:00:57 UTC
From ${URL} :

It was reported [1] that fail2ban improperly parses Apache log files, due to improper regular expressions.  This could allow a remote attacker to 
send a crafted URL to a web site which, when parsed by fail2ban, would deny a specific IP address (not the remote attacker's IP).

This was reported against fail2ban 0.8.9, but earlier versions use the same regular expression.  This has not yet been addressed upstream; the 
original report suggests replacement regular expressions, but in my (limited) testing they do not seem to work (testing using fail2ban-regex).


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-06-13 04:10:04 UTC
Arch teams, please test and mark stable:
Stable KEYWORDS : amd64 hppa ppc ppc64 x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-06-14 14:26:55 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:03 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:17 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:30 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-14 18:28:39 UTC
ppc64 stable
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 03:52:04 UTC
GLSA vote: no.
Comment 8 Sergey Popov gentoo-dev 2013-08-27 07:04:37 UTC
GLSA vote: yes
(we have one pending GLSA request for it)
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 18:13:26 UTC
CVE-2013-2178 (
  The apache-auth.conf, apache-nohome.conf, apache-noscript.conf, and
  apache-overflows.conf files in Fail2ban before 0.8.10 do not properly
  validate log messages, which allows remote attackers to block arbitrary IP
  addresses via certain messages in a request.
Comment 10 Sergey Popov gentoo-dev 2013-09-27 09:15:47 UTC
Added to existing GLSA draft
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 16:01:00 UTC
This issue was resolved and addressed in
 GLSA 201406-03 at
by GLSA coordinator Chris Reffett (creffett).