Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,t...@security.debian.org,sylves...@debian.org
Hi Release Team!

Please unblock package fail2ban.

fail2ban is affected by CVE-2021-32749, see the detailed advisory at https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm, which is a possible remote code execution vulnerability in the mailing action mail-whois. The idea is to have it fixed in the upper suite first; later, for buster, a point release update could follow.

unblock fail2ban/0.11.2-2

Regards,
Salvatore
diff -Nru fail2ban-0.11.2/debian/changelog fail2ban-0.11.2/debian/changelog --- fail2ban-0.11.2/debian/changelog 2020-11-26 13:47:53.000000000 +0100 +++ fail2ban-0.11.2/debian/changelog 2021-07-12 06:52:40.000000000 +0200 @@ -1,3 +1,9 @@ +fail2ban (0.11.2-2) unstable; urgency=high + + * Fix a problem with mail + + -- Sylvestre Ledru <sylves...@debian.org> Mon, 12 Jul 2021 06:52:40 +0200 + fail2ban (0.11.2-1) unstable; urgency=medium * New upstream release diff -Nru fail2ban-0.11.2/debian/patches/fix-mail.patch fail2ban-0.11.2/debian/patches/fix-mail.patch --- fail2ban-0.11.2/debian/patches/fix-mail.patch 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban-0.11.2/debian/patches/fix-mail.patch 2021-07-12 06:50:21.000000000 +0200 
@@ -0,0 +1,147 @@ + config/action.d/complain.conf | 2 +- + config/action.d/dshield.conf | 2 +- + config/action.d/mail-buffered.conf | 8 ++++---- + config/action.d/mail-whois-lines.conf | 2 +- + config/action.d/mail-whois.conf | 6 +++--- + config/action.d/mail.conf | 6 +++--- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf +index 3a5f882c..4d73b058 100644 +--- a/config/action.d/complain.conf ++++ b/config/action.d/complain.conf +@@ -102,7 +102,7 @@ logpath = /dev/null + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf +index c128bef3..3d5a7a53 100644 +--- a/config/action.d/dshield.conf ++++ b/config/action.d/dshield.conf +@@ -179,7 +179,7 @@ tcpflags = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. 
for standard Unix mail: +diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf +index 325f185b..79b84104 100644 +--- a/config/action.d/mail-buffered.conf ++++ b/config/action.d/mail-buffered.conf +@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n + The jail <name> has been started successfully.\n + Output will be buffered until <lines> lines are available.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then + These hosts have been banned by Fail2Ban.\n + `cat <tmpfile>` + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest> + rm <tmpfile> + fi + printf %%b "Hi,\n + The jail <name> has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile> + These hosts have been banned by Fail2Ban.\n + `cat <tmpfile>` + \nRegards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest> + rm <tmpfile> + fi + +diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf +index 3a3e56b2..d2818cb9 100644 +--- a/config/action.d/mail-whois-lines.conf ++++ b/config/action.d/mail-whois-lines.conf +@@ -72,7 +72,7 @@ actionunban = + # Notes.: Your system mail command. 
Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Default name of the chain + # +diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf +index 7fea34c4..ab33b616 100644 +--- a/config/action.d/mail-whois.conf ++++ b/config/action.d/mail-whois.conf +@@ -20,7 +20,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail <name> has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail <name> has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n + Here is more information about <ip> :\n + `%(_whois_command)s`\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> + + # Option: actionunban + # Notes.: command executed when unbanning an IP. 
Take care that the +diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf +index 5d8c0e15..f4838ddc 100644 +--- a/config/action.d/mail.conf ++++ b/config/action.d/mail.conf +@@ -16,7 +16,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail <name> has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail <name> has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n + The IP <ip> has just been banned by Fail2Ban after + <failures> attempts against <name>.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the diff -Nru fail2ban-0.11.2/debian/patches/series fail2ban-0.11.2/debian/patches/series --- fail2ban-0.11.2/debian/patches/series 2020-11-26 13:47:53.000000000 +0100 +++ fail2ban-0.11.2/debian/patches/series 2021-07-12 06:52:40.000000000 +0200 @@ -6,3 +6,4 @@ python3-test-suite.diff no-python-user.diff roundcube.diff +fix-mail.patch
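Review bot: the debian/changelog hunk describes the upload only as "* Fix a problem with mail", which does not name the vulnerability; the unblock request itself identifies it as CVE-2021-32749, and the security tracker and NEWS readers key off the CVE id in the changelog, so the entry should say what is fixed and where, e.g. "* Fix possible remote code execution via escape sequences in the mail actions (CVE-2021-32749)", closing the corresponding bug if one exists. urgency=high is appropriate for a security fix.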
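Review bot: every hunk in fix-mail.patch rewrites `mail -s` to `mail -E 'set escape' -s`, which assumes `mail` is GNU mailutils, where `-E` takes a command to execute before processing and `set escape` is intended to disable the tilde escape character on the message body that is piped in. In bsd-mailx and s-nail, `-E` is a no-argument flag (skip messages with an empty body), so `'set escape'` would be parsed as a recipient address and the mitigation would not apply; since this debdiff adds no dependency on a particular mail implementation (only debian/changelog, debian/patches/series and the new patch change), please verify which providers of /usr/bin/mail in testing accept this form and document the limitation for the others. The patch file also carries only a diffstat and no DEP-3 header; add Origin: (the upstream commit), Bug: (the GHSA URL given in the request) and a Description: mentioning CVE-2021-32749 so the provenance of the fix is traceable.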