Changeset View
Changeset View
Standalone View
Standalone View
security/py-fail2ban/files/patch-CVE-2021-32749
- This file was added.
| From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001 | |||||
| From: sebres <serg.brester@sebres.de> | |||||
| Date: Mon, 21 Jun 2021 17:12:53 +0200 | |||||
| Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable | |||||
| (default tilde) stops consider "~" char after new-line as composing escape | |||||
| sequence | |||||
| --- | |||||
| config/action.d/complain.conf | 2 +- | |||||
| config/action.d/dshield.conf | 2 +- | |||||
| config/action.d/mail-buffered.conf | 8 ++++---- | |||||
| config/action.d/mail-whois-lines.conf | 2 +- | |||||
| config/action.d/mail-whois.conf | 6 +++--- | |||||
| config/action.d/mail.conf | 6 +++--- | |||||
| 6 files changed, 13 insertions(+), 13 deletions(-) | |||||
| diff --git config/action.d/complain.conf config/action.d/complain.conf | |||||
| index 3a5f882c..4d73b058 100644 | |||||
| --- config/action.d/complain.conf | |||||
| +++ config/action.d/complain.conf | |||||
| @@ -102,7 +102,7 @@ logpath = /dev/null | |||||
| # Notes.: Your system mail command. Is passed 2 args: subject and recipient | |||||
| # Values: CMD | |||||
| # | |||||
| -mailcmd = mail -s | |||||
| +mailcmd = mail -E 'set escape' -s | |||||
| # Option: mailargs | |||||
| # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: | |||||
| diff --git config/action.d/dshield.conf config/action.d/dshield.conf | |||||
| index c128bef3..3d5a7a53 100644 | |||||
| --- config/action.d/dshield.conf | |||||
| +++ config/action.d/dshield.conf | |||||
| @@ -179,7 +179,7 @@ tcpflags = | |||||
| # Notes.: Your system mail command. Is passed 2 args: subject and recipient | |||||
| # Values: CMD | |||||
| # | |||||
| -mailcmd = mail -s | |||||
| +mailcmd = mail -E 'set escape' -s | |||||
| # Option: mailargs | |||||
| # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: | |||||
| diff --git config/action.d/mail-buffered.conf config/action.d/mail-buffered.conf | |||||
| index 325f185b..79b84104 100644 | |||||
| --- config/action.d/mail-buffered.conf | |||||
| +++ config/action.d/mail-buffered.conf | |||||
| @@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n | |||||
| The jail <name> has been started successfully.\n | |||||
| Output will be buffered until <lines> lines are available.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> | |||||
| # Option: actionstop | |||||
| # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) | |||||
| @@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then | |||||
| These hosts have been banned by Fail2Ban.\n | |||||
| `cat <tmpfile>` | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest> | |||||
| rm <tmpfile> | |||||
| fi | |||||
| printf %%b "Hi,\n | |||||
| The jail <name> has been stopped.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> | |||||
| # Option: actioncheck | |||||
| # Notes.: command executed once before each actionban command | |||||
| @@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile> | |||||
| These hosts have been banned by Fail2Ban.\n | |||||
| `cat <tmpfile>` | |||||
| \nRegards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest> | |||||
| rm <tmpfile> | |||||
| fi | |||||
| diff --git config/action.d/mail-whois-lines.conf config/action.d/mail-whois-lines.conf | |||||
| index 3a3e56b2..d2818cb9 100644 | |||||
| --- config/action.d/mail-whois-lines.conf | |||||
| +++ config/action.d/mail-whois-lines.conf | |||||
| @@ -72,7 +72,7 @@ actionunban = | |||||
| # Notes.: Your system mail command. Is passed 2 args: subject and recipient | |||||
| # Values: CMD | |||||
| # | |||||
| -mailcmd = mail -s | |||||
| +mailcmd = mail -E 'set escape' -s | |||||
| # Default name of the chain | |||||
| # | |||||
| diff --git config/action.d/mail-whois.conf config/action.d/mail-whois.conf | |||||
| index 7fea34c4..ab33b616 100644 | |||||
| --- config/action.d/mail-whois.conf | |||||
| +++ config/action.d/mail-whois.conf | |||||
| @@ -20,7 +20,7 @@ norestored = 1 | |||||
| actionstart = printf %%b "Hi,\n | |||||
| The jail <name> has been started successfully.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> | |||||
| # Option: actionstop | |||||
| # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) | |||||
| @@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n | |||||
| actionstop = printf %%b "Hi,\n | |||||
| The jail <name> has been stopped.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> | |||||
| # Option: actioncheck | |||||
| # Notes.: command executed once before each actionban command | |||||
| @@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n | |||||
| Here is more information about <ip> :\n | |||||
| `%(_whois_command)s`\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> | |||||
| # Option: actionunban | |||||
| # Notes.: command executed when unbanning an IP. Take care that the | |||||
| diff --git config/action.d/mail.conf config/action.d/mail.conf | |||||
| index 5d8c0e15..f4838ddc 100644 | |||||
| --- config/action.d/mail.conf | |||||
| +++ config/action.d/mail.conf | |||||
| @@ -16,7 +16,7 @@ norestored = 1 | |||||
| actionstart = printf %%b "Hi,\n | |||||
| The jail <name> has been started successfully.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> | |||||
| # Option: actionstop | |||||
| # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) | |||||
| @@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n | |||||
| actionstop = printf %%b "Hi,\n | |||||
| The jail <name> has been stopped.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> | |||||
| # Option: actioncheck | |||||
| # Notes.: command executed once before each actionban command | |||||
| @@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n | |||||
| The IP <ip> has just been banned by Fail2Ban after | |||||
| <failures> attempts against <name>.\n | |||||
| Regards,\n | |||||
| - Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> | |||||
| + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> | |||||
| # Option: actionunban | |||||
| # Notes.: command executed when unbanning an IP. Take care that the | |||||
| -- | |||||
| 2.33.1 | |||||