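--- /dev/null
+++ b/security/py-fail2ban/files/patch-CVE-2021-32749
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+(default tilde) stops consider "~" char after new-line as composing escape
+sequence
+---
+config/action.d/complain.conf | 2 +-
+config/action.d/dshield.conf | 2 +-
+config/action.d/mail-buffered.conf | 8 ++++----
+config/action.d/mail-whois-lines.conf | 2 +-
+config/action.d/mail-whois.conf | 6 +++---
+config/action.d/mail.conf | 6 +++---
+6 files changed, 13 insertions(+), 13 deletions(-)
+diff --git config/action.d/complain.conf config/action.d/complain.conf
+index 3a5f882c..4d73b058 100644
+--- config/action.d/complain.conf
++++ config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+# Option: mailargs
+# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git config/action.d/dshield.conf config/action.d/dshield.conf
+index c128bef3..3d5a7a53 100644
+--- config/action.d/dshield.conf
++++ config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+# Option: mailargs
+# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git config/action.d/mail-buffered.conf config/action.d/mail-buffered.conf
+index 325f185b..79b84104 100644
+--- config/action.d/mail-buffered.conf
++++ config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+The jail <name> has been started successfully.\n
+Output will be buffered until <lines> lines are available.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+These hosts have been banned by Fail2Ban.\n
+`cat <tmpfile>`
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+rm <tmpfile>
+fi
+printf %%b "Hi,\n
+The jail <name> has been stopped.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+These hosts have been banned by Fail2Ban.\n
+`cat <tmpfile>`
+\nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+rm <tmpfile>
+fi
+diff --git config/action.d/mail-whois-lines.conf config/action.d/mail-whois-lines.conf
+index 3a3e56b2..d2818cb9 100644
+--- config/action.d/mail-whois-lines.conf
++++ config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+# Default name of the chain
+#
+diff --git config/action.d/mail-whois.conf config/action.d/mail-whois.conf
+index 7fea34c4..ab33b616 100644
+--- config/action.d/mail-whois.conf
++++ config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+actionstart = printf %%b "Hi,\n
+The jail <name> has been started successfully.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+actionstop = printf %%b "Hi,\n
+The jail <name> has been stopped.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+Here is more information about <ip> :\n
+`%(_whois_command)s`\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+diff --git config/action.d/mail.conf config/action.d/mail.conf
+index 5d8c0e15..f4838ddc 100644
+--- config/action.d/mail.conf
++++ config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+actionstart = printf %%b "Hi,\n
+The jail <name> has been started successfully.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+actionstop = printf %%b "Hi,\n
+The jail <name> has been stopped.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+The IP <ip> has just been banned by Fail2Ban after
+<failures> attempts against <name>.\n
+Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+--
+2.33.1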
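Review bot: The mitigation `mail -E 'set escape' -s` in every changed `mailcmd` and `actionstart`/`actionstop`/`actionban` line assumes a `mail` implementation where `-E` takes a command argument (the GNU mailutils form the upstream fix was written against); on a FreeBSD host that runs the base-system mail(1), `-E` is a bare flag, so `'set escape'` and the following `-s` would most likely be parsed as recipients and the notification would be misdirected or rejected rather than hardened. Since this patch is imported verbatim, it would help to record in the port (for example in its pkg-message or the action.d comment block) that `mailcmd` must be pointed at a mailutils-style `mail` for `-E 'set escape'` to have the intended effect, and that admins using a different mailer should override `mailcmd` in their jail configuration. I cannot tell from this page which `mail` binary the port expects at runtime, so please confirm against the port's dependencies before merging.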