SB2014020101 - Multiple vulnerabilities in Fail2ban
Published: February 1, 2014 Updated: August 10, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2013-7176)
The vulnerability allows a remote non-authenticated attacker to cause service disruption.
config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression.
2) Input validation error (CVE-ID: CVE-2013-7177)
The vulnerability allows a remote non-authenticated attacker to cause service disruption.
config/filter.d/cyrus-imap.conf in the cyrus-imap filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression.
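Both entries describe the same class of defect, so one added example (not part of the bulletin and not Fail2ban's code) covers them: a regression check that runs a filter regex over sample log lines and reports any line where the extracted address is not the logged connection peer. The patterns `LOOSE` and `STRICT`, the helper names and the log lines are constructed for illustration and are not the regexes shipped in postfix.conf or cyrus-imap.conf.

```python
import re

# Hypothetical patterns in the style of a log-banning filter. They are NOT the
# regexes Fail2ban shipped in postfix.conf or cyrus-imap.conf.
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Loose: unanchored, and a greedy ".*" sits between the keyword and the host.
LOOSE = re.compile(r"reject: RCPT from .*\[" + IPV4 + r"\]")
# Strict: anchored at line start; only non-space hostname characters may
# precede the bracketed peer address, and the status code must follow it.
STRICT = re.compile(
    r"^\S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\["
    + IPV4 + r"\]: 554 "
)

# Constructed log lines (documentation-range addresses), each paired with the
# peer address the MTA logged for the connection.
SAMPLES = [
    ("mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
     "554 5.7.1 <a@example.net>: Relay access denied; "
     "from=<b@example.org> to=<a@example.net>", "203.0.113.5"),
    # The sender address is client-supplied text and contains "[192.0.2.77]".
    ("mx1 postfix/smtpd[412]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
     "554 5.7.1 <a@example.net>: Relay access denied; "
     "from=<b[192.0.2.77]@example.org> to=<a@example.net>", "203.0.113.5"),
]


def extract_host(pattern, line):
    """Return the address the filter would act on for this line, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def audit(pattern, samples=SAMPLES):
    """Return (logged_peer, extracted_host) for every sample where the filter
    picks an address other than the logged connection peer."""
    mismatches = []
    for line, peer in samples:
        host = extract_host(pattern, line)
        if host != peer:
            mismatches.append((peer, host))
    return mismatches


if __name__ == "__main__":
    print("loose :", audit(LOOSE))
    print("strict:", audit(STRICT))
```

A check of this kind fits in a filter's test suite: every field a remote client can influence (sender, recipient, HELO name, username) gets a sample line with address-like text in it, and the audit must come back empty.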
Remediation
Install the update from the vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00021.html
- http://www.debian.org/security/2014/dsa-2979
- http://www.kb.cert.org/vuls/id/686662
- https://github.com/fail2ban/fail2ban/commit/eb2f0c927257120dfc32d2450fd63f1962f38821
- https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087