authorsebres <serg.brester@sebres.de>2021-06-21 17:12:53 +0200
committersebres <serg.brester@sebres.de>2021-07-07 11:46:28 +0200
commit2ed414ed09b3bb4c478abc9366a1ff22024a33c9 (patch)
treed9855243d7d511f608b48fbfe90589a13826d73e
parent5430091acb5ba0ec7cc9cbb50a4346ec9e5c896a (diff)
fixed possible RCE vulnerability: unsetting the escape variable (default tilde) stops the "~" char after a new-line from being considered the start of an escape sequence 0.9
closes GHSA-m985-3f3v-cwmm for 0.9
-rw-r--r--config/action.d/complain.conf2
-rw-r--r--config/action.d/dshield.conf2
-rw-r--r--config/action.d/mail-buffered.conf8
-rw-r--r--config/action.d/mail-whois-lines.conf12
-rw-r--r--config/action.d/mail-whois.conf6
-rw-r--r--config/action.d/mail.conf6
6 files changed, 21 insertions, 15 deletions
diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
index 9247803e..993a31e4 100644
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@@ -79,7 +79,7 @@ logpath = /dev/null
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
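Review bot: The new default on the `+mailcmd` line, `mail -E 'set escape' -s`, depends on `-E` taking a command argument, which is the GNU mailutils `-E/--exec` form; on bsd-mailx (and, as far as I know, Heirloom/s-nail mailx) `-E` is a no-argument flag meaning "do not send empty messages", so `'set escape'` would be taken as an extra recipient and the tilde escape would stay enabled, leaving the issue this commit closes silently in place. The same invocation is introduced in dshield.conf, mail.conf, mail-whois.conf, mail-buffered.conf and mail-whois-lines.conf, so this applies to every hunk of the commit. The `# Notes.:` line two lines above should record the assumption, e.g. `# Notes.: Your system mail command. Is passed 2 args: subject and recipient. -E 'set escape' (GNU mailutils) disables tilde escapes so piped body lines cannot be interpreted as mail commands; adjust if your mail has no -E <cmd>`. Presumably a loud failure at actionstart is preferable to a silently weakened default here, so a quick check that the configured mail accepts the option might be worth considering in a follow-up.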
diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
index a0041986..ae7014fa 100644
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@@ -176,7 +176,7 @@ tcpflags =
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
index 914d4a5a..f530e958 100644
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@@ -14,7 +14,7 @@ actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@@ -25,13 +25,13 @@ actionstop = if [ -f <tmpfile> ]; then
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
rm <tmpfile>
fi
printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -52,7 +52,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
\nRegards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
rm <tmpfile>
fi
diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
index 6e39c605..39f78957 100644
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@@ -17,7 +17,7 @@ before = mail-whois-common.conf
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+ Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@@ -26,7 +26,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+ Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -48,7 +48,7 @@ actionban = printf %%b "Hi,\n
Lines containing IP:<ip> in <logpath>\n
`grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+ Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@@ -60,6 +60,12 @@ actionunban =
[Init]
+# Option: mailcmd
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+mailcmd = mail -E 'set escape' -s
+
# Default name of the chain
#
name = default
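Review bot: The `# Notes.:` comment on the newly added `mailcmd` option (copied verbatim from complain.conf) does not say why `-E 'set escape'` is part of the default, although that is the whole point of this commit; a maintainer later trimming it back to `mail -s` would reopen GHSA-m985-3f3v-cwmm without noticing. Suggest adding below `# Values: CMD` a line such as `# -E 'set escape' (GNU mailutils) disables the tilde escape, so lines of the piped message body (the grep output from <logpath> in actionban) cannot be interpreted as mail commands`. Placing the default in `[Init]` presumably lets a jail override `mailcmd` for a mail implementation that handles `-E` differently; if so, saying that in the same comment would help administrators.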
diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
index 018c327d..2c346bfe 100644
--- a/config/action.d/mail-whois.conf
+++ b/config/action.d/mail-whois.conf
@@ -17,7 +17,7 @@ before = mail-whois-common.conf
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@@ -26,7 +26,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -46,7 +46,7 @@ actionban = printf %%b "Hi,\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
index 7bf51a1d..9755f097 100644
--- a/config/action.d/mail.conf
+++ b/config/action.d/mail.conf
@@ -13,7 +13,7 @@
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -40,7 +40,7 @@ actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
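Review bot: The `+` line of this hunk, like the two earlier hunks of mail.conf and every hunk of mail-whois.conf and mail-buffered.conf, hard-codes `mail -E 'set escape' -s` inline, whereas mail-whois-lines.conf in this same commit routes the call through a `<mailcmd>` option with an `[Init]` default. Replacing `|mail -E 'set escape' -s` with `| <mailcmd>` on the three action lines and adding `mailcmd = mail -E 'set escape' -s` under `[Init]` would give administrators whose mail implementation treats `-E` differently one documented place to adjust per file instead of three action strings. The enclosing actionban value starts outside the hunk.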