<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
From: sebres &lt;serg.brester@sebres.de&gt;
Date: Mon, 21 Jun 2021 17:12:53 +0200
Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
 (default tilde) stops considering the "~" char after a new-line as composing an escape
 sequence

---
 config/action.d/complain.conf         | 2 +-
 config/action.d/dshield.conf          | 2 +-
 config/action.d/mail-buffered.conf    | 8 ++++----
 config/action.d/mail-whois-lines.conf | 2 +-
 config/action.d/mail-whois.conf       | 6 +++---
 config/action.d/mail.conf             | 6 +++---
 6 files changed, 13 insertions(+), 13 deletions(-)

--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@@ -102,7 +102,7 @@ logpath = /dev/null
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
 # Values:  CMD
 #
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
 
 # Option:  mailargs
 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
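Review bot: The new default `mailcmd = mail -E 'set escape' -s` ties the mitigation to one mail client: `-E COMMAND` is, as far as I recall, GNU mailutils' "execute command before sending" option, whereas on bsd-mailx/Heirloom mailx `-E` is a bare flag (do not send empty-body messages), so `'set escape'` would presumably be parsed as a recipient there and the notification could be misaddressed or fail; this should be confirmed on each supported distribution before the fix ships. The Notes comment above the option still reads only "Your system mail command", so an administrator who overrides `mailcmd` (a documented customisation point) will silently lose the protection; suggest extending it with `# Notes.:  keep -E 'set escape' (GNU mailutils) - the message body carries untrusted data, so tilde escapes must stay disabled`. The same applies to the identical `mailcmd` hunks in dshield.conf and mail-whois-lines.conf and to the inline `mail` invocations in mail-buffered.conf, mail-whois.conf and mail.conf.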
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@@ -179,7 +179,7 @@ tcpflags =
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
 # Values:  CMD
 #
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
 
 # Option:  mailargs
 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
               The jail &lt;name&gt; has been started successfully.\n
               Output will be buffered until &lt;lines&gt; lines are available.\n
               Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: started on &lt;fq-hostname&gt;" &lt;dest&gt;
+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: started on &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
@@ -28,13 +28,13 @@ actionstop = if [ -f &lt;tmpfile&gt; ]; then
                  These hosts have been banned by Fail2Ban.\n
                  `cat &lt;tmpfile&gt;`
                  Regards,\n
-                 Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: Summary from &lt;fq-hostname&gt;" &lt;dest&gt;
+                 Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: Summary from &lt;fq-hostname&gt;" &lt;dest&gt;
                  rm &lt;tmpfile&gt;
              fi
              printf %%b "Hi,\n
              The jail &lt;name&gt; has been stopped.\n
              Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: stopped on &lt;fq-hostname&gt;" &lt;dest&gt;
+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: stopped on &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: &lt;ip&gt; (&lt;f
                 These hosts have been banned by Fail2Ban.\n
                 `cat &lt;tmpfile&gt;`
                 \nRegards,\n
-                Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: Summary" &lt;dest&gt;
+                Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: Summary" &lt;dest&gt;
                 rm &lt;tmpfile&gt;
             fi
 
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@@ -72,7 +72,7 @@ actionunban =
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
 # Values:  CMD
 #
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
 
 # Default name of the chain
 #
--- a/config/action.d/mail-whois.conf
+++ b/config/action.d/mail-whois.conf
@@ -20,7 +20,7 @@ norestored = 1
 actionstart = printf %%b "Hi,\n
               The jail &lt;name&gt; has been started successfully.\n
               Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: started on &lt;fq-hostname&gt;" &lt;dest&gt;
+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: started on &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
              The jail &lt;name&gt; has been stopped.\n
              Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: stopped on &lt;fq-hostname&gt;" &lt;dest&gt;
+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: stopped on &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
             Here is more information about &lt;ip&gt; :\n
             `%(_whois_command)s`\n
             Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: banned &lt;ip&gt; from &lt;fq-hostname&gt;" &lt;dest&gt;
+            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: banned &lt;ip&gt; from &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
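Review bot: In this actionban hunk the body piped into `mail` still embeds the raw output of `%(_whois_command)s`, data returned by a third party, so the whole defence rests on the mail client honouring `set escape`; if `-E` is ignored or `mailcmd` is replaced, the original exposure returns. A defence-in-depth option that does not depend on the client is to neutralise tilde-at-line-start before the pipe, e.g. wrapping the whois output as `` `%(_whois_command)s | sed 's/^~/ ~/'` `` so no line of untrusted text can begin with `~`; whether the leading space is acceptable in the report is a product decision. The same consideration applies to the `cat <tmpfile>` content in the mail-buffered.conf hunks, whose lines are built from matched log data.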
--- a/config/action.d/mail.conf
+++ b/config/action.d/mail.conf
@@ -16,7 +16,7 @@ norestored = 1
 actionstart = printf %%b "Hi,\n
               The jail &lt;name&gt; has been started successfully.\n
               Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: started  on &lt;fq-hostname&gt;" &lt;dest&gt;
+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: started  on &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
              The jail &lt;name&gt; has been stopped.\n
              Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: stopped on &lt;fq-hostname&gt;" &lt;dest&gt;
+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: stopped on &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
             The IP &lt;ip&gt; has just been banned by Fail2Ban after
             &lt;failures&gt; attempts against &lt;name&gt;.\n
             Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] &lt;name&gt;: banned &lt;ip&gt; from &lt;fq-hostname&gt;" &lt;dest&gt;
+            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] &lt;name&gt;: banned &lt;ip&gt; from &lt;fq-hostname&gt;" &lt;dest&gt;
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the