Accepting request 853311 from security
OBS-URL: https://build.opensuse.org/request/show/853311 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=60
commit
010def5836
@ -1,19 +0,0 @@
|
||||
diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
|
||||
--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:18:27.754395688 +0200
|
||||
+++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:18:49.150908423 +0200
|
||||
@@ -7,13 +7,13 @@
|
||||
[Service]
|
||||
Type=simple
|
||||
EnvironmentFile=-/etc/sysconfig/fail2ban
|
||||
-ExecStartPre=/bin/mkdir -p /var/run/fail2ban
|
||||
+ExecStartPre=/bin/mkdir -p /run/fail2ban
|
||||
ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
|
||||
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
|
||||
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
|
||||
ExecStop=/usr/bin/fail2ban-client stop
|
||||
ExecReload=/usr/bin/fail2ban-client reload
|
||||
-PIDFile=/var/run/fail2ban/fail2ban.pid
|
||||
+PIDFile=/run/fail2ban/fail2ban.pid
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=0 255
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:71d2a52b66bb0f87ac3812246bdd3819ec561913cd44afd39130a342f043aa6d
|
||||
size 538660
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCAAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAl4Z0VwACgkQaDvxvr0K
|
||||
iCwvyQf/WMmE8sJLQYA/mfKkVIRA/2GAsvq44hQD+/DghIU/My5RKfWtjSZO+/II
|
||||
Tg31w63CQ619PLtf/IKLa2CpckKs5v1IIB6nunjU4Q/jKjruA6kOALAgwMlA0Ymf
|
||||
HnaFIW4AheXk+DGErLOPwPHWtk2skZI9hAjzuqYc6Ig4Z30dSqmBgxb7UmVRxjba
|
||||
J8n5DWA2W4VAAb9gBiL6RsBVBPRNPZhiw1Y+ejUWzqD3mqnc0tgJnVfpb5GvG+Xc
|
||||
4kUEiZb822Phw/vwyBycAhYthNAcVEWI5BIoEFbkYmCe7z7TWsQGLpuJNIT2heSC
|
||||
mzGOdU0MCwxNCy9/RGSAdctlAi+cFg==
|
||||
=6cDo
|
||||
-----END PGP SIGNATURE-----
|
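--- a/fail2ban-0.11.2.tar.gz
+++ b/fail2ban-0.11.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:383108e5f8644cefb288537950923b7520f642e7e114efb843f6e7ea9268b1e0
+size 559552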
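--- a/fail2ban-0.11.2.tar.gz.asc
+++ b/fail2ban-0.11.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAl+8IJUACgkQaDvxvr0K
+iCx3lQf+Ko0DK0UCpcyQMD2eAkOSw9gReD8g6CgqubQe76SmJedUC25AX4BhtbnB
+lcWnoNP6txHHe4SglEPDqA2QPp05V7NrC0Jv6EHuIqs/tDYQOrPeHfj9zIdo8Xpm
+tuvEdJR9642RR7LRZprAMTMkdJG0DSAPeigpuL54GbbXrRMrZk6oe5JXy5kormYb
+X26odhekUOWCh7cSSFkOoc5fKeLQZkjRECMo4zr9TMCuG9q+PCokK2ZlUK2k+FKX
+Z82pPzxYn3XH9rOhgVPST2nyeZjb4xSMmsVNTO4FXytq/MwpdZW52cAbpgxMESWV
+9ziop+UtjS9z+WcsxKZEmpVJHSxk/Q==
+=1dk3
+-----END PGP SIGNATURE-----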
@ -1,8 +1,7 @@
|
||||
Index: config/jail.conf
|
||||
===================================================================
|
||||
--- config/jail.conf.orig
|
||||
+++ config/jail.conf
|
||||
@@ -688,7 +688,7 @@ backend = %(syslog_backend)s
|
||||
diff -ur fail2ban-0.11.2-orig/config/jail.conf fail2ban-0.11.2/config/jail.conf
|
||||
--- fail2ban-0.11.2-orig/config/jail.conf 2020-11-23 21:43:03.000000000 +0100
|
||||
+++ fail2ban-0.11.2/config/jail.conf 2020-11-29 10:14:13.229200191 +0100
|
||||
@@ -731,7 +731,7 @@
|
||||
# filter = named-refused
|
||||
# port = domain,953
|
||||
# protocol = udp
|
||||
@ -11,7 +10,7 @@ Index: config/jail.conf
|
||||
|
||||
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
|
||||
# This jail blocks TCP traffic for DNS requests.
|
||||
@@ -696,7 +696,7 @@ backend = %(syslog_backend)s
|
||||
@@ -739,7 +739,7 @@
|
||||
[named-refused]
|
||||
|
||||
port = domain,953
|
||||
@ -20,11 +19,11 @@ Index: config/jail.conf
|
||||
|
||||
|
||||
[nsd]
|
||||
Index: config/paths-common.conf
|
||||
===================================================================
|
||||
--- config/paths-common.conf.orig
|
||||
+++ config/paths-common.conf
|
||||
@@ -90,7 +90,7 @@ solidpop3d_log = %(syslog_local0)s
|
||||
Nur in fail2ban-0.11.2/config: jail.conf.orig.
|
||||
diff -ur fail2ban-0.11.2-orig/config/paths-common.conf fail2ban-0.11.2/config/paths-common.conf
|
||||
--- fail2ban-0.11.2-orig/config/paths-common.conf 2020-11-23 21:43:03.000000000 +0100
|
||||
+++ fail2ban-0.11.2/config/paths-common.conf 2020-11-29 10:14:13.237200352 +0100
|
||||
@@ -90,7 +90,7 @@
|
||||
mysql_log = %(syslog_daemon)s
|
||||
mysql_backend = %(default_backend)s
|
||||
|
||||
|
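Review bot: The regenerated patch now carries the line `Nur in fail2ban-0.11.2/config: jail.conf.orig.` between its jail.conf and paths-common.conf parts; that is localized `diff -ur` output about a leftover backup file, not part of the change. It is not a hunk line and should not affect how the patch applies, but it indicates the diff was taken over a tree that still held `.orig` files. Regenerating from a clean tree under `LC_ALL=C` would rule out backup content slipping into the patch. The new `---`/`+++` headers also embed local timestamps, so the patch text changes on every regeneration even when the content does not.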
@ -1,23 +1,27 @@
|
||||
--- a/files/fail2ban.service.in 2020-01-11 11:01:00.000000000 +0100
|
||||
+++ b/files/fail2ban.service.in 2020-05-21 09:48:12.049645909 +0200
|
||||
@@ -6,13 +6,14 @@
|
||||
diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
|
||||
--- fail2ban-0.11.2-orig/files/fail2ban.service.in 2020-11-23 21:43:03.000000000 +0100
|
||||
+++ fail2ban-0.11.2/files/fail2ban.service.in 2020-12-05 18:22:01.503018894 +0100
|
||||
@@ -2,17 +2,18 @@
|
||||
Description=Fail2Ban Service
|
||||
Documentation=man:fail2ban(1)
|
||||
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
|
||||
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
|
||||
+PartOf=firewalld.service ipset.service nftables.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
-ExecStartPre=/bin/mkdir -p /run/fail2ban
|
||||
-ExecStart=@BINDIR@/fail2ban-server -xf start
|
||||
+EnvironmentFile=-/etc/sysconfig/fail2ban
|
||||
+ExecStartPre=/bin/mkdir -p /var/run/fail2ban
|
||||
Environment="PYTHONNOUSERSITE=1"
|
||||
ExecStartPre=/bin/mkdir -p /run/fail2ban
|
||||
-ExecStart=@BINDIR@/fail2ban-server -xf start
|
||||
+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
|
||||
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
|
||||
-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
|
||||
-ExecStop=@BINDIR@/fail2ban-client stop
|
||||
-ExecReload=@BINDIR@/fail2ban-client reload
|
||||
-PIDFile=/run/fail2ban/fail2ban.pid
|
||||
+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
|
||||
+ExecStop=/usr/bin/fail2ban-client stop
|
||||
+ExecReload=/usr/bin/fail2ban-client reload
|
||||
+PIDFile=/var/run/fail2ban/fail2ban.pid
|
||||
PIDFile=/run/fail2ban/fail2ban.pid
|
||||
Restart=on-failure
|
||||
RestartPreventExitStatus=0 255
|
||||
|
||||
|
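Review bot: The new `+PartOf=firewalld.service ipset.service nftables.service` line drops `iptables.service` and `ip6tables.service` from `PartOf=` while `After=` still lists them, so a restart of either unit no longer propagates to fail2ban. If those services reload or flush the ruleset on restart, the fail2ban chains and active bans would presumably disappear while the daemon keeps running and reports them as in place. The changelog ties the change to bnc#1146856, but the patch itself gives no reason. I would add a header to the patch file, for example `# bnc#1146856: <why iptables/ip6tables are excluded from PartOf>`, and state there whether bans are re-applied after a firewall restart on iptables-based setups.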
@ -1,3 +1,81 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Dec 5 17:25:17 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
||||
|
||||
- Integrate change to resolve bnc#1146856
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
||||
|
||||
- Update to 0.11.2
|
||||
increased stability, filter and action updates
|
||||
|
||||
- New Features and Enhancements
|
||||
* fail2ban-regex:
|
||||
- speedup formatted output (bypass unneeded stats creation)
|
||||
- extended with prefregex statistic
|
||||
- more informative output for `datepattern` (e. g. set from filter) - pattern : description
|
||||
* parsing of action in jail-configs considers space between action-names as separator also
|
||||
(previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
|
||||
* new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689)
|
||||
* new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855)
|
||||
* new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723)
|
||||
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured
|
||||
(gh#fail2ban/fail2ban#2631)
|
||||
* `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778)
|
||||
* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
|
||||
* datetemplate: improved anchor detection for capturing groups `(^...)`;
|
||||
* datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
|
||||
as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
|
||||
- filter gets mode in-operation, which gets activated if filter starts processing of new messages;
|
||||
in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
|
||||
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
|
||||
bypass of failure (previously exceeding `findtime`);
|
||||
- better interaction with non-matching optional datepattern or invalid timestamps;
|
||||
- implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
|
||||
whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802)
|
||||
* performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
|
||||
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh#fail2ban/fail2ban#2791;
|
||||
* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
|
||||
prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh#fail2ban/fail2ban#2755)
|
||||
|
||||
- Fixes
|
||||
* [stability] prevent race condition - no ban if filter (backend) is continuously busy if
|
||||
too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660)
|
||||
* pyinotify-backend sporadically avoided initial scanning of log-file by start
|
||||
* python 3.9 compatibility (and Travis CI support)
|
||||
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
|
||||
* manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647)
|
||||
* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
|
||||
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
|
||||
per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357
|
||||
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
|
||||
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
|
||||
so would bother the action interpolation
|
||||
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
|
||||
specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
|
||||
* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
|
||||
between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703)
|
||||
* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
|
||||
with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656)
|
||||
* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763)
|
||||
* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821)
|
||||
* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
|
||||
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
|
||||
should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650)
|
||||
* `filter.d/dovecot.conf`:
|
||||
- add managesieve and submission support (gh#fail2ban/fail2ban#2795);
|
||||
- accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
|
||||
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697)
|
||||
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
|
||||
the match of username differently (gh#fail2ban/fail2ban#2693):
|
||||
- `normal`: matches 401 with supplied username only
|
||||
- `ddos`: matches 401 without supplied username only
|
||||
- `aggressive`: matches 401 and any variant (with and without username)
|
||||
* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749)
|
||||
|
||||
- Rebased patches
|
||||
- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 19 09:04:12 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
|
@ -22,13 +22,13 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: fail2ban
|
||||
Version: 0.11.1
|
||||
Version: 0.11.2
|
||||
Release: 0
|
||||
Summary: Bans IP addresses that make too many authentication failures
|
||||
License: GPL-2.0-or-later
|
||||
Group: Productivity/Networking/Security
|
||||
URL: http://www.fail2ban.org/
|
||||
Source0: https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz
|
||||
Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
|
||||
Source2: %{name}.sysconfig
|
||||
Source3: %{name}.logrotate
|
||||
@ -47,8 +47,6 @@ Patch101: %{name}-opensuse-service.patch
|
||||
Patch200: %{name}-disable-iptables-w-option.patch
|
||||
# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
|
||||
Patch201: %{name}-0.10.4-env-script-interpreter.patch
|
||||
# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 jweberhofer@weberhofer.at -- changed fail2ban pid file location (gh#fail2ban/fail2ban#2474)
|
||||
Patch202: %{name}-0.10.4-upstream-pid-file-location.patch
|
||||
# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
|
||||
Patch300: fail2ban-opensuse-service-sfw.patch
|
||||
BuildRequires: fdupes
|
||||
@ -126,13 +124,12 @@ install -m644 %{SOURCE8} config/paths-opensuse.conf
|
||||
# Use openSUSE paths
|
||||
sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
|
||||
|
||||
%patch100
|
||||
%patch100 -p1
|
||||
%patch101 -p1
|
||||
%if 0%{?suse_version} < 1310
|
||||
%patch200 -p1
|
||||
%endif
|
||||
%patch201 -p1
|
||||
%patch202 -p1
|
||||
%if !0%{?suse_version} > 1500
|
||||
%patch300 -p1
|
||||
%endif
|
||||
|
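Review bot: The guard `%if !0%{?suse_version} > 1500` around `%patch300 -p1` in the %prep hunk looks like it can never be true: rpm evaluates the unary `!` before the comparison, so the expression reduces to `0 > 1500` or `1 > 1500`. If that reading is right, fail2ban-opensuse-service-sfw.patch is never applied, which contradicts its own comment ("start after SuSEfirewall2 only for older distributions"). On those releases the service would then presumably not be ordered after the firewall. The line is unchanged context, but this commit already reworks the neighbouring `%patch` lines, so the intent could be written directly here, e.g. `%if 0%{?suse_version} <= 1500`.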