Accepting request 495373 from home:weberho:branches:security

- Update to 0.9.7 - fixes for bnc#1036928 OBS-URL: https://build.opensuse.org/request/show/495373 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=79
2017-05-16 14:44:12 +00:00 · 2017-05-16 14:44:12 +00:00 · 2109aac4ea
commit 2109aac4ea
parent 7b81f19e35
5 changed files with 92 additions and 6 deletions
--- a/607568f.patch
+++ b/607568f.patch
@ -0,0 +1,34 @@
+From 607568f5da9e6b962c43d59280d72bd678c08afa Mon Sep 17 00:00:00 2001
+From: Filippo Tessarotto <zoeslam@gmail.com>
+Date: Tue, 7 Feb 2017 12:58:04 +0100
+Subject: [PATCH] Postfix RBL: 554 & SMTP
+
+---
+ config/filter.d/postfix-rbl.conf      | 2 +-
+ fail2ban/tests/files/logs/postfix-rbl | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf
+index c3f8c33..0a9078f 100644
+--- a/config/filter.d/postfix-rbl.conf
+++ b/config/filter.d/postfix-rbl.conf
+@@ -12,7 +12,7 @@ before = common.conf
+ 
+ _daemon = postfix(-\w+)?/smtpd
+ 
+-failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+ 
+ ignoreregex =
+ 
+diff --git a/fail2ban/tests/files/logs/postfix-rbl b/fail2ban/tests/files/logs/postfix-rbl
+index eff01bf..6aeac03 100644
+--- a/fail2ban/tests/files/logs/postfix-rbl
+++ b/fail2ban/tests/files/logs/postfix-rbl
+@@ -3,3 +3,6 @@ Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.examp
+ 
+ # failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
+ Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from=<spammer@example.com> to=<goodguy@example.com> proto=ESMTP helo=<badguy.example.com>
+
+# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" }
+Feb  7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from=<spammer@example.com> to=<goodguy@example.com> proto=SMTP helo=<WIN-5N8GBBS0R5I>
--- a/fail2ban-0.9.6.tar.gz
+++ b/fail2ban-0.9.6.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1712e4eda469513fb2f44951957a4159e0fa62cb9da16ed48e7f4f4037f0b976
-size 352125
--- a/fail2ban-0.9.7.tar.gz
+++ b/fail2ban-0.9.7.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2817eb0d4f670bef2a79a5a9cfb824b41a4445f5a92a307a453ac95f497c7440
+size 356374
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
+
+- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
+  this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no 
+  action as a result"
+
+- Update to 0.9.7
+  * Fixed a systemd-journal handling in fail2ban-regex 
+    (gh#fail2ban/fail2ban#1657)
+  * filter.d/sshd.conf
+    - Fixed non-anchored part of failregex (misleading match of colon inside
+      IPv6 address instead of `: ` in the reason-part by missing space, 
+      gh#fail2ban/fail2ban#1658)
+      (0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
+  * config/pathes-freebsd.conf
+    - Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
+  * filter.d/exim.conf
+    - optional part `(...)` after host-name before `[IP]` 
+      (gh#fail2ban/fail2ban#1751)
+    - new reason "Unrouteable address" for "rejected RCPT" regex 
+      (gh#fail2ban/fail2ban#1762)
+    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP 
+      connection" (gh#fail2ban/fail2ban#1766)
+  * filter.d/sshd.conf
+    - new aggressive rules (gh#fail2ban/fail2ban#864):
+      - Connection reset by peer (multi-line rule during authorization process)
+      - No supported authentication methods available
+    - single line and multi-line expression optimized, added optional prefixes
+      and suffix (logged from several ssh versions), according 
+      to gh#fail2ban/fail2ban#1206;
+    - fixed expression received disconnect auth fail (optional space after port
+      part, gh#fail2ban/fail2ban#1652)
+      and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
+  * filter.d/suhosin.conf
+    - greedy catch-all before `<HOST>` fixed (potential vulnerability)
+  * filter.d/cyrus-imap.conf
+    - accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
+  * Filter tests extended with check of all config-regexp, that contains greedy catch-all
+    before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
+
+* New Actions:
+  - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
+
+* New Filters:
+  - filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
+
+* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
+
 -------------------------------------------------------------------
 Sun Mar  5 12:56:10 UTC 2017 - wagner-thomas@gmx.at

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -17,7 +17,7 @@


 Name:           fail2ban
-Version:        0.9.6
+Version:        0.9.7
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0+
@ -37,6 +37,8 @@ Source200:      %{name}-rpmlintrc
 Patch100:       %{name}-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
 Patch101:       %{name}-opensuse-service.patch
+# PATCH-UPSTREAM 607568f.patch bnc#1036928 jweberhofer@weberhofer.at -- Postfix RBL: 554 & SMTP
+Patch102:       607568f.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
 Patch200:       %{name}-disable-iptables-w-option.patch
 BuildRequires:  fdupes
@ -97,8 +99,8 @@ reason, i.e. SFW will always run first because it does a table flush.
 %define         nagios_plugindir %{_libexecdir}/nagios/plugins
 Summary:        Check fail2ban server and how many IPs are currently banned
 Group:          System/Monitoring
-Provides:       nagios-plugins-%{name}=%{version}
-Obsoletes:      nagios-plugins-%{name}<%{version}
+Provides:       nagios-plugins-%{name} = %{version}
+Obsoletes:      nagios-plugins-%{name} < %{version}

 %description -n monitoring-plugins-%{name}
 This plugin checks if the fail2ban server is running and how many IPs are
@ -119,6 +121,7 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf

 %patch100
 %patch101
+%patch102 -p1
 %if 0%{?suse_version} < 1310
 %patch200 -p1
 %endif