From a495133311d85381ac160e3bc060d9b9ef9f301a824894dcbe9aa39786a0f2ab Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Sat, 21 Apr 2018 11:24:52 +0000 Subject: [PATCH] Accepting request 599593 from home:weberho:branches:security - Updated to version 0.10.3.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog * fixed JSON serialization for the set-object within dump into database (gh-2103). - Updated to version 0.10.3. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog - Fixes * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060); * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048); * `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069; * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` : - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064); * `filter.d/sshd.conf`: - failregex got an optional space in order to match new log-format (see gh-2061); - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062); - fixed root login refused regex (optional port before preauth, gh-2080); - avoid banning of legitimate users when pam_unix used in combination with other password method, so bypass pam_unix failures if accepted available for this user gh-2070; - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly); - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it counts failure on closing connection within preauth-stage (gh-2085); * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101); * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059); * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066); * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054); - New Features * several stability and performance optimizations, more effective filter parsing, etc; * stable runnable within python versions 3.6 (as well as within 3.7-dev); - Enhancements * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097); * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073); * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029); * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038); the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line, e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line. * badips.py now uses https instead of plain http when requesting badips.com (gh-2057); * add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056); * Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG): Usage `logtarget = target[padding=on|off]` OBS-URL: https://build.opensuse.org/request/show/599593 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=90 --- fail2ban-0.10.2.tar.gz | 3 --- fail2ban-0.10.3.1.tar.gz | 3 +++ fail2ban.changes | 47 ++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 4 ++-- 4 files changed, 52 insertions(+), 5 deletions(-) delete mode 100644 fail2ban-0.10.2.tar.gz create mode 100644 fail2ban-0.10.3.1.tar.gz diff --git a/fail2ban-0.10.2.tar.gz b/fail2ban-0.10.2.tar.gz deleted file mode 100644 index b90215f..0000000 --- a/fail2ban-0.10.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1c1a969137c56f7e8b90e5f14d78b80214d34d67209787bfddc8d5804ceb29cc -size 474624 diff --git a/fail2ban-0.10.3.1.tar.gz b/fail2ban-0.10.3.1.tar.gz new file mode 100644 index 0000000..e484d8a --- /dev/null +++ b/fail2ban-0.10.3.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7ee3fd0e94d58c94298718b25e6bcfa96932712b7aa683580e162403f68d40c8 +size 485803 diff --git a/fail2ban.changes b/fail2ban.changes index b7d28ff..e387c23 100644 --- a/fail2ban.changes +++ b/fail2ban.changes @@ -1,3 +1,50 @@ +------------------------------------------------------------------- +Sat Apr 21 06:02:12 UTC 2018 - jweberhofer@weberhofer.at + +- Updated to version 0.10.3.1. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog + + * fixed JSON serialization for the set-object within dump into database (gh-2103). + +- Updated to version 0.10.3. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog + +- Fixes + * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060); + * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048); + * `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069; + * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` : + - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064); + * `filter.d/sshd.conf`: + - failregex got an optional space in order to match new log-format (see gh-2061); + - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062); + - fixed root login refused regex (optional port before preauth, gh-2080); + - avoid banning of legitimate users when pam_unix used in combination with other password method, so + bypass pam_unix failures if accepted available for this user gh-2070; + - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly); + - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode + it counts failure on closing connection within preauth-stage (gh-2085); + * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101); + * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059); + * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066); + * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054); + +- New Features + * several stability and performance optimizations, more effective filter parsing, etc; + * stable runnable within python versions 3.6 (as well as within 3.7-dev); + +- Enhancements + * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097); + * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073); + * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029); + * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038); + the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line, + e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line. + * badips.py now uses https instead of plain http when requesting badips.com (gh-2057); + * add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056); + * Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG): + Usage `logtarget = target[padding=on|off]` + ------------------------------------------------------------------- Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at diff --git a/fail2ban.spec b/fail2ban.spec index d07c1b7..e951d67 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -23,10 +23,10 @@ %{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} Name: fail2ban -Version: 0.10.2 +Version: 0.10.3.1 Release: 0 Summary: Bans IP addresses that make too many authentication failures -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Productivity/Networking/Security Url: http://www.fail2ban.org/ Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz