Accepting request 453007 from security

1 OBS-URL: https://build.opensuse.org/request/show/453007 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=46
2017-01-31 11:42:01 +00:00 · 2017-01-31 11:42:01 +00:00 · 873cbbfa82
commit 873cbbfa82
parent fff3d95b42 499398214d
6 changed files with 122 additions and 43 deletions
--- a/fail2ban-0.9.5.tar.gz
+++ b/fail2ban-0.9.5.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:888ca1d8c5245b6f23391dd8e3b0e0a4279b682e966326a6572a330496ca8ee8
-size 342263
--- a/fail2ban-0.9.6.tar.gz
+++ b/fail2ban-0.9.6.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1712e4eda469513fb2f44951957a4159e0fa62cb9da16ed48e7f4f4037f0b976
+size 352125
--- a/fail2ban-opensuse-locations.patch
+++ b/fail2ban-opensuse-locations.patch
@ -1,7 +1,8 @@
-diff -Nur fail2ban-0.9.4-orig/config/jail.conf fail2ban-0.9.4/config/jail.conf
--- fail2ban-0.9.4-orig/config/jail.conf	2016-03-08 03:50:10.000000000 +0100
-+++ fail2ban-0.9.4/config/jail.conf	2016-03-10 09:38:46.382071358 +0100
-@@ -669,7 +669,7 @@
+Index: config/jail.conf
+===================================================================
+--- config/jail.conf.orig
+++ config/jail.conf
+@@ -670,7 +670,7 @@ backend = %(syslog_backend)s
 # filter   = named-refused
 # port     = domain,953
 # protocol = udp
@ -10,7 +11,7 @@ diff -Nur fail2ban-0.9.4-orig/config/jail.conf fail2ban-0.9.4/config/jail.conf
 
 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
 # This jail blocks TCP traffic for DNS requests.
-@@ -677,7 +677,7 @@
+@@ -678,7 +678,7 @@ backend = %(syslog_backend)s
 [named-refused]
 
 port     = domain,953
@ -19,10 +20,11 @@ diff -Nur fail2ban-0.9.4-orig/config/jail.conf fail2ban-0.9.4/config/jail.conf
 
 
 [nsd]
-diff -Nur fail2ban-0.9.4-orig/config/paths-common.conf fail2ban-0.9.4/config/paths-common.conf
--- fail2ban-0.9.4-orig/config/paths-common.conf	2016-03-08 03:50:10.000000000 +0100
-+++ fail2ban-0.9.4/config/paths-common.conf	2016-03-10 09:36:00.690852425 +0100
-@@ -74,7 +74,7 @@
+Index: config/paths-common.conf
+===================================================================
+--- config/paths-common.conf.orig
+++ config/paths-common.conf
+@@ -75,7 +75,7 @@ solidpop3d_log = %(syslog_local0)s
 mysql_log = %(syslog_daemon)s
 mysql_backend = %(default_backend)s
 
--- a/fail2ban-opensuse-service.patch
+++ b/fail2ban-opensuse-service.patch
@ -1,6 +1,7 @@
-diff -Nur fail2ban-0.9.4-orig/files/fail2ban.service fail2ban-0.9.4/files/fail2ban.service
--- fail2ban-0.9.4-orig/files/fail2ban.service	2016-03-08 03:50:10.000000000 +0100
-+++ fail2ban-0.9.4/files/fail2ban.service	2016-03-10 10:33:48.834063007 +0100
+Index: files/fail2ban.service
+===================================================================
+--- files/fail2ban.service.orig
+++ files/fail2ban.service
@@ -1,12 +1,13 @@
 [Unit]
 Description=Fail2Ban Service
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de
+
+- Update to 0.9.6 (2016/12/10)
+
+### Fixes
+* Misleading add resp. enable of (already available) jail in database, that
+  induced a subsequent error: last position of log file will be never retrieved (gh-795)
+* Fixed a distribution related bug within testReadStockJailConfForceEnabled
+  (e.g. test-cases faults on Fedora, see gh-1353)
+* Fixed pythonic filters and test scripts (running via wrong python version,
+  uses "fail2ban-python" now);
+* Fixed test case "testSetupInstallRoot" for not default python version (also
+  using direct call, out of virtualenv);
+* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
+* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
+* Monit config: scripting is not supported in path (gh-1556)
+* `filter.d/apache-modsecurity.conf`
+    - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
+      replaced for safer match, unneeded catch-all anchoring removed, non-capturing
+* `filter.d/asterisk.conf`
+    - Fixed to match different asterisk log prefix (source file: method:)
+* `filter.d/dovecot.conf`
+    - Fixed failregex ignores failures through some not relevant info (gh-1623)
+* `filter.d/ignorecommands/apache-fakegooglebot`
+    - Fixed error within apache-fakegooglebot, that will be called
+      with wrong python version (gh-1506)
+* `filter.d/assp.conf`
+    - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
+* `filter.d/postfix-sasl.conf`
+    - Allow for having no trailing space after 'failed:' (gh-1497)
+* `filter.d/vsftpd.conf`
+    - Optional reason part in message after FAIL LOGIN (gh-1543)
+* `filter.d/sendmail-reject.conf`
+    - removed mandatory double space (if dns-host available, gh-1579)
+* filter.d/sshd.conf
+    - recognized "Failed publickey for" (gh-1477);
+    - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
+    - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
+    - optional port part after host (see gh-1533, gh-1581)
+
+### New Features
+* New Actions:
+    - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
+* New Filters:
+    - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
+      (gh-1586, gh-1606 and gh-1607)
+
+### Enhancements
+* DateTemplate regexp extended with the word-end boundary, additionally to
+  word-start boundary
+* Introduces new command "fail2ban-python", as automatically created symlink to
+  python executable, where fail2ban currently installed (resp. its modules are located):
+    - allows to use the same version, fail2ban currently running, e.g. in
+      external scripts just via replace python with fail2ban-python:
+      ```diff
+      -#!/usr/bin/env python
+      +#!/usr/bin/env fail2ban-python
+      ```
+    - always the same pickle protocol
+    - the same (and also guaranteed available) fail2ban modules
+    - simplified stand-alone install, resp. stand-alone installation possibility
+      via setup (like gh-1487) is getting closer
+* Several test cases rewritten using new methods assertIn, assertNotIn
+* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
+  Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
+  are test covered now
+* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
+  examples:
+    - `backend = systemd[journalpath=/run/log/journal/machine-1]`
+    - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
+    - `backend = systemd[journalflags=2]`
+
+- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch
+
 -------------------------------------------------------------------
 Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,7 +1,7 @@
 #
 # spec file for package fail2ban
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@


 Name:           fail2ban
-Version:        0.9.5
+Version:        0.9.6
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0+
@ -34,11 +34,11 @@ Source8:        paths-opensuse.conf
 # ignore some rpm-lint messages
 Source200:      %{name}-rpmlintrc
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
-Patch100:       fail2ban-opensuse-locations.patch
+Patch100:       %{name}-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
-Patch101:       fail2ban-opensuse-service.patch
+Patch101:       %{name}-opensuse-service.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
-Patch200:       fail2ban-disable-iptables-w-option.patch
+Patch200:       %{name}-disable-iptables-w-option.patch
 BuildRequires:  fdupes
 BuildRequires:  logrotate
 BuildRequires:  python-devel
@ -81,19 +81,19 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.

-%package -n SuSEfirewall2-fail2ban
+%package -n SuSEfirewall2-%{name}
 Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
 Group:          Productivity/Networking/Security
 Requires:       SuSEfirewall2
 Requires:       fail2ban
 Recommends:     packageand(SuSEfirewall2:fail2ban)

-%description -n SuSEfirewall2-fail2ban
+%description -n SuSEfirewall2-%{name}
 This package ships systemd files which will cause fail2ban to be ordered in
 relation to SuSEfirewall2 such that the two can be run concurrently within
 reason, i.e. SFW will always run first because it does a table flush.

-%package -n nagios-plugins-fail2ban
+%package -n nagios-plugins-%{name}
 %define         nagios_plugindir %{_libexecdir}/nagios/plugins
 Summary:        Check fail2ban server and how many IPs are currently banned
 Group:          System/Monitoring
@ -115,8 +115,8 @@ install -m644 %{SOURCE8} config/paths-opensuse.conf
 # Use openSUSE paths
 sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf

-%patch100 -p1
-%patch101 -p1
+%patch100
+%patch101
 %if 0%{?suse_version} < 1310
 %patch200 -p1
 %endif
@ -127,7 +127,7 @@ rm 	config/paths-debian.conf \
 	config/paths-osx.conf

 # correct doc-path
-sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py
+sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py

 # remove syslogd-logger settings for older distributions
 %if 0%{?suse_version} < 1230
@ -179,13 +179,13 @@ ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}

 echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local

-install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
+install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/

 install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates
 install -p -m 644 %{SOURCE2} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}

 install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
+install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}

 %if 0%{?_unitdir:1}
 install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
@ -193,7 +193,7 @@ install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
 install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
 	"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
 %endif
-install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_fail2ban
+install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}

 # install docs using the macro
 rm -r %{buildroot}%{_docdir}/%{name}
@ -241,10 +241,10 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
 %endif

 %if 0%{?_unitdir:1}
-%post -n SuSEfirewall2-fail2ban
+%post -n SuSEfirewall2-%{name}
 %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :

-%postun -n SuSEfirewall2-fail2ban
+%postun -n SuSEfirewall2-%{name}
 %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
 %endif

@ -252,22 +252,22 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
 %defattr(-, root, root)
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/action.d
-%dir %{_sysconfdir}/%{name}/fail2ban.d
+%dir %{_sysconfdir}/%{name}/%{name}.d
 %dir %{_sysconfdir}/%{name}/filter.d
 %dir %{_sysconfdir}/%{name}/jail.d
 #
 %config %{_sysconfdir}/%{name}/action.d/*
 %config %{_sysconfdir}/%{name}/filter.d/*
 #
-%config(noreplace) %{_sysconfdir}/%{name}/fail2ban.conf
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
 %config %{_sysconfdir}/%{name}/jail.conf
 %config %{_sysconfdir}/%{name}/paths-common.conf
 %config %{_sysconfdir}/%{name}/paths-opensuse.conf
 #
 %config(noreplace) %{_sysconfdir}/%{name}/jail.local
 #
-%config %{_sysconfdir}/logrotate.d/fail2ban
-%dir %{_localstatedir}/lib/fail2ban/
+%config %{_sysconfdir}/logrotate.d/%{name}
+%dir %{_localstatedir}/lib/%{name}/
 %if 0%{?suse_version} > 1310
 # use /run directory
 %ghost /run/%{name}
@ -284,9 +284,10 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
 %{_initddir}/%{name}
 %endif
 %{_sbindir}/rc%{name}
-%{_bindir}/fail2ban-server
-%{_bindir}/fail2ban-client
-%{_bindir}/fail2ban-regex
+%{_bindir}/%{name}-server
+%{_bindir}/%{name}-client
+%{_bindir}/%{name}-python
+%{_bindir}/%{name}-regex
 %{python_sitelib}/%{name}
 %exclude %{python_sitelib}/%{name}/tests
 %{python_sitelib}/%{name}-*
@ -296,21 +297,21 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
 %doc README.md TODO ChangeLog COPYING doc/*.txt

 # do not include tests as they are executed during the build process
-%exclude %{_bindir}/fail2ban-testcases
+%exclude %{_bindir}/%{name}-testcases
 %exclude %{python_sitelib}/%{name}/tests

 %if 0%{?_unitdir:1}
-%files -n SuSEfirewall2-fail2ban
+%files -n SuSEfirewall2-%{name}
 %defattr(-,root,root)
 %{_unitdir}/SuSEfirewall2.service.d
-%{_unitdir}/fail2ban.service.d
+%{_unitdir}/%{name}.service.d
 %endif

-%files -n nagios-plugins-fail2ban
+%files -n nagios-plugins-%{name}
 %defattr(-,root,root)
 %doc files/nagios/README COPYING
 %dir %{_libexecdir}/nagios
 %dir %{nagios_plugindir}
-%{nagios_plugindir}/check_fail2ban
+%{nagios_plugindir}/check_%{name}

 %changelog