Accepting request 214671 from home:weberho:branches:security

Update to version 0.8.12

OBS-URL: https://build.opensuse.org/request/show/214671
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=39

fail2ban-0.8.11.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8fa2bd1b106b65ad2bffd41c191f80a97bc3e9456b192d1714c4ee023af5e32
-size 156411

fail2ban-0.8.12.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2cdd7cbbf8b770715ce0068aec9dd8857388cd4d690fd5211907d7f2f3bdcde4
+size 169644

fail2ban.changes

@@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.12
+
+  * Log rotation can now occur with the command "flushlogs" rather than
+    reloading fail2ban or keeping the logtarget settings consistent in
+    jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
+
+  * Added ignorecommand option for allowing dynamic determination as to ignore
+    and IP or not.
+
+  * Remove indentation of name and loglevel while logging to SYSLOG to resolve
+    syslog(-ng) parsing problems. (dep#730202). Log lines now also
+    report "[PID]" after the name portion too.
+
+  * Epoch dates can now be enclosed within []
+
+  * New actions: badips, firewallcmd-ipset, ufw, blocklist_de
+
+  * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
+    ejabberd, openwebmail, groupoffice
+
+  * Filter improvements:
+    - apache-noscript now includes php cgi scripts
+    - exim-spam filter to match spamassassin log entry for option SAdevnull.
+    - Added to sshd filter expression for 
+      "Received disconnect from : 3: Auth fail"
+    - Improved ACL-handling for Asterisk
+    - Added improper command pipelining to postfix filter.
+
+  * General fixes:
+    - Added lots of jail.conf entries for missing filters that creaped in 
+      over the last year.
+    - synchat changed to use push method which verifies whether all data was
+      send. This ensures that all data is sent before closing the connection.
+    - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 
+      2.4 compatible)
+    - Complain/email actions fixed to only include relevant IPs to reporting
+
+  * Filter fixes:
+    - Added HTTP referrer bit of the apache access log to the apache filters.
+    - Apache 2.4 perfork regexes fixed
+    - Kernel syslog expression can have leading spaces
+    - allow for ",milliseconds" in the custom date format of proftpd.log
+    - recidive jail to block all protocols
+    - smtps not a IANA standard so may be missing from /etc/services. Due to 
+      (still) common use 465 has been used as the explicit port number
+    - Filter dovecot reordered session and TLS items in regex with wider scope
+      for session characters
+
+  * Ugly Fixes (Potentially incompatible changes):
+
+    - Unfortunately at the end of last release when the action
+      firewall-cmd-direct-new was added it was too long and had a broken action
+      check. The action was renamed to firewallcmd-new to fit within jail name
+      name length. (gh#fail2ban/fail2ban#395).
+
+    - Last release added mysqld-syslog-iptables as a jail configuration. This
+      jailname was too long and it has been renamed to mysqld-syslog.
+
+- Fixed formating of github references in changelog
+- reformatted spec-file
+ 
 -------------------------------------------------------------------
 Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
 
@@ -32,17 +96,17 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
 - Fixes
   * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
     failregex at the beginning (and where applicable at the end).
-    Addresses a possible DoS. Closes gh-248, bnc#824710
+    Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
   * action.d/{route,shorewall}.conf - blocktype must be defined
-    within [Init].  Closes gh-232
+    within [Init].  Closes gh#fail2ban/fail2ban#232
 
 - Enhancements
   * jail.conf -- assure all jails have actions and remove unused
     ports specifications
   * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
   * files/suse-initd -- update to the copy from stock SUSE
-  * Updates to asterisk filter. Closes gh-227/gh-230.
-  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
+  * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227/gh#fail2ban/fail2ban#230.
+  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh#fail2ban/fail2ban#244.
 
 ------------------------------------------------------------------
 Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at
@@ -60,59 +124,59 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
 - Fixes: Yaroslav Halchenko
    * [6f4dad46] python-2.4 is the minimal version.
    * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
-     on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
+     on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the bug report.
    * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
-     insight. Closes gh-103.
+     insight. Closes gh#fail2ban/fail2ban#103.
    * [ab044b75] delay check for the existence of config directory until read.
    * [3b4084d4] fixing up for handling of TAI64N timestamps.
    * [154aa38e] do not shutdown logging until all jails stop.
-   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
+   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh#fail2ban/fail2ban#184.
      Thanks to Jon Foster for report and troubleshooting.
   Orion Poplawski
    * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
      newly created directories.
   Nicolas Collignon
-   * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
+   * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
   Sergey Brester
    * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
      sorting template list.
   Steven Hiscocks
    * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
-     Closes gh-147, gh-148.
-   * [b6a68f51] Fix delaction on server side. Closes gh-124.
+     Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
+   * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
   Daniel Black
    * [f0610c01] Allow more that a one word command when changing and Action via
-     the fail2ban-client. Closes gh-134.
+     the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
    * [945ad3d9] Fix dates on email actions to work in different locals. Closes
-     gh-70. Thanks to iGeorgeX for the idea.
+     gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
   blotus
-   * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
+   * [96eb8986] ' and " should also be escaped in action tags Closes gh#fail2ban/fail2ban#109
   Christoph Theis, Nick Hilliard, Daniel Black
    * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
 - New features:
   Yaroslav Halchenko
    * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
      to provide additional flexibility to system adminstrators. Thanks to
-     beilber for the idea. Closes gh-114.
+     beilber for the idea. Closes gh#fail2ban/fail2ban#114.
    * [3ce53e87] Add exim filter.
   Erwan Ben Souiden
    * [d7d5228] add nagios integration documentation and script to ensure
-     fail2ban is running. Closes gh-166.
+     fail2ban is running. Closes gh#fail2ban/fail2ban#166.
   Artur Penttinen
-   * [29d0df5] Add mysqld filter. Closes gh-152.
+   * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
   ArndRaphael Brandes
-   * [bba3fd8] Add Sogo filter. Closes gh-117.
+   * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
   Michael Gebetsriother
    * [f9b78ba] Add action route to block at routing level.
   Teodor Micu & Yaroslav Halchenko
    * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
   Daniel Black
-   * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
+   * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
   Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
    * [b6d0e8a] Add and enhance the bsd-ipfw action from
      FreeBSD ports.
   Soulard Morgan
-   * [f336d9f] Add filter for webmin. Closes gh-99.
+   * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
   Steven Hiscocks
    * [..746c7d9] bash interactive shell completions for fail2ban-*'s
   Nick Hilliard
@@ -122,23 +186,23 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
    * [24a8d07] Added new date format for ASSP SMTP Proxy.
   Steven Hiscocks
    * [3d6791f] Ensure restart of Actions after a check fails occurs
-     consistently. Closes gh-172.
+     consistently. Closes gh#fail2ban/fail2ban#172.
    * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
-   * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
+   * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
    * [ce3ab34] Added ability to specify PID file.
   Orion Poplawski
    * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
-     Closes gh-142.
+     Closes gh#fail2ban/fail2ban#142.
   Yaroslav Halchenko
    * [MANY] Lots of improvements to log messages, man pages and test cases.
    * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
-     Closes gh-126. Bug report by Michael Heuberger.
+     Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
    * [40c5a2d] adding more of diagnostic messages into -client while starting
      the daemon.
    * [8e63d4c] Compare against None with 'is' instead of '=='.
    * [6fef85f] Strip CR and LF while analyzing the log line
   Daniel Black
-   * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
+   * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
    * [MANY] man page edits.
    * [7cd6dab] Added help command to fail2ban-client.
    * [c8c7b0b,23bbc60] Better logging of log file read errors.
@@ -171,21 +235,21 @@ would be at a significant security risk.
 - Fixes:
   Alan Jenkins
    * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
-     banning due to misconfigured DNS. Close gh-64
+     banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
   Yaroslav Halchenko
    * [83109bc] IMPORTANT: escape the content of <matches> (if used in
      custom action files) since its value could contain arbitrary
      symbols.  Thanks for discovery go to the NBS System security
      team
-   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83
+   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh#fail2ban/fail2ban#83
    * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
    * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
-     in the console. Close gh-91
+     in the console. Close gh#fail2ban/fail2ban#91
 
 - New features:
   David Engeset
    * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
-     the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86
+     the log file to take 'banip' or 'unbanip' in effect. Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
 
 - Enhancements:
    * [2d66f31] replaced uninformative "Invalid command" message with warning log
@@ -193,9 +257,9 @@ would be at a significant security risk.
    * [958a1b0] improved failregex to "support" auth.backend = "htdigest"
    * [9e7a3b7] until we make it proper module -- adjusted sys.path only if
      system-wide run
-   * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
+   * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh#fail2ban/fail2ban#79
    * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
-     for this gh-87)
+     for this gh#fail2ban/fail2ban#87)
    * Various others: travis-ci integration, script to run tests
      against all available Python versions, etc
 
@@ -237,11 +301,11 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
   * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
   * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
   * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
-    message stays non-unicode. Close gh-32
+    message stays non-unicode. Close gh#fail2ban/fail2ban#32
   * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
     already present in the pattern
   * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
-    friend to developers stuck with Windows (Closes gh-66)
+    friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
   * [80b191c] anchor grep regexp in actioncheck to not match partial names
     of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
 - New features:
@@ -254,7 +318,7 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
     use of DNS
 - Tom Hendrikx
   * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
-    repeated offenders. Close gh-19
+    repeated offenders. Close gh#fail2ban/fail2ban#19
 - Xavier Devlamynck
   * [7d465f9..] Add asterisk support
 - Zbigniew Jedrzejewski-Szmek
@@ -274,7 +338,7 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
   * [a7d47e8] Update Free Software Foundation's address
 - Petr Voralek
   * [4007751] catch failed ssh logins due to being listed in DenyUsers.
-    Close gh-47 (Closes: #669063)
+    Close gh#fail2ban/fail2ban#47 (Closes: #669063)
 - Yaroslav Halchenko
   * [MANY]    extended and robustified unittests: test different backends
   * [d9248a6] refactored Filter's to avoid duplicate functionality

fail2ban.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fail2ban
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,25 +17,7 @@
 
 
 Name:           fail2ban
-Requires:       cron
-Requires:       iptables
-Requires:       logrotate
-Requires:       lsof
-Requires:       python >= 2.5
-%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0
-Requires:       python-pyinotify
-%endif
-%if 0%{?suse_version} >= 1220
-Requires:       python-gamin
-%endif
-%if 0%{?suse_version} >= 1230
-%{?systemd_requires}
-BuildRequires:  systemd
-%endif
-BuildRequires:  logrotate
-BuildRequires:  python-devel
-PreReq:         %fillup_prereq
-Version:        0.8.11
+Version:        0.8.12
 Release:        0
 Url:            http://www.fail2ban.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -53,6 +35,23 @@ Source3:        %{name}.logrotate
 Source4:        %{name}.service
 Source5:        %{name}.tmpfiles
 %endif
+Requires:       cron
+Requires:       iptables
+Requires:       logrotate
+Requires:       lsof
+Requires:       python >= 2.5
+%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0
+Requires:       python-pyinotify
+%endif
+%if 0%{?suse_version} >= 1220
+Requires:       python-gamin
+%endif
+%if 0%{?suse_version} >= 1230
+%{?systemd_requires}
+BuildRequires:  systemd
+%endif
+BuildRequires:  logrotate
+BuildRequires:  python-devel
 
 %description
 Fail2ban scans log files like /var/log/messages and bans IP addresses