Accepting request 215524 from security

Security note: The update to version 0.8.11 has fixed two additional security issues: A remote unauthenticated attacker may cause arbitrary IP addresses to be blocked by Fail2ban causing legitimate users to be blocked from accessing services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 (postfix) (forwarded request 215523 from weberho) OBS-URL: https://build.opensuse.org/request/show/215524 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=31
2014-01-30 13:54:36 +00:00 · 2014-01-30 13:54:36 +00:00 · b17e75956e
commit b17e75956e
parent 21d5b13653 0b23663b01
6 changed files with 185 additions and 61 deletions
--- a/fail2ban-0.8.11.tar.bz2
+++ b/fail2ban-0.8.11.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8fa2bd1b106b65ad2bffd41c191f80a97bc3e9456b192d1714c4ee023af5e32
-size 156411
--- a/fail2ban-0.8.12.tar.bz2
+++ b/fail2ban-0.8.12.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2cdd7cbbf8b770715ce0068aec9dd8857388cd4d690fd5211907d7f2f3bdcde4
+size 169644
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,94 @@
+-------------------------------------------------------------------
+Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
+
+Security note: The update to version 0.8.11 has fixed two additional security
+issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
+be blocked by Fail2ban causing legitimate users to be blocked from accessing
+services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
+(postfix)
+
+-------------------------------------------------------------------
+Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
+
+- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
+
+- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
+  newer versions of openSUSE
+
+-------------------------------------------------------------------
+Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at
+
+- Reviewed and fixed github references in the changelog
+
+-------------------------------------------------------------------
+Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at
+
+- Use new flushlogs syntax after logrotate
+
+-------------------------------------------------------------------
+Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.12
+
+  * Log rotation can now occur with the command "flushlogs" rather than
+    reloading fail2ban or keeping the logtarget settings consistent in
+    jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
+
+  * Added ignorecommand option for allowing dynamic determination as to ignore
+    and IP or not.
+
+  * Remove indentation of name and loglevel while logging to SYSLOG to resolve
+    syslog(-ng) parsing problems. (dep#730202). Log lines now also
+    report "[PID]" after the name portion too.
+
+  * Epoch dates can now be enclosed within []
+
+  * New actions: badips, firewallcmd-ipset, ufw, blocklist_de
+
+  * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
+    ejabberd, openwebmail, groupoffice
+
+  * Filter improvements:
+    - apache-noscript now includes php cgi scripts
+    - exim-spam filter to match spamassassin log entry for option SAdevnull.
+    - Added to sshd filter expression for 
+      "Received disconnect from : 3: Auth fail"
+    - Improved ACL-handling for Asterisk
+    - Added improper command pipelining to postfix filter.
+
+  * General fixes:
+    - Added lots of jail.conf entries for missing filters that creaped in 
+      over the last year.
+    - synchat changed to use push method which verifies whether all data was
+      send. This ensures that all data is sent before closing the connection.
+    - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 
+      2.4 compatible)
+    - Complain/email actions fixed to only include relevant IPs to reporting
+
+  * Filter fixes:
+    - Added HTTP referrer bit of the apache access log to the apache filters.
+    - Apache 2.4 perfork regexes fixed
+    - Kernel syslog expression can have leading spaces
+    - allow for ",milliseconds" in the custom date format of proftpd.log
+    - recidive jail to block all protocols
+    - smtps not a IANA standard so may be missing from /etc/services. Due to 
+      (still) common use 465 has been used as the explicit port number
+    - Filter dovecot reordered session and TLS items in regex with wider scope
+      for session characters
+
+  * Ugly Fixes (Potentially incompatible changes):
+
+    - Unfortunately at the end of last release when the action
+      firewall-cmd-direct-new was added it was too long and had a broken action
+      check. The action was renamed to firewallcmd-new to fit within jail name
+      name length. (gh#fail2ban/fail2ban#395).
+
+    - Last release added mysqld-syslog-iptables as a jail configuration. This
+      jailname was too long and it has been renamed to mysqld-syslog.
+
+- Fixed formating of github references in changelog
+- reformatted spec-file
+ 
 -------------------------------------------------------------------
 Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at

@ -32,17 +123,19 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
 - Fixes
  * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
    failregex at the beginning (and where applicable at the end).
-    Addresses a possible DoS. Closes gh-248, bnc#824710
+    Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
  * action.d/{route,shorewall}.conf - blocktype must be defined
-    within [Init].  Closes gh-232
+    within [Init].  Closes gh#fail2ban/fail2ban#232

 - Enhancements
  * jail.conf -- assure all jails have actions and remove unused
    ports specifications
  * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
  * files/suse-initd -- update to the copy from stock SUSE
-  * Updates to asterisk filter. Closes gh-227/gh-230.
-  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
+  * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
+    gh#fail2ban/fail2ban#230.
+  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes 
+    gh#fail2ban/fail2ban#244.

 ------------------------------------------------------------------
 Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at
@ -60,59 +153,61 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
 - Fixes: Yaroslav Halchenko
   * [6f4dad46] python-2.4 is the minimal version.
   * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
-     on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
+     on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
+     bug report.
   * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
-     insight. Closes gh-103.
+     insight. Closes gh#fail2ban/fail2ban#103.
   * [ab044b75] delay check for the existence of config directory until read.
   * [3b4084d4] fixing up for handling of TAI64N timestamps.
   * [154aa38e] do not shutdown logging until all jails stop.
-   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
-     Thanks to Jon Foster for report and troubleshooting.
-  Orion Poplawski
+   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
+     gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
+     troubleshooting.  Orion Poplawski
   * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
     newly created directories.
  Nicolas Collignon
-   * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
+   * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
  Sergey Brester
   * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
     sorting template list.
  Steven Hiscocks
   * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
-     Closes gh-147, gh-148.
-   * [b6a68f51] Fix delaction on server side. Closes gh-124.
+     Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
+   * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
  Daniel Black
   * [f0610c01] Allow more that a one word command when changing and Action via
-     the fail2ban-client. Closes gh-134.
+     the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
   * [945ad3d9] Fix dates on email actions to work in different locals. Closes
-     gh-70. Thanks to iGeorgeX for the idea.
+     gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
  blotus
-   * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
+   * [96eb8986] ' and " should also be escaped in action tags Closes 
+     gh#fail2ban/fail2ban#109
  Christoph Theis, Nick Hilliard, Daniel Black
   * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
 - New features:
  Yaroslav Halchenko
   * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
     to provide additional flexibility to system adminstrators. Thanks to
-     beilber for the idea. Closes gh-114.
+     beilber for the idea. Closes gh#fail2ban/fail2ban#114.
   * [3ce53e87] Add exim filter.
  Erwan Ben Souiden
   * [d7d5228] add nagios integration documentation and script to ensure
-     fail2ban is running. Closes gh-166.
+     fail2ban is running. Closes gh#fail2ban/fail2ban#166.
  Artur Penttinen
-   * [29d0df5] Add mysqld filter. Closes gh-152.
+   * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
  ArndRaphael Brandes
-   * [bba3fd8] Add Sogo filter. Closes gh-117.
+   * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
  Michael Gebetsriother
   * [f9b78ba] Add action route to block at routing level.
  Teodor Micu & Yaroslav Halchenko
   * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
  Daniel Black
-   * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
+   * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
  Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
   * [b6d0e8a] Add and enhance the bsd-ipfw action from
     FreeBSD ports.
  Soulard Morgan
-   * [f336d9f] Add filter for webmin. Closes gh-99.
+   * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
  Steven Hiscocks
   * [..746c7d9] bash interactive shell completions for fail2ban-*'s
  Nick Hilliard
@ -122,23 +217,23 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
   * [24a8d07] Added new date format for ASSP SMTP Proxy.
  Steven Hiscocks
   * [3d6791f] Ensure restart of Actions after a check fails occurs
-     consistently. Closes gh-172.
+     consistently. Closes gh#fail2ban/fail2ban#172.
   * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
-   * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
+   * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
   * [ce3ab34] Added ability to specify PID file.
  Orion Poplawski
   * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
-     Closes gh-142.
+     Closes gh#fail2ban/fail2ban#142.
  Yaroslav Halchenko
   * [MANY] Lots of improvements to log messages, man pages and test cases.
   * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
-     Closes gh-126. Bug report by Michael Heuberger.
+     Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
   * [40c5a2d] adding more of diagnostic messages into -client while starting
     the daemon.
   * [8e63d4c] Compare against None with 'is' instead of '=='.
   * [6fef85f] Strip CR and LF while analyzing the log line
  Daniel Black
-   * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
+   * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
   * [MANY] man page edits.
   * [7cd6dab] Added help command to fail2ban-client.
   * [c8c7b0b,23bbc60] Better logging of log file read errors.
@ -171,21 +266,23 @@ would be at a significant security risk.
 - Fixes:
  Alan Jenkins
   * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
-     banning due to misconfigured DNS. Close gh-64
+     banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
  Yaroslav Halchenko
   * [83109bc] IMPORTANT: escape the content of <matches> (if used in
     custom action files) since its value could contain arbitrary
     symbols.  Thanks for discovery go to the NBS System security
     team
-   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83
+   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. 
+     Close gh#fail2ban/fail2ban#83
   * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
   * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
-     in the console. Close gh-91
+     in the console. Close gh#fail2ban/fail2ban#91

 - New features:
  David Engeset
   * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
-     the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86
+     the log file to take 'banip' or 'unbanip' in effect. 
+     Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86

 - Enhancements:
   * [2d66f31] replaced uninformative "Invalid command" message with warning log
@ -193,9 +290,10 @@ would be at a significant security risk.
   * [958a1b0] improved failregex to "support" auth.backend = "htdigest"
   * [9e7a3b7] until we make it proper module -- adjusted sys.path only if
     system-wide run
-   * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
+   * [f52ba99] downgraded "already banned" from WARN to INFO level.
+     Closes gh#fail2ban/fail2ban#79
   * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
-     for this gh-87)
+     for this gh#fail2ban/fail2ban#87)
   * Various others: travis-ci integration, script to run tests
     against all available Python versions, etc

@ -237,11 +335,11 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
  * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
  * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
  * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
-    message stays non-unicode. Close gh-32
+    message stays non-unicode. Close gh#fail2ban/fail2ban#32
  * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
    already present in the pattern
  * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
-    friend to developers stuck with Windows (Closes gh-66)
+    friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
  * [80b191c] anchor grep regexp in actioncheck to not match partial names
    of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
 - New features:
@ -254,7 +352,7 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
    use of DNS
 - Tom Hendrikx
  * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
-    repeated offenders. Close gh-19
+    repeated offenders. Close gh#fail2ban/fail2ban#19
 - Xavier Devlamynck
  * [7d465f9..] Add asterisk support
 - Zbigniew Jedrzejewski-Szmek
@ -274,7 +372,7 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
  * [a7d47e8] Update Free Software Foundation's address
 - Petr Voralek
  * [4007751] catch failed ssh logins due to being listed in DenyUsers.
-    Close gh-47 (Closes: #669063)
+    Close gh#fail2ban/fail2ban#47 (Closes: #669063)
 - Yaroslav Halchenko
  * [MANY]    extended and robustified unittests: test different backends
  * [d9248a6] refactored Filter's to avoid duplicate functionality
--- a/fail2ban.logrotate
+++ b/fail2ban.logrotate
@ -8,6 +8,6 @@
    missingok
    create 644 root root
    postrotate
-      fail2ban-client set logtarget /var/log/fail2ban.log 1>/dev/null || true
+      fail2ban-client flushlogs  1>/dev/null || true
    endscript
 }
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,7 +1,7 @@
 #
 # spec file for package fail2ban
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,10 +17,31 @@


 Name:           fail2ban
+Version:        0.8.12
+Release:        0
+Url:            http://www.fail2ban.org/
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
+Summary:        Bans IP addresses that make too many authentication failures
+License:        GPL-2.0+
+Group:          Productivity/Networking/Security
+Source0:        https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
+%if 0%{?suse_version} < 1230
+# the init-script requires lsof
+Requires:       lsof
+Source1:        %{name}.init
+%endif
+Source2:        %{name}.sysconfig
+Source3:        %{name}.logrotate
+%if 0%{?suse_version} >= 1230
+Source4:        %{name}.service
+Source5:        %{name}.tmpfiles
+%endif
+# PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816
+Patch0:         fix-for-upstream-firewallcmd-ipset.conf.patch
 Requires:       cron
 Requires:       iptables
 Requires:       logrotate
-Requires:       lsof
 Requires:       python >= 2.5
 %if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0
 Requires:       python-pyinotify
@ -34,25 +55,6 @@ BuildRequires:  systemd
 %endif
 BuildRequires:  logrotate
 BuildRequires:  python-devel
-PreReq:         %fillup_prereq
-Version:        0.8.11
-Release:        0
-Url:            http://www.fail2ban.org/
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildArch:      noarch
-Summary:        Bans IP addresses that make too many authentication failures
-License:        GPL-2.0+
-Group:          Productivity/Networking/Security
-Source0:        https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
-%if 0%{?suse_version} < 1230
-Source1:        %{name}.init
-%endif
-Source2:        %{name}.sysconfig
-Source3:        %{name}.logrotate
-%if 0%{?suse_version} >= 1230
-Source4:        %{name}.service
-Source5:        %{name}.tmpfiles
-%endif

 %description
 Fail2ban scans log files like /var/log/messages and bans IP addresses
@ -63,6 +65,7 @@ files such as sshd or Apache web server ones.

 %prep
 %setup
+%patch0 -p1
 # correct doc-path
 sed -i -e 's|/usr/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py

--- a/fix-for-upstream-firewallcmd-ipset.conf.patch
+++ b/fix-for-upstream-firewallcmd-ipset.conf.patch
@ -0,0 +1,23 @@
+diff -ur fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf
+--- fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf	2014-01-16 09:20:14.000000000 +0100
+++ fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf	2014-01-23 22:43:53.115263616 +0100
+@@ -25,8 +25,6 @@
+              ipset flush fail2ban-<name>
+              ipset destroy fail2ban-<name>
+ 
+-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'
+-
+ actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+ 
+ actionunban = ipset del fail2ban-<name> <ip> -exist
+diff -ur fail2ban-0.8.12.orig/THANKS fail2ban-0.8.12/THANKS
+--- fail2ban-0.8.12.orig/THANKS	2014-01-21 21:59:49.000000000 +0100
+++ fail2ban-0.8.12/THANKS	2014-01-23 22:43:53.115263616 +0100
+@@ -30,6 +30,7 @@
+ Daniel B.
+ Daniel Black
+ David Nutter
+Derek Atkins
+ Eric Gerbier
+ Enrico Labedzki
+ ftoppi