From a3b7f0e99534b12c1dc9e0e8711b48e537f87f7ed504e5753098576b944304db Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Wed, 22 Jan 2014 09:26:34 +0000 Subject: [PATCH 1/4] Accepting request 214671 from home:weberho:branches:security Update to version 0.8.12 OBS-URL: https://build.opensuse.org/request/show/214671 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=39 --- fail2ban-0.8.11.tar.bz2 | 3 - fail2ban-0.8.12.tar.bz2 | 3 + fail2ban.changes | 132 +++++++++++++++++++++++++++++----------- fail2ban.spec | 39 ++++++------ 4 files changed, 120 insertions(+), 57 deletions(-) delete mode 100644 fail2ban-0.8.11.tar.bz2 create mode 100644 fail2ban-0.8.12.tar.bz2 diff --git a/fail2ban-0.8.11.tar.bz2 b/fail2ban-0.8.11.tar.bz2 deleted file mode 100644 index 4195d08..0000000 --- a/fail2ban-0.8.11.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d8fa2bd1b106b65ad2bffd41c191f80a97bc3e9456b192d1714c4ee023af5e32 -size 156411 diff --git a/fail2ban-0.8.12.tar.bz2 b/fail2ban-0.8.12.tar.bz2 new file mode 100644 index 0000000..4cebe8b --- /dev/null +++ b/fail2ban-0.8.12.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2cdd7cbbf8b770715ce0068aec9dd8857388cd4d690fd5211907d7f2f3bdcde4 +size 169644 diff --git a/fail2ban.changes b/fail2ban.changes index ff2c296..57afc4b 100644 --- a/fail2ban.changes +++ b/fail2ban.changes 
@@ -1,3 +1,67 @@ +------------------------------------------------------------------- +Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at + +- Update to version 0.8.12 + + * Log rotation can now occur with the command "flushlogs" rather than + reloading fail2ban or keeping the logtarget settings consistent in + jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798). + + * Added ignorecommand option for allowing dynamic determination as to ignore + and IP or not. + + * Remove indentation of name and loglevel while logging to SYSLOG to resolve + syslog(-ng) parsing problems. (dep#730202). Log lines now also + report "[PID]" after the name portion too. + + * Epoch dates can now be enclosed within [] + + * New actions: badips, firewallcmd-ipset, ufw, blocklist_de + + * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid, + ejabberd, openwebmail, groupoffice + + * Filter improvements: + - apache-noscript now includes php cgi scripts + - exim-spam filter to match spamassassin log entry for option SAdevnull. + - Added to sshd filter expression for + "Received disconnect from : 3: Auth fail" + - Improved ACL-handling for Asterisk + - Added improper command pipelining to postfix filter. + + * General fixes: + - Added lots of jail.conf entries for missing filters that creaped in + over the last year. + - synchat changed to use push method which verifies whether all data was + send. This ensures that all data is sent before closing the connection. + - Fixed python 2.4 compatibility (as sub-second in date patterns weren't + 2.4 compatible) + - Complain/email actions fixed to only include relevant IPs to reporting + + * Filter fixes: + - Added HTTP referrer bit of the apache access log to the apache filters. 
+ - Apache 2.4 perfork regexes fixed + - Kernel syslog expression can have leading spaces + - allow for ",milliseconds" in the custom date format of proftpd.log + - recidive jail to block all protocols + - smtps not a IANA standard so may be missing from /etc/services. Due to + (still) common use 465 has been used as the explicit port number + - Filter dovecot reordered session and TLS items in regex with wider scope + for session characters + + * Ugly Fixes (Potentially incompatible changes): + + - Unfortunately at the end of last release when the action + firewall-cmd-direct-new was added it was too long and had a broken action + check. The action was renamed to firewallcmd-new to fit within jail name + name length. (gh#fail2ban/fail2ban#395). + + - Last release added mysqld-syslog-iptables as a jail configuration. This + jailname was too long and it has been renamed to mysqld-syslog. + +- Fixed formating of github references in changelog +- reformatted spec-file + ------------------------------------------------------------------- Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at 
@@ -32,17 +96,17 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at - Fixes * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor failregex at the beginning (and where applicable at the end). - Addresses a possible DoS. Closes gh-248, bnc#824710 + Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710 * action.d/{route,shorewall}.conf - blocktype must be defined - within [Init]. Closes gh-232 + within [Init]. Closes gh#fail2ban/fail2ban#232 - Enhancements * jail.conf -- assure all jails have actions and remove unused ports specifications * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ * files/suse-initd -- update to the copy from stock SUSE - * Updates to asterisk filter. Closes gh-227/gh-230. - * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244. + * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227/gh#fail2ban/fail2ban#230. + * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh#fail2ban/fail2ban#244. ------------------------------------------------------------------ Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at 
@@ -60,59 +124,59 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at - Fixes: Yaroslav Halchenko * [6f4dad46] python-2.4 is the minimal version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. - on Fedora. Closes gh-112. Thanks to Camusensei for the bug report. + on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for - insight. Closes gh-103. + insight. Closes gh#fail2ban/fail2ban#103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. - * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. + * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon - * [39667ff6] Avoid leaking file descriptors. Closes gh-167. + * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167. Sergey Brester * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list. Steven Hiscocks * [7a442f07] When changing log target with python2.{4,5} handle KeyError. - Closes gh-147, gh-148. - * [b6a68f51] Fix delaction on server side. Closes gh-124. + Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148. + * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124. Daniel Black * [f0610c01] Allow more that a one word command when changing and Action via - the fail2ban-client. Closes gh-134. + the fail2ban-client. Closes gh#fail2ban/fail2ban#134. * [945ad3d9] Fix dates on email actions to work in different locals. Closes - gh-70. Thanks to iGeorgeX for the idea. + gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. 
blotus - * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 + * [96eb8986] ' and " should also be escaped in action tags Closes gh#fail2ban/fail2ban#109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system adminstrators. Thanks to - beilber for the idea. Closes gh-114. + beilber for the idea. Closes gh#fail2ban/fail2ban#114. * [3ce53e87] Add exim filter. Erwan Ben Souiden * [d7d5228] add nagios integration documentation and script to ensure - fail2ban is running. Closes gh-166. + fail2ban is running. Closes gh#fail2ban/fail2ban#166. Artur Penttinen - * [29d0df5] Add mysqld filter. Closes gh-152. + * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152. ArndRaphael Brandes - * [bba3fd8] Add Sogo filter. Closes gh-117. + * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117. Michael Gebetsriother * [f9b78ba] Add action route to block at routing level. Teodor Micu & Yaroslav Halchenko * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black - * [be06b1b] Add action for iptables-ipsets. Closes gh-102. + * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102. Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk * [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports. Soulard Morgan - * [f336d9f] Add filter for webmin. Closes gh-99. + * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99. Steven Hiscocks * [..746c7d9] bash interactive shell completions for fail2ban-*'s Nick Hilliard 
@@ -122,23 +186,23 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs - consistently. Closes gh-172. + consistently. Closes gh#fail2ban/fail2ban#172. * [MANY] Improvements to test cases, travis, and code coverage (coveralls). - * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124. + * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124. * [ce3ab34] Added ability to specify PID file. Orion Poplawski * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. - Closes gh-142. + Closes gh#fail2ban/fail2ban#142. Yaroslav Halchenko * [MANY] Lots of improvements to log messages, man pages and test cases. * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. - Closes gh-126. Bug report by Michael Heuberger. + Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger. * [40c5a2d] adding more of diagnostic messages into -client while starting the daemon. * [8e63d4c] Compare against None with 'is' instead of '=='. * [6fef85f] Strip CR and LF while analyzing the log line Daniel Black - * [3aeb1a9] Add jail.conf manual page. Closes gh-143. + * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143. * [MANY] man page edits. * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. 
@@ -171,21 +235,21 @@ would be at a significant security risk. - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid - banning due to misconfigured DNS. Close gh-64 + banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team - * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83 + * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh#fail2ban/fail2ban#83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages - in the console. Close gh-91 + in the console. Close gh#fail2ban/fail2ban#91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching - the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86 + the log file to take 'banip' or 'unbanip' in effect. Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log @@ -193,9 +257,9 @@ would be at a significant security risk. * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run - * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 + * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh#fail2ban/fail2ban#79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 - for this gh-87) + for this gh#fail2ban/fail2ban#87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc 
@@ -237,11 +301,11 @@ Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log - message stays non-unicode. Close gh-32 + message stays non-unicode. Close gh#fail2ban/fail2ban#32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be - friend to developers stuck with Windows (Closes gh-66) + friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: @@ -254,7 +318,7 @@ Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at use of DNS - Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban - repeated offenders. Close gh-19 + repeated offenders. Close gh#fail2ban/fail2ban#19 - Xavier Devlamynck * [7d465f9..] Add asterisk support - Zbigniew Jedrzejewski-Szmek @@ -274,7 +338,7 @@ Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at * [a7d47e8] Update Free Software Foundation's address - Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. - Close gh-47 (Closes: #669063) + Close gh#fail2ban/fail2ban#47 (Closes: #669063) - Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality diff --git a/fail2ban.spec b/fail2ban.spec index c8835f8..c7fec0a 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -1,7 +1,7 @@ # # spec file for package fail2ban # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,25 +17,7 @@ Name: fail2ban -Requires: cron -Requires: iptables -Requires: logrotate -Requires: lsof -Requires: python >= 2.5 -%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 -Requires: python-pyinotify -%endif -%if 0%{?suse_version} >= 1220 -Requires: python-gamin -%endif -%if 0%{?suse_version} >= 1230 -%{?systemd_requires} -BuildRequires: systemd -%endif -BuildRequires: logrotate -BuildRequires: python-devel -PreReq: %fillup_prereq -Version: 0.8.11 +Version: 0.8.12 Release: 0 Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -53,6 +35,23 @@ Source3: %{name}.logrotate Source4: %{name}.service Source5: %{name}.tmpfiles %endif +Requires: cron +Requires: iptables +Requires: logrotate +Requires: lsof +Requires: python >= 2.5 +%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 +Requires: python-pyinotify +%endif +%if 0%{?suse_version} >= 1220 +Requires: python-gamin +%endif +%if 0%{?suse_version} >= 1230 +%{?systemd_requires} +BuildRequires: systemd +%endif +BuildRequires: logrotate +BuildRequires: python-devel %description Fail2ban scans log files like /var/log/messages and bans IP addresses From 1c64f0f9dbeb145cb40609829779632831de1241621cabff132393da4ee98e4e Mon Sep 17 00:00:00 2001 
From: Johannes Weberhofer Date: Thu, 23 Jan 2014 08:49:19 +0000 Subject: [PATCH 2/4] Accepting request 214757 from home:weberho:branches:security - Reviewed and fixed one github references in the changelog following http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines#Current_set_of_abbreviations - Use new flushlogs syntax after logrotate OBS-URL: https://build.opensuse.org/request/show/214757 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=40 --- fail2ban.changes | 37 +++++++++++++++++++++++++++---------- fail2ban.logrotate | 2 +- 2 files changed, 28 insertions(+), 11 deletions(-) diff --git a/fail2ban.changes b/fail2ban.changes index 57afc4b..38d6489 100644 --- a/fail2ban.changes +++ b/fail2ban.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at + +- Reviewed and fixed github references in the changelog + +------------------------------------------------------------------- +Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at + +- Use new flushlogs syntax after logrotate + ------------------------------------------------------------------- Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at @@ -105,8 +115,10 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at ports specifications * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ * files/suse-initd -- update to the copy from stock SUSE - * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227/gh#fail2ban/fail2ban#230. - * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh#fail2ban/fail2ban#244. + * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227, + gh#fail2ban/fail2ban#230. + * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes + gh#fail2ban/fail2ban#244. ------------------------------------------------------------------ Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at 
@@ -124,15 +136,16 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at - Fixes: Yaroslav Halchenko * [6f4dad46] python-2.4 is the minimal version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. - on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the bug report. + on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the + bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh#fail2ban/fail2ban#103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. - * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh#fail2ban/fail2ban#184. - Thanks to Jon Foster for report and troubleshooting. - Orion Poplawski + * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes + gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and + troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon @@ -150,7 +163,8 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. blotus - * [96eb8986] ' and " should also be escaped in action tags Closes gh#fail2ban/fail2ban#109 + * [96eb8986] ' and " should also be escaped in action tags Closes + gh#fail2ban/fail2ban#109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: 
@@ -241,7 +255,8 @@ would be at a significant security risk. custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team - * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh#fail2ban/fail2ban#83 + * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. + Close gh#fail2ban/fail2ban#83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Close gh#fail2ban/fail2ban#91 @@ -249,7 +264,8 @@ would be at a significant security risk. - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching - the log file to take 'banip' or 'unbanip' in effect. Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 + the log file to take 'banip' or 'unbanip' in effect. + Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log @@ -257,7 +273,8 @@ would be at a significant security risk. * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run - * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh#fail2ban/fail2ban#79 + * [f52ba99] downgraded "already banned" from WARN to INFO level. + Closes gh#fail2ban/fail2ban#79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh#fail2ban/fail2ban#87) * Various others: travis-ci integration, script to run tests diff --git a/fail2ban.logrotate b/fail2ban.logrotate index 056d894..cbd0e96 100644 --- a/fail2ban.logrotate +++ b/fail2ban.logrotate 
@@ -8,6 +8,6 @@ missingok create 644 root root postrotate - fail2ban-client set logtarget /var/log/fail2ban.log 1>/dev/null || true + fail2ban-client flushlogs 1>/dev/null || true endscript } From 0156e67ee63485b181c738605125a9c9342881f4ac315d8159832ce7ab970469 Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Thu, 23 Jan 2014 21:59:39 +0000 Subject: [PATCH 3/4] Accepting request 214983 from home:weberho:branches:security - action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816 - lsof was required for fail2ban's SysVinit scripts only. Not longer used for newer versions of openSUSE OBS-URL: https://build.opensuse.org/request/show/214983 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=41 --- fail2ban.changes | 8 +++++++ fail2ban.spec | 6 ++++- fix-for-upstream-firewallcmd-ipset.conf.patch | 23 +++++++++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 fix-for-upstream-firewallcmd-ipset.conf.patch diff --git a/fail2ban.changes b/fail2ban.changes index 38d6489..418f4b0 100644 --- a/fail2ban.changes +++ b/fail2ban.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at + +- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816 + +- lsof was required for fail2ban's SysVinit scripts only. Not longer used for + newer versions of openSUSE + ------------------------------------------------------------------- Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at diff --git a/fail2ban.spec b/fail2ban.spec index c7fec0a..f4ae0c1 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -27,6 +27,8 @@ License: GPL-2.0+ Group: Productivity/Networking/Security Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 %if 0%{?suse_version} < 1230 +# the init-script requires lsof +Requires: lsof Source1: %{name}.init %endif Source2: %{name}.sysconfig @@ -35,10 +37,11 @@ Source3: %{name}.logrotate Source4: %{name}.service Source5: %{name}.tmpfiles %endif +# PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816 +Patch0: fix-for-upstream-firewallcmd-ipset.conf.patch Requires: cron Requires: iptables Requires: logrotate -Requires: lsof Requires: python >= 2.5 %if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 Requires: python-pyinotify @@ -62,6 +65,7 @@ files such as sshd or Apache web server ones. %prep %setup +%patch0 -p1 # correct doc-path sed -i -e 's|/usr/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py diff --git a/fix-for-upstream-firewallcmd-ipset.conf.patch b/fix-for-upstream-firewallcmd-ipset.conf.patch new file mode 100644 index 0000000..5cffb45 --- /dev/null +++ b/fix-for-upstream-firewallcmd-ipset.conf.patch 
@@ -0,0 +1,23 @@ +diff -ur fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf +--- fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf 2014-01-16 09:20:14.000000000 +0100 ++++ fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf 2014-01-23 22:43:53.115263616 +0100 +@@ -25,8 +25,6 @@ + ipset flush fail2ban- + ipset destroy fail2ban- + +-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-$' +- + actionban = ipset add fail2ban- timeout -exist + + actionunban = ipset del fail2ban- -exist +diff -ur fail2ban-0.8.12.orig/THANKS fail2ban-0.8.12/THANKS +--- fail2ban-0.8.12.orig/THANKS 2014-01-21 21:59:49.000000000 +0100 ++++ fail2ban-0.8.12/THANKS 2014-01-23 22:43:53.115263616 +0100 +@@ -30,6 +30,7 @@ + Daniel B. + Daniel Black + David Nutter ++Derek Atkins + Eric Gerbier + Enrico Labedzki + ftoppi From 0b23663b015a89a02dcf80af876907d2af6d8a13bf62ebbe3fdaa959493f5d92 Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Wed, 29 Jan 2014 13:58:23 +0000 Subject: [PATCH 4/4] Accepting request 215523 from home:weberho:branches:security Security note: The update to version 0.8.11 has fixed two additional security issues: A remote unauthenticated attacker may cause arbitrary IP addresses to be blocked by Fail2ban causing legitimate users to be blocked from accessing services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 (postfix) OBS-URL: https://build.opensuse.org/request/show/215523 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=42 --- fail2ban.changes | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fail2ban.changes b/fail2ban.changes index 418f4b0..e39fd22 100644 --- a/fail2ban.changes +++ b/fail2ban.changes 
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at + +Security note: The update to version 0.8.11 has fixed two additional security +issues: A remote unauthenticated attacker may cause arbitrary IP addresses to +be blocked by Fail2ban causing legitimate users to be blocked from accessing +services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 +(postfix) + ------------------------------------------------------------------- Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
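Review bot: In PATCH 1/4, fail2ban.spec hunk "@@ -17,25 +17,7 @@", the removed block contains "PreReq: %fillup_prereq", but the block re-added at "@@ -53,6 +35,23 @@" ends at "BuildRequires: python-devel" without it. The changelog only says "reformatted spec-file", so the drop looks unintentional. The package still lists "%{name}.sysconfig" as Source2, so if the scriptlets call the fillup macros the PreReq should be restored in the moved block; if it is being dropped on purpose, record that in fail2ban.changes.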
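Review bot: In PATCH 1/4, the new 0.8.12 entry in fail2ban.changes ("@@ -1,3 +1,67 @@") has slips that will ship to users as written: "openwebmail" appears twice in the "New filters" list, "to ignore and IP or not" should read "an IP", "name name length" repeats a word, and "creaped", "perfork" and "formating" are misspelled. Since the "Ugly Fixes" block announces renamed actions and jails (firewallcmd-new, mysqld-syslog), it is worth getting this entry exact, because administrators will search it for the old names.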
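Review bot: In PATCH 2/4, fail2ban.logrotate postrotate, "fail2ban-client flushlogs 1>/dev/null || true" masks the exit status, so logrotate reports success even when the server rejects or never receives the command, and fail2ban then keeps its handle on the rotated file. The changelog in PATCH 1/4 introduces "flushlogs" with 0.8.12, so a server that was started from 0.8.11 and not restarted after the upgrade is the case to check: does the package restart the daemon on update? If not, either keep a fallback to the old "set logtarget" call or note the restart requirement. Only stdout is redirected, so stderr will still reach logrotate's output; a one-line comment saying that is intended would help.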
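Review bot: In PATCH 3/4, fix-for-upstream-firewallcmd-ipset.conf.patch carries a second hunk against THANKS (adding "Derek Atkins") that has nothing to do with the actioncheck fix named in the "PATCH-FIX-UPSTREAM ... rh#1046816" comment. Drop the THANKS hunk so the patch touches only config/action.d/firewallcmd-ipset.conf and is easy to retire when upstream releases the fix. On the remaining hunk: the actioncheck line is deleted rather than replaced, so nothing verifies the action's state before actionban runs. If upstream has a working check, prefer backporting it; otherwise say in the spec comment that the check is intentionally absent.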
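Review bot: In PATCH 4/4, the added fail2ban.changes entry starts with bare text ("Security note: The update to version 0.8.11 ...") instead of the "- " item prefix used by every other entry in this file. Make it a regular item ("- Security note: ..." with indented continuation lines) so changelog tooling and readers treat it like the rest. It would also read more clearly with each CVE on its own line next to the filter it concerns (CVE-2013-7177 for cyrus-imap, CVE-2013-7176 for postfix), since the note describes a fix delivered in the earlier 0.8.11 update rather than in this revision.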