rpm/fail2ban
SHA256
1
0
Fork 0
forked from pool/fail2ban
Code Pull Requests Activity
0b23663b01
fail2ban/fail2ban.changes
Johannes Weberhofer 0b23663b01 Accepting request 215523 from home:weberho:branches:security 
Security note: The update to version 0.8.11 has fixed two additional security
issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
be blocked by Fail2ban causing legitimate users to be blocked from accessing
services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
(postfix)

OBS-URL: https://build.opensuse.org/request/show/215523
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=42
2014-01-29 13:58:23 +00:00

458 lines
20 KiB
Plaintext
Raw Blame History

-------------------------------------------------------------------
Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
Security note: The update to version 0.8.11 has fixed two additional security
issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
be blocked by Fail2ban causing legitimate users to be blocked from accessing
services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
(postfix)
-------------------------------------------------------------------
Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
newer versions of openSUSE
-------------------------------------------------------------------
Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at
- Reviewed and fixed github references in the changelog
-------------------------------------------------------------------
Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at
- Use new flushlogs syntax after logrotate
-------------------------------------------------------------------
Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
- Update to version 0.8.12
* Log rotation can now occur with the command "flushlogs" rather than
reloading fail2ban or keeping the logtarget settings consistent in
jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
* Added ignorecommand option for allowing dynamic determination as to ignore
and IP or not.
* Remove indentation of name and loglevel while logging to SYSLOG to resolve
syslog(-ng) parsing problems. (dep#730202). Log lines now also
report "[PID]" after the name portion too.
* Epoch dates can now be enclosed within []
* New actions: badips, firewallcmd-ipset, ufw, blocklist_de
* New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
ejabberd, openwebmail, groupoffice
* Filter improvements:
- apache-noscript now includes php cgi scripts
- exim-spam filter to match spamassassin log entry for option SAdevnull.
- Added to sshd filter expression for
"Received disconnect from : 3: Auth fail"
- Improved ACL-handling for Asterisk
- Added improper command pipelining to postfix filter.
* General fixes:
- Added lots of jail.conf entries for missing filters that creaped in
over the last year.
- synchat changed to use push method which verifies whether all data was
send. This ensures that all data is sent before closing the connection.
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
2.4 compatible)
- Complain/email actions fixed to only include relevant IPs to reporting
* Filter fixes:
- Added HTTP referrer bit of the apache access log to the apache filters.
- Apache 2.4 perfork regexes fixed
- Kernel syslog expression can have leading spaces
- allow for ",milliseconds" in the custom date format of proftpd.log
- recidive jail to block all protocols
- smtps not a IANA standard so may be missing from /etc/services. Due to
(still) common use 465 has been used as the explicit port number
- Filter dovecot reordered session and TLS items in regex with wider scope
for session characters
* Ugly Fixes (Potentially incompatible changes):
- Unfortunately at the end of last release when the action
firewall-cmd-direct-new was added it was too long and had a broken action
check. The action was renamed to firewallcmd-new to fit within jail name
name length. (gh#fail2ban/fail2ban#395).
- Last release added mysqld-syslog-iptables as a jail configuration. This
jailname was too long and it has been renamed to mysqld-syslog.
- Fixed formating of github references in changelog
- reformatted spec-file
-------------------------------------------------------------------
Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
- Update to version 0.8.11
- In light of CVE-2013-2178 that triggered our last release we have put a
significant effort into tightening all of the regexs of our filters to avoid
another similar vulnerability. We haven't examined all of these for a potential
DoS scenario however it is possible that another DoS vulnerability exists that
is fixed by this release. A large number of filters have been updated to
include more failure regexs supporting previously unbanned failures and support
newer application versions too. We have test cases for most of these now
however if you have other examples that demonstrate that a filter is
insufficient we welcome your feedback. During the tightening of the regexs to
avoid DoS vulnerabilities there is the possibility that we have inadvertently,
despite our best intentions, incorrectly allowed a failure to continue.
-------------------------------------------------------------------
Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net
- Added systemd service file and systemd-tmpfiles configuration
-------------------------------------------------------------------
Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
by "bugs" in apache- filters. If you are relying on listed below apache-
filters, upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd5781]. The bug's decription can be found in
https://vndh.net/note:fail2ban-089-denial-service
- Fixes
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
failregex at the beginning (and where applicable at the end).
Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
* action.d/{route,shorewall}.conf - blocktype must be defined
within [Init]. Closes gh#fail2ban/fail2ban#232
- Enhancements
* jail.conf -- assure all jails have actions and remove unused
ports specifications
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
* files/suse-initd -- update to the copy from stock SUSE
* Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
gh#fail2ban/fail2ban#230.
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
gh#fail2ban/fail2ban#244.
------------------------------------------------------------------
Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at
- Included logrotate configuration for fail2ban
-------------------------------------------------------------------
Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
- Init-Script does no longer require $syslog to be started as file-base logging
is the default. Synced with Debian script.
- Upgrade to version 0.8.9
- Fixes: Yaroslav Halchenko
* [6f4dad46] python-2.4 is the minimal version.
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
bug report.
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
insight. Closes gh#fail2ban/fail2ban#103.
* [ab044b75] delay check for the existence of config directory until read.
* [3b4084d4] fixing up for handling of TAI64N timestamps.
* [154aa38e] do not shutdown logging until all jails stop.
* [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
troubleshooting. Orion Poplawski
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
newly created directories.
Nicolas Collignon
* [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
Sergey Brester
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
sorting template list.
Steven Hiscocks
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
* [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
Daniel Black
* [f0610c01] Allow more that a one word command when changing and Action via
the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
blotus
* [96eb8986] ' and " should also be escaped in action tags Closes
gh#fail2ban/fail2ban#109
Christoph Theis, Nick Hilliard, Daniel Black
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
- New features:
Yaroslav Halchenko
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
to provide additional flexibility to system adminstrators. Thanks to
beilber for the idea. Closes gh#fail2ban/fail2ban#114.
* [3ce53e87] Add exim filter.
Erwan Ben Souiden
* [d7d5228] add nagios integration documentation and script to ensure
fail2ban is running. Closes gh#fail2ban/fail2ban#166.
Artur Penttinen
* [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
ArndRaphael Brandes
* [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
Michael Gebetsriother
* [f9b78ba] Add action route to block at routing level.
Teodor Micu & Yaroslav Halchenko
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
Daniel Black
* [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
* [b6d0e8a] Add and enhance the bsd-ipfw action from
FreeBSD ports.
Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
Steven Hiscocks
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
Nick Hilliard
* [0c5a9c5] Add pf action.
- Enhancements:
Enrico Labedzki
* [24a8d07] Added new date format for ASSP SMTP Proxy.
Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh#fail2ban/fail2ban#172.
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
* [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
* [ce3ab34] Added ability to specify PID file.
Orion Poplawski
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
Closes gh#fail2ban/fail2ban#142.
Yaroslav Halchenko
* [MANY] Lots of improvements to log messages, man pages and test cases.
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
* [40c5a2d] adding more of diagnostic messages into -client while starting
the daemon.
* [8e63d4c] Compare against None with 'is' instead of '=='.
* [6fef85f] Strip CR and LF while analyzing the log line
Daniel Black
* [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
* [MANY] man page edits.
* [7cd6dab] Added help command to fail2ban-client.
* [c8c7b0b,23bbc60] Better logging of log file read errors.
* [3665e6d] Added code coverage to development process.
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
source. Also include BSD changes.
* [1d9abd1] Action files can have tags in definition that refer to other
tags.
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
unreachable rather than just a drop of the packet.
Pascal Borreli
* [a2b29b4] Fixed lots of typos in config files and documentation.
hamilton5
* [7ede1e8] Update dovecot filter config.
Romain Riviere
* [0ac8746] Enhance named-refused filter for views.
James Stout
* [..2143cdf] Solaris support enhancements:
- README.Solaris
- failregex'es tune ups (sshd.conf)
- hostsdeny: do not rely on support of '-i' in sed
-------------------------------------------------------------------
Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at
One of the important changes is escaping of the <matches> content -- so if you
crafted some custom action which uses it -- you must upgrade, or you
would be at a significant security risk.
- Fixes:
Alan Jenkins
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
Yaroslav Halchenko
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
Close gh#fail2ban/fail2ban#83
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
in the console. Close gh#fail2ban/fail2ban#91
- New features:
David Engeset
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
the log file to take 'banip' or 'unbanip' in effect.
Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
- Enhancements:
* [2d66f31] replaced uninformative "Invalid command" message with warning log
exception why command actually failed
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
system-wide run
* [f52ba99] downgraded "already banned" from WARN to INFO level.
Closes gh#fail2ban/fail2ban#79
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
for this gh#fail2ban/fail2ban#87)
* Various others: travis-ci integration, script to run tests
against all available Python versions, etc
-------------------------------------------------------------------
Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at
- Fixed initscript as discussed in bnc#790557
-------------------------------------------------------------------
Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com
- use Source URL pointing to github
-------------------------------------------------------------------
Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at
- Do not longer replace main config-files
- Use variables for directories in spec file
-------------------------------------------------------------------
Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at
- Added dependencies to python-pyinotifyi, python-gamin and iptables
-------------------------------------------------------------------
Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
- Upgraded to version 0.8.7.1
- Yaroslav Halchenko
* [e9762f3] Removed sneaked in comment on sys.path.insert
Tom Hendrikx & Jeremy Olexa
* [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
* [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
rather than just one failure.
- Yaroslav Halchenko
* [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
* [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
* [ed16ecc] enforce "ip" field returned as str, not unicode so that log
message stays non-unicode. Close gh#fail2ban/fail2ban#32
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
already present in the pattern
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
* [80b191c] anchor grep regexp in actioncheck to not match partial names
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
- New features:
- François Boulogne
* [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
* [e442503] pyinotify backend (default if backend='auto' and pyinotify
is available)
* [d73a71f,3989d24] usedns parameter for the jails to allow disabling
use of DNS
- Tom Hendrikx
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
repeated offenders. Close gh#fail2ban/fail2ban#19
- Xavier Devlamynck
* [7d465f9..] Add asterisk support
- Zbigniew Jedrzejewski-Szmek
* [de502cf..] allow running fail2ban as non-root user (disabled by
default) via xt_recent. See doc/run-rootless.txt
- Enhancements
- Lee Clemens
* [47c03a2] files/nagios - spelling/grammar fixes
* [b083038] updated Free Software Foundation's address
* [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
* [642d9af,3282f86] reformated printing of jail's name to be consistent
with init's info messages
* [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
* [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
to reflect code
* [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
* [4007751] catch failed ssh logins due to being listed in DenyUsers.
Close gh#fail2ban/fail2ban#47 (Closes: #669063)
- Yaroslav Halchenko
* [MANY] extended and robustified unittests: test different backends
* [d9248a6] refactored Filter's to avoid duplicate functionality
* [7821174] direct users to issues on github
* [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
default with -v to control verbosity
* [b4099da] adjusted header for config/*.conf to mention .local and way
to comment (Thanks Stefano Forli for the note)
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
of DoS-prone auth.log's rhost (Closes: #514239)
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
sshd filter (Closes: #648020)
- Yehuda Katz & Yaroslav Halchenko
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
-------------------------------------------------------------------
Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de
- Adding to fail2ban.init remove of pid and sock files on stop
in case not removed before (prevents start fail)
-------------------------------------------------------------------
Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at
- Update to version 0.8.6. containing various fixes and enhancements
-------------------------------------------------------------------
Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com
- Update to version 0.8.5: many bug fixes, enhancements and, as
a bonus, drop two patches that are now upstream
- Update FSF address to silent rpmlint warnings
- Drop stale socket files on startup (bnc#537239, bnc#730044)
-------------------------------------------------------------------
Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de
- Apply packaging guidelines (remove redundant/obsolete
tags/sections from specfile, etc.)
-------------------------------------------------------------------
Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com
- Use /var/run/fail2ban instead of /tmp for temp files in
actions: see bugs.debian.org/544232, bnc#690853,
CVE-2009-5023
-------------------------------------------------------------------
Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com
- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
- Clean up sysconfig file
-------------------------------------------------------------------
Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org
- Use O_CLOEXEC on fds (patch from Fedora)
-------------------------------------------------------------------
Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com
- Create /var/run/fail2ban during startup to support systems that
mount /var/run as tmpfs
- Build package as noarch
- Spec file cleanup: fix a couple of rpmlint warnings
- Init script: look for fail2ban-server when checking if the
daemon is running
-------------------------------------------------------------------
Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com
- Update to version 0.8.4. Important changes:
* New "Ban IP" command
* New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
* Fixed the 'unexpected communication error' problem
* Remove socket file on startup if fail2ban crashed (bnc#537239)
-------------------------------------------------------------------
Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de
- Initial version: 0.8.3
View Git Blame Copy Permalink