fail2ban/fail2ban.changes

-------------------------------------------------------------------
Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at

- Update to version 0.8.11

- In light of CVE-2013-2178 that triggered our last release we have put a
  significant effort into tightening all of the regexs of our filters to avoid
  another similar vulnerability. We haven't examined all of these for a potential
  DoS scenario however it is possible that another DoS vulnerability exists that
  is fixed by this release. A large number of filters have been updated to
  include more failure regexs supporting previously unbanned failures and support
  newer application versions too. We have test cases for most of these now
  however if you have other examples that demonstrate that a filter is
  insufficient we welcome your feedback. During the tightening of the regexs to
  avoid DoS vulnerabilities there is the possibility that we have inadvertently,
  despite our best intentions, incorrectly allowed a failure to continue.

-------------------------------------------------------------------
Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net

- Added systemd service file and systemd-tmpfiles configuration

-------------------------------------------------------------------
Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at

- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
  by "bugs" in apache- filters.  If you are relying on listed below apache-
  filters, upgrade asap and seek your distributions to patch their fail2ban
  distribution with [6ccd5781]. The bug's decription can be found in
  https://vndh.net/note:fail2ban-089-denial-service

- Fixes
  * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
    failregex at the beginning (and where applicable at the end).
    Addresses a possible DoS. Closes gh-248, bnc#824710
  * action.d/{route,shorewall}.conf - blocktype must be defined
    within [Init].  Closes gh-232

- Enhancements
  * jail.conf -- assure all jails have actions and remove unused
    ports specifications
  * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
  * files/suse-initd -- update to the copy from stock SUSE
  * Updates to asterisk filter. Closes gh-227/gh-230.
  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.

------------------------------------------------------------------
Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at

- Included logrotate configuration for fail2ban

-------------------------------------------------------------------
Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at

- Init-Script does no longer require $syslog to be started as file-base logging
  is the default. Synced with Debian script.

- Upgrade to version 0.8.9

- Fixes: Yaroslav Halchenko
   * [6f4dad46] python-2.4 is the minimal version.
   * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
     on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
   * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
     insight. Closes gh-103.
   * [ab044b75] delay check for the existence of config directory until read.
   * [3b4084d4] fixing up for handling of TAI64N timestamps.
   * [154aa38e] do not shutdown logging until all jails stop.
   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
     Thanks to Jon Foster for report and troubleshooting.
  Orion Poplawski
   * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
     newly created directories.
  Nicolas Collignon
   * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
  Sergey Brester
   * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
     sorting template list.
  Steven Hiscocks
   * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
     Closes gh-147, gh-148.
   * [b6a68f51] Fix delaction on server side. Closes gh-124.
  Daniel Black
   * [f0610c01] Allow more that a one word command when changing and Action via
     the fail2ban-client. Closes gh-134.
   * [945ad3d9] Fix dates on email actions to work in different locals. Closes
     gh-70. Thanks to iGeorgeX for the idea.
  blotus
   * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
  Christoph Theis, Nick Hilliard, Daniel Black
   * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
- New features:
  Yaroslav Halchenko
   * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
     to provide additional flexibility to system adminstrators. Thanks to
     beilber for the idea. Closes gh-114.
   * [3ce53e87] Add exim filter.
  Erwan Ben Souiden
   * [d7d5228] add nagios integration documentation and script to ensure
     fail2ban is running. Closes gh-166.
  Artur Penttinen
   * [29d0df5] Add mysqld filter. Closes gh-152.
  ArndRaphael Brandes
   * [bba3fd8] Add Sogo filter. Closes gh-117.
  Michael Gebetsriother
   * [f9b78ba] Add action route to block at routing level.
  Teodor Micu & Yaroslav Halchenko
   * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
  Daniel Black
   * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
  Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
   * [b6d0e8a] Add and enhance the bsd-ipfw action from
     FreeBSD ports.
  Soulard Morgan
   * [f336d9f] Add filter for webmin. Closes gh-99.
  Steven Hiscocks
   * [..746c7d9] bash interactive shell completions for fail2ban-*'s
  Nick Hilliard
   * [0c5a9c5] Add pf action.
- Enhancements:
  Enrico Labedzki
   * [24a8d07] Added new date format for ASSP SMTP Proxy.
  Steven Hiscocks
   * [3d6791f] Ensure restart of Actions after a check fails occurs
     consistently. Closes gh-172.
   * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
   * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
   * [ce3ab34] Added ability to specify PID file.
  Orion Poplawski
   * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
     Closes gh-142.
  Yaroslav Halchenko
   * [MANY] Lots of improvements to log messages, man pages and test cases.
   * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
     Closes gh-126. Bug report by Michael Heuberger.
   * [40c5a2d] adding more of diagnostic messages into -client while starting
     the daemon.
   * [8e63d4c] Compare against None with 'is' instead of '=='.
   * [6fef85f] Strip CR and LF while analyzing the log line
  Daniel Black
   * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
   * [MANY] man page edits.
   * [7cd6dab] Added help command to fail2ban-client.
   * [c8c7b0b,23bbc60] Better logging of log file read errors.
   * [3665e6d] Added code coverage to development process.
   * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
     source. Also include BSD changes.
   * [1d9abd1] Action files can have tags in definition that refer to other
     tags.
   * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
     unreachable rather than just a drop of the packet.
  Pascal Borreli
   * [a2b29b4] Fixed lots of typos in config files and documentation.
  hamilton5
   * [7ede1e8] Update dovecot filter config.
  Romain Riviere
   * [0ac8746] Enhance named-refused filter for views.
  James Stout
   * [..2143cdf] Solaris support enhancements:
     - README.Solaris
     - failregex'es tune ups (sshd.conf)
     - hostsdeny: do not rely on support of '-i' in sed

-------------------------------------------------------------------
Thu Dec  6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at

One of the important changes is escaping of the <matches> content -- so if you
crafted some custom action which uses it -- you must upgrade, or you
would be at a significant security risk.

- Fixes:
  Alan Jenkins
   * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
     banning due to misconfigured DNS. Close gh-64
  Yaroslav Halchenko
   * [83109bc] IMPORTANT: escape the content of <matches> (if used in
     custom action files) since its value could contain arbitrary
     symbols.  Thanks for discovery go to the NBS System security
     team
   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83
   * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
   * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
     in the console. Close gh-91

- New features:
  David Engeset
   * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
     the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86

- Enhancements:
   * [2d66f31] replaced uninformative "Invalid command" message with warning log
     exception why command actually failed
   * [958a1b0] improved failregex to "support" auth.backend = "htdigest"
   * [9e7a3b7] until we make it proper module -- adjusted sys.path only if
     system-wide run
   * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
   * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
     for this gh-87)
   * Various others: travis-ci integration, script to run tests
     against all available Python versions, etc

-------------------------------------------------------------------
Mon Dec  3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at

- Fixed initscript as discussed in bnc#790557

-------------------------------------------------------------------
Wed Oct  3 09:53:40 UTC 2012 - meissner@suse.com

- use Source URL pointing to github

-------------------------------------------------------------------
Tue Oct  2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at

- Do not longer replace main config-files
- Use variables for directories in spec file

-------------------------------------------------------------------
Tue Oct  2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at

- Added dependencies to python-pyinotifyi, python-gamin and iptables

-------------------------------------------------------------------
Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at

- Upgraded to version 0.8.7.1

- Yaroslav Halchenko
  * [e9762f3] Removed sneaked in comment on sys.path.insert
    Tom Hendrikx & Jeremy Olexa
  * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
    See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
  * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
    rather than just one failure.
- Yaroslav Halchenko
  * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
  * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
  * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
    message stays non-unicode. Close gh-32
  * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
    already present in the pattern
  * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
    friend to developers stuck with Windows (Closes gh-66)
  * [80b191c] anchor grep regexp in actioncheck to not match partial names
    of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
- New features:
- François Boulogne
  * [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
  * [e442503] pyinotify backend (default if backend='auto' and pyinotify
    is available)
  * [d73a71f,3989d24] usedns parameter for the jails to allow disabling
    use of DNS
- Tom Hendrikx
  * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
    repeated offenders. Close gh-19
- Xavier Devlamynck
  * [7d465f9..] Add asterisk support
- Zbigniew Jedrzejewski-Szmek
  * [de502cf..] allow running fail2ban as non-root user (disabled by
    default) via xt_recent. See doc/run-rootless.txt
- Enhancements
- Lee Clemens
  * [47c03a2] files/nagios - spelling/grammar fixes
  * [b083038] updated Free Software Foundation's address
  * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
  * [642d9af,3282f86] reformated printing of jail's name to be consistent
    with init's info messages
  * [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
  * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
    to reflect code
  * [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
  * [4007751] catch failed ssh logins due to being listed in DenyUsers.
    Close gh-47 (Closes: #669063)
- Yaroslav Halchenko
  * [MANY]    extended and robustified unittests: test different backends
  * [d9248a6] refactored Filter's to avoid duplicate functionality
  * [7821174] direct users to issues on github
  * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
    default with -v to control verbosity
  * [b4099da] adjusted header for config/*.conf to mention .local and way
    to comment (Thanks Stefano Forli for the note)
  * [6ad55f6] added failregex for wu-ftpd to match against syslog instead
    of DoS-prone auth.log's rhost (Closes: #514239)
  * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
    sshd filter (Closes: #648020)
- Yehuda Katz & Yaroslav Halchenko
  * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers

-------------------------------------------------------------------
Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de

- Adding to fail2ban.init remove of pid and sock files on stop 
  in case not removed before (prevents start fail)

-------------------------------------------------------------------
Sun Jun  3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at

- Update to version 0.8.6. containing various fixes and enhancements

-------------------------------------------------------------------
Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com

- Update to version 0.8.5: many bug fixes, enhancements and, as
  a bonus, drop two patches that are now upstream
- Update FSF address to silent rpmlint warnings
- Drop stale socket files on startup (bnc#537239, bnc#730044)

-------------------------------------------------------------------
Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de

- Apply packaging guidelines (remove redundant/obsolete
  tags/sections from specfile, etc.)

-------------------------------------------------------------------
Thu Sep  1 14:07:28 UTC 2011 - coolo@suse.com

- Use /var/run/fail2ban instead of /tmp for temp files in
  actions: see bugs.debian.org/544232, bnc#690853,
  CVE-2009-5023

-------------------------------------------------------------------
Thu Jan  6 16:56:30 UTC 2011 - lchiquitto@suse.com

- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
- Clean up sysconfig file

-------------------------------------------------------------------
Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org

- Use O_CLOEXEC on fds (patch from Fedora)

-------------------------------------------------------------------
Wed May  5 16:48:46 UTC 2010 - lchiquitto@suse.com

- Create /var/run/fail2ban during startup to support systems that
  mount /var/run as tmpfs
- Build package as noarch
- Spec file cleanup: fix a couple of rpmlint warnings
- Init script: look for fail2ban-server when checking if the
  daemon is running

-------------------------------------------------------------------
Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com

- Update to version 0.8.4. Important changes:
  * New "Ban IP" command
  * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
  * Fixed the 'unexpected communication error' problem
  * Remove socket file on startup if fail2ban crashed (bnc#537239)

-------------------------------------------------------------------
Wed Feb  4 18:19:39 CET 2009 - kssingvo@suse.de

- Initial version: 0.8.3