Hello community, here is the log from the commit of package fail2ban for openSUSE:11.3 checked in at Wed Oct 19 16:13:26 CEST 2011.
-------- --- old-versions/11.3/all/fail2ban/fail2ban.changes 2010-05-05 19:13:28.000000000 +0200 +++ 11.3/fail2ban/fail2ban.changes 2011-09-01 16:09:20.000000000 +0200 @@ -1,0 +2,18 @@ +Thu Sep 1 14:07:28 UTC 2011 - [email protected] + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - [email protected] + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - [email protected] + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/fail2ban Destination is old-versions/11.3/UPDATES/all/fail2ban calling whatdependson for 11.3-i586 New: ---- fail2ban-0.8.2-fd_cloexec.patch fix-tmp-usage.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ --- /var/tmp/diff_new_pack.9hcTNH/_old 2011-10-19 16:11:48.000000000 +0200 +++ /var/tmp/diff_new_pack.9hcTNH/_new 2011-10-19 16:11:48.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package fail2ban (Version 0.8.4) +# spec file for package fail2ban # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ PreReq: %fillup_prereq AutoReqProv: on Version: 0.8.4 -Release: 2 +Release: 5.<RELEASE2> Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch 
@@ -34,6 +34,8 @@ Source0: http://download.sourceforge.net/sourceforge/fail2ban/%{name}-%{version}.tar.bz2 Source1: %{name}.init Source2: %{name}.sysconfig +Patch: fail2ban-0.8.2-fd_cloexec.patch +Patch1: fix-tmp-usage.diff %description Fail2ban scans log files like /var/log/messages and bans IP addresses @@ -51,6 +53,8 @@ %prep %setup perl -pi -e 's;/usr/local/;/usr/;g' files/suse-initd +%patch -p1 +%patch1 -p1 %build export CFLAGS="$RPM_OPT_FLAGS" ++++++ fail2ban-0.8.2-fd_cloexec.patch ++++++ --- fail2ban-0.8.2/server/filter.py.orig 2008-03-27 16:26:59.000000000 +0000 +++ fail2ban-0.8.2/server/filter.py 2008-03-27 15:29:48.000000000 +0000 @@ -428,6 +428,7 @@ # is computed and compared to the previous hash of this line. import md5 +import fcntl class FileContainer: @@ -455,6 +456,11 @@ def open(self): self.__handler = open(self.__filename) + + # Set the file descriptor to be FD_CLOEXEC + fd = self.__handler.fileno() + fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC) + firstLine = self.__handler.readline() # Computes the MD5 of the first line. myHash = md5.new(firstLine).digest() ++++++ fail2ban.init ++++++ --- /var/tmp/diff_new_pack.9hcTNH/_old 2011-10-19 16:11:48.000000000 +0200 +++ /var/tmp/diff_new_pack.9hcTNH/_new 2011-10-19 16:11:48.000000000 +0200 @@ -66,7 +66,7 @@ fi ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. - startproc $FAIL2BAN_CLI -q start > /dev/null 2>&1 + startproc $FAIL2BAN_CLI -q $FAIL2BAN_OPTIONS start > /dev/null 2>&1 # Remember status and be verbose rc_status -v ++++++ fail2ban.sysconfig ++++++ --- /var/tmp/diff_new_pack.9hcTNH/_old 2011-10-19 16:11:48.000000000 +0200 +++ /var/tmp/diff_new_pack.9hcTNH/_new 2011-10-19 16:11:48.000000000 +0200 
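Review bot: In the lines added to `FileContainer.open` (fail2ban-0.8.2-fd_cloexec.patch, hunk `@@ -455,6 +456,11 @@`), the value written with `F_SETFD` is `fd | fcntl.FD_CLOEXEC`, which ORs the descriptor number, not the descriptor's current flags, with the close-on-exec bit. On Linux `FD_CLOEXEC` is 1, so the bit still ends up set and the log file handle is not inherited by commands the actions spawn, but the rest of the written value is an accident of the fd number. Read the flags first: `flags = fcntl.fcntl(fd, fcntl.F_GETFD)` followed by `fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)`. This also reuses `fd` instead of calling `self.__handler.fileno()` a second time. The body of `open` continues outside the hunk.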
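Review bot: `$FAIL2BAN_OPTIONS` is added only to the `startproc ... start` line visible in this fail2ban.init hunk. If the variable is used to select a non-default socket or configuration directory (`-s` / `-c`), any stop, reload or status invocations of `$FAIL2BAN_CLI` elsewhere in the script would presumably need the same options to reach the running server; those branches are outside the hunk, so this should be checked there. The unquoted expansion is what allows several options to be passed, so a short comment such as `# FAIL2BAN_OPTIONS is word-split on purpose; set it only in the root-owned sysconfig file` would document that.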
@@ -1,18 +1,10 @@ -## Path: System/Security/Fail2ban -## Description: fail2ban options -## Type: string -## Default: fail2ban +## Path: System/Security/Fail2ban +## Description: fail2ban options +## Type: string +## Default: "" ## ServiceReload: fail2ban ## ServiceRestart: fail2ban # -IDENT="fail2ban" -## Type: string -## Default: "fail2ban daemon" -DESCRIPTIVE="fail2ban daemon" -## Type: string -## Default: "" +# Options for fail2ban # -# change FAIL2BAN_OPTIONS for arguments of start of fail2ban -# e.g. FAIL2BAN_OPTIONS="-c /etc/fail2ban/fail2ban.conf" FAIL2BAN_OPTIONS="" - ++++++ fix-tmp-usage.diff ++++++ From: yarikoptic <yarikoptic@a942ae1a-1317-0410-a47c-b1dcaea8d605> Date: Wed, 23 Mar 2011 20:35:56 +0000 (+0000) Subject: BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs... X-Git-Tag: upstream/0.8.4+svn20110323^2~8 X-Git-Url: http://git.onerussian.com/?p=deb%2Ffail2ban.git;a=commitdiff_plain;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see bugs.debian.org/544232 It should be robust since /var/run/fail2ban is guaranteed to exist to carry the socket file, and it will be owned by root (or some other dedicated fail2ban user) thus avoiding possibility for the exploit git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@767 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index b80698b..8549a55 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -206,5 +206,5 @@ dest = [email protected] # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] Default: /tmp/fail2ban-dshield # -tmpfile = /tmp/fail2ban-dshield +tmpfile = /var/run/fail2ban/tmp-dshield diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 8a33d0e..6fd51d2 100644 --- a/config/action.d/mail-buffered.conf 
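Review bot: The comment above the changed option in dshield.conf still reads `Default: /tmp/fail2ban-dshield`, and mynetwatchman.conf likewise keeps `Default: /tmp/fail2ban-mynetwatchman`, so the documented default now contradicts the value and points administrators back at the world-writable location this fix moves away from. Update them to match, e.g. `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield`. The file names remain predictable, so the protection rests entirely on /var/run/fail2ban being writable only by root or the dedicated fail2ban user, as the commit message assumes. Nothing in the visible spec or init hunks creates the directory or sets its mode and ownership, so it is worth confirming that the package does so, including after a reboot where /var/run is cleared.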
+++ b/config/action.d/mail-buffered.conf @@ -81,7 +81,7 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt # Destination/Addressee of the mail # diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 15b91b1..f0e5515 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf @@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp # Notes.: Base name of temporary files # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman # -tmpfile = /tmp/fail2ban-mynetwatchman +tmpfile = /var/run/fail2ban/tmp-mynetwatchman diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index de8166a..25a23b7 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf @@ -101,5 +101,5 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
