Hello community, here is the log from the commit of package fail2ban.2613 for openSUSE:12.3:Update checked in at 2014-03-08 19:50:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/fail2ban.2613 (Old) and /work/SRC/openSUSE:12.3:Update/.fail2ban.2613.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fail2ban.2613" Changes: -------- New Changes file: --- /dev/null 2014-02-13 01:09:38.344032506 +0100 +++ /work/SRC/openSUSE:12.3:Update/.fail2ban.2613.new/fail2ban.changes 2014-03-08 19:50:21.000000000 +0100 
@@ -0,0 +1,457 @@ +------------------------------------------------------------------- +Wed Jan 29 13:48:38 UTC 2014 - [email protected] + +Security note: The update to version 0.8.11 has fixed two additional security +issues: A remote unauthenticated attacker may cause arbitrary IP addresses to +be blocked by Fail2ban causing legitimate users to be blocked from accessing +services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 +(postfix) + +------------------------------------------------------------------- +Thu Jan 23 21:35:27 UTC 2014 - [email protected] + +- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816 + +- lsof was required for fail2ban's SysVinit scripts only. Not longer used for + newer versions of openSUSE + +------------------------------------------------------------------- +Thu Jan 23 08:40:40 UTC 2014 - [email protected] + +- Reviewed and fixed github references in the changelog + +------------------------------------------------------------------- +Wed Jan 22 09:27:43 UTC 2014 - [email protected] + +- Use new flushlogs syntax after logrotate + +------------------------------------------------------------------- +Wed Jan 22 08:50:05 UTC 2014 - [email protected] + +- Update to version 0.8.12 + + * Log rotation can now occur with the command "flushlogs" rather than + reloading fail2ban or keeping the logtarget settings consistent in + jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798). + + * Added ignorecommand option for allowing dynamic determination as to ignore + and IP or not. + + * Remove indentation of name and loglevel while logging to SYSLOG to resolve + syslog(-ng) parsing problems. (dep#730202). Log lines now also + report "[PID]" after the name portion too. 
+ + * Epoch dates can now be enclosed within [] + + * New actions: badips, firewallcmd-ipset, ufw, blocklist_de + + * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid, + ejabberd, openwebmail, groupoffice + + * Filter improvements: + - apache-noscript now includes php cgi scripts + - exim-spam filter to match spamassassin log entry for option SAdevnull. + - Added to sshd filter expression for + "Received disconnect from : 3: Auth fail" + - Improved ACL-handling for Asterisk + - Added improper command pipelining to postfix filter. + + * General fixes: + - Added lots of jail.conf entries for missing filters that creaped in + over the last year. + - synchat changed to use push method which verifies whether all data was + send. This ensures that all data is sent before closing the connection. + - Fixed python 2.4 compatibility (as sub-second in date patterns weren't + 2.4 compatible) + - Complain/email actions fixed to only include relevant IPs to reporting + + * Filter fixes: + - Added HTTP referrer bit of the apache access log to the apache filters. + - Apache 2.4 perfork regexes fixed + - Kernel syslog expression can have leading spaces + - allow for ",milliseconds" in the custom date format of proftpd.log + - recidive jail to block all protocols + - smtps not a IANA standard so may be missing from /etc/services. Due to + (still) common use 465 has been used as the explicit port number + - Filter dovecot reordered session and TLS items in regex with wider scope + for session characters + + * Ugly Fixes (Potentially incompatible changes): + + - Unfortunately at the end of last release when the action + firewall-cmd-direct-new was added it was too long and had a broken action + check. The action was renamed to firewallcmd-new to fit within jail name + name length. (gh#fail2ban/fail2ban#395). + + - Last release added mysqld-syslog-iptables as a jail configuration. This + jailname was too long and it has been renamed to mysqld-syslog. 
+ +- Fixed formating of github references in changelog +- reformatted spec-file + +------------------------------------------------------------------- +Thu Nov 14 05:14:35 UTC 2013 - [email protected] + +- Update to version 0.8.11 + +- In light of CVE-2013-2178 that triggered our last release we have put a + significant effort into tightening all of the regexs of our filters to avoid + another similar vulnerability. We haven't examined all of these for a potential + DoS scenario however it is possible that another DoS vulnerability exists that + is fixed by this release. A large number of filters have been updated to + include more failure regexs supporting previously unbanned failures and support + newer application versions too. We have test cases for most of these now + however if you have other examples that demonstrate that a filter is + insufficient we welcome your feedback. During the tightening of the regexs to + avoid DoS vulnerabilities there is the possibility that we have inadvertently, + despite our best intentions, incorrectly allowed a failure to continue. + +------------------------------------------------------------------- +Sat Sep 21 11:38:29 UTC 2013 - [email protected] + +- Added systemd service file and systemd-tmpfiles configuration + +------------------------------------------------------------------- +Thu Jun 13 08:58:53 UTC 2013 - [email protected] + +- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered + by "bugs" in apache- filters. If you are relying on listed below apache- + filters, upgrade asap and seek your distributions to patch their fail2ban + distribution with [6ccd5781]. The bug's decription can be found in + https://vndh.net/note:fail2ban-089-denial-service + +- Fixes + * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor + failregex at the beginning (and where applicable at the end). + Addresses a possible DoS. 
Closes gh#fail2ban/fail2ban#248, bnc#824710 + * action.d/{route,shorewall}.conf - blocktype must be defined + within [Init]. Closes gh#fail2ban/fail2ban#232 + +- Enhancements + * jail.conf -- assure all jails have actions and remove unused + ports specifications + * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ + * files/suse-initd -- update to the copy from stock SUSE + * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227, + gh#fail2ban/fail2ban#230. + * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes + gh#fail2ban/fail2ban#244. + +------------------------------------------------------------------ +Tue May 28 06:46:54 UTC 2013 - [email protected] + +- Included logrotate configuration for fail2ban + +------------------------------------------------------------------- +Tue May 14 10:06:35 UTC 2013 - [email protected] + +- Init-Script does no longer require $syslog to be started as file-base logging + is the default. Synced with Debian script. + +- Upgrade to version 0.8.9 + +- Fixes: Yaroslav Halchenko + * [6f4dad46] python-2.4 is the minimal version. + * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. + on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the + bug report. + * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for + insight. Closes gh#fail2ban/fail2ban#103. + * [ab044b75] delay check for the existence of config directory until read. + * [3b4084d4] fixing up for handling of TAI64N timestamps. + * [154aa38e] do not shutdown logging until all jails stop. + * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes + gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and + troubleshooting. Orion Poplawski + * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking + newly created directories. + Nicolas Collignon + * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167. 
+ Sergey Brester + * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of + sorting template list. + Steven Hiscocks + * [7a442f07] When changing log target with python2.{4,5} handle KeyError. + Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148. + * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124. + Daniel Black + * [f0610c01] Allow more that a one word command when changing and Action via + the fail2ban-client. Closes gh#fail2ban/fail2ban#134. + * [945ad3d9] Fix dates on email actions to work in different locals. Closes + gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. + blotus + * [96eb8986] ' and " should also be escaped in action tags Closes + gh#fail2ban/fail2ban#109 + Christoph Theis, Nick Hilliard, Daniel Black + * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD +- New features: + Yaroslav Halchenko + * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} + to provide additional flexibility to system adminstrators. Thanks to + beilber for the idea. Closes gh#fail2ban/fail2ban#114. + * [3ce53e87] Add exim filter. + Erwan Ben Souiden + * [d7d5228] add nagios integration documentation and script to ensure + fail2ban is running. Closes gh#fail2ban/fail2ban#166. + Artur Penttinen + * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152. ++++ 260 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.fail2ban.2613.new/fail2ban.changes New: ---- fail2ban-0.8.12.tar.bz2 fail2ban.changes fail2ban.init fail2ban.logrotate fail2ban.service fail2ban.spec fail2ban.sysconfig fail2ban.tmpfiles fix-for-upstream-firewallcmd-ipset.conf.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ # # spec file for package fail2ban # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. 
# # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: fail2ban Version: 0.8.12 Release: 0 Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ Group: Productivity/Networking/Security Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 %if 0%{?suse_version} < 1230 # the init-script requires lsof Requires: lsof Source1: %{name}.init %endif Source2: %{name}.sysconfig Source3: %{name}.logrotate %if 0%{?suse_version} >= 1230 Source4: %{name}.service Source5: %{name}.tmpfiles %endif # PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816 Patch0: fix-for-upstream-firewallcmd-ipset.conf.patch Requires: cron Requires: iptables Requires: logrotate Requires: python >= 2.5 %if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 Requires: python-pyinotify %endif %if 0%{?suse_version} >= 1220 Requires: python-gamin %endif %if 0%{?suse_version} >= 1230 %{?systemd_requires} BuildRequires: systemd %endif BuildRequires: logrotate BuildRequires: python-devel %description Fail2ban scans log files like /var/log/messages and bans IP addresses that makes too many password failures. It updates firewall rules to reject the IP address, can send e-mails, or set host.deny entries. These rules can be defined by the user. 
Fail2Ban can read multiple log files such as sshd or Apache web server ones. %prep %setup %patch0 -p1 # correct doc-path sed -i -e 's|/usr/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py %build export CFLAGS="$RPM_OPT_FLAGS" python setup.py build gzip man/*.1 %install python setup.py install \ --root=$RPM_BUILD_ROOT \ --prefix=%{_prefix} install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1 for i in fail2ban-client fail2ban-regex fail2ban-server; do install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1 done install -d -m755 $RPM_BUILD_ROOT/%{_initrddir} install -d -m755 $RPM_BUILD_ROOT/%{_sbindir} %if 0%{?suse_version} < 1230 install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_initrddir}/%{name} ln -sf %{_initrddir}/%{name} ${RPM_BUILD_ROOT}%{_sbindir}/rc%{name} %endif install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name} install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/fail2ban %if 0%{?suse_version} >= 1230 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service install -d -m755 $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/ install -m644 %{SOURCE5} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/%{name}.conf %endif %pre %if 0%{?suse_version} >= 1230 %service_add_pre %{name}.service %endif %post %{fillup_only} %if 0%{?suse_version} >= 1230 systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf %service_add_post %{name}.service %endif %preun %if 0%{?suse_version} >= 1230 %service_del_preun %{name}.service %else %stop_on_removal %{name} %endif %postun %if 0%{?suse_version} >= 1230 %service_del_postun %{name}.service %else %restart_on_update %{name} %insserv_cleanup %endif %files %defattr(-, root, root) %dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}/action.d %dir %{_sysconfdir}/%{name}/filter.d %config(noreplace) %{_sysconfdir}/%{name}/*.conf %config(noreplace) 
%{_sysconfdir}/%{name}/action.d/*.conf %config(noreplace) %{_sysconfdir}/%{name}/filter.d/*.conf %config %{_sysconfdir}/logrotate.d/fail2ban %if 0%{?suse_version} >= 1230 %{_unitdir}/%{name}.service /usr/lib/tmpfiles.d/%{name}.conf %else %{_initrddir}/%{name} %{_sbindir}/rc%{name} %dir %ghost /var/run/%{name} %endif %{_bindir}/%{name}* %{_datadir}/%{name} /var/adm/fillup-templates/sysconfig.%{name} %doc %{_mandir}/man1/* %doc COPYING ChangeLog DEVELOP README.md TODO files/cacti %changelog ++++++ fail2ban.init ++++++ #!/bin/sh # ### BEGIN INIT INFO # Provides: fail2ban # Required-Start: $remote_fs $local_fs # Should-Start: $syslog $time $network iptables # Required-Stop: $remote_fs $local_fs # Should-Stop: $syslog $time $network iptables # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Pidfile: /var/run/fail2ban/fail2ban.pid # Short-Description: Bans IPs with too many authentication failures # Description: Start fail2ban to scan logfiles and ban IP addresses # which make too many logfiles failures, and/or sent e-mails about ### END INIT INFO # Check for missing binaries (stale symlinks should not happen) FAIL2BAN_CLI=/usr/bin/fail2ban-client test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } FAIL2BAN_SRV=/usr/bin/fail2ban-server test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban" FAIL2BAN_SOCKET_DIR="/var/run/fail2ban" FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock" FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid" if [ -e $FAIL2BAN_CONFIG ]; then . $FAIL2BAN_CONFIG fi . /etc/rc.status rc_reset case "$1" in start) echo -n "Starting fail2ban " if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then mkdir -p $FAIL2BAN_SOCKET_DIR fi if [ -e $FAIL2BAN_SOCKET ]; then if ! 
lsof -n $FAIL2BAN_SOCKET &>/dev/null; then rm $FAIL2BAN_SOCKET fi fi $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1 rc_status -v ;; stop) echo -n "Shutting down fail2ban " ## Stop daemon with built-in functionality 'stop' /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1 if [ -f $FAIL2BAN_SOCKET ] then echo "$FAIL2BAN_SOCKET not removed .. removing .." rm $FAIL2BAN_SOCKET fi if [ -f $FAIL2BAN_PID ] then echo "$FAIL2BAN_PID not removed .. removing .." rm $FAIL2BAN_PID fi rc_status -v ;; try-restart|condrestart) $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi rc_status ;; restart) $0 stop i=60 while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do sleep 1 i=$[$i-1] echo -n "." done $0 start rc_status ;; reload|force-reload) echo -n "Reload service Fail2ban " /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1 rc_status -v ;; status) echo -n "Checking for service fail2ban " /sbin/checkproc $FAIL2BAN_SRV rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ fail2ban.logrotate ++++++ /var/log/fail2ban.log { compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 644 root root postrotate fail2ban-client flushlogs 1>/dev/null || true endscript } ++++++ fail2ban.service ++++++ [Unit] Description=Bans IPs with too many authentication failures After=network.target SuSEfirewall2.service [Service] Type=forking EnvironmentFile=-/etc/sysconfig/fail2ban PIDFile=/run/fail2ban/fail2ban.pid ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start ExecReload=/usr/bin/fail2ban-client reload ExecStop=/usr/bin/fail2ban-client stop [Install] WantedBy=multi-user.target ++++++ fail2ban.sysconfig ++++++ ## Path: System/Security/Fail2ban ## Description: fail2ban options ## Type: string ## Default: "" ## ServiceReload: fail2ban ## ServiceRestart: fail2ban # # Options for fail2ban # FAIL2BAN_OPTIONS="" ++++++ fail2ban.tmpfiles 
++++++ d /run/fail2ban 0755 root root ++++++ fix-for-upstream-firewallcmd-ipset.conf.patch ++++++ diff -ur fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf --- fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf 2014-01-16 09:20:14.000000000 +0100 +++ fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf 2014-01-23 22:43:53.115263616 +0100 @@ -25,8 +25,6 @@ ipset flush fail2ban-<name> ipset destroy fail2ban-<name> -actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$' - actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist actionunban = ipset del fail2ban-<name> <ip> -exist diff -ur fail2ban-0.8.12.orig/THANKS fail2ban-0.8.12/THANKS --- fail2ban-0.8.12.orig/THANKS 2014-01-21 21:59:49.000000000 +0100 +++ fail2ban-0.8.12/THANKS 2014-01-23 22:43:53.115263616 +0100 @@ -30,6 +30,7 @@ Daniel B. Daniel Black David Nutter +Derek Atkins Eric Gerbier Enrico Labedzki ftoppi
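Review bot: In fail2ban.changes, the Jan 29 2014 security note names CVE-2013-7177 and CVE-2013-7176 but carries no bug reference, unlike the 0.8.10 entry (bnc#824710), and is not written as a "- " list item like the entries around it. Add the bug reference for each CVE so the update can be traced from the changelog. In the 0.8.12 entry, openwebmail appears twice in the "New filters" list.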
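Review bot: In the %files section of fail2ban.spec, the logrotate file is listed as %config %{_sysconfdir}/logrotate.d/fail2ban while every other configuration file uses %config(noreplace), so a package update replaces an administrator's edited rotation policy (RPM keeps the old copy as .rpmsave). Mark it %config(noreplace) for consistency. In %post, systemd-tmpfiles --create is called without guarding its exit status, so a failure there fails the scriptlet. In %install, install -d for %{_initrddir} runs outside the suse_version < 1230 conditional although the init script is only installed inside it.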
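Review bot: In fail2ban.init, the stop) branch tests the socket and PID paths with [ -f ... ]; -f is false for a Unix socket, so the "not removed .. removing .." cleanup of $FAIL2BAN_SOCKET never runs there. The start) and restart) branches already use -e, and stop) should use -e or -S as well. The script is declared #!/bin/sh but relies on bash-only syntax (&>/dev/null, i=$[$i-1]); either change the interpreter line to /bin/bash or use >/dev/null 2>&1 and $((i-1)). The usage string advertises probe, which has no case branch, and the path variables are expanded unquoted in the test, mkdir and rm calls.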
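Review bot: In fail2ban.logrotate, create 644 root root recreates /var/log/fail2ban.log world-readable after each rotation; the log records which addresses were banned and by which jail, so 640 (or 600) is the safer mode unless a non-root reader is required. The postrotate line discards only stdout (1>/dev/null) while || true hides the exit status, so a failing fail2ban-client flushlogs still writes to stderr but never fails the rotation. Pick one behaviour: redirect both streams, or drop || true so a failed flush is visible.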
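Review bot: In the firewallcmd-ipset.conf hunk (@@ -25,8 +25,6 @@), actioncheck is deleted outright rather than replaced, so the action no longer verifies that the set fail2ban-<name> exists around the actionban call (ipset add fail2ban-<name> <ip> timeout <bantime> -exist). The removed line grepped the firewall-cmd chain list; a check against the set itself, for example ipset list fail2ban-<name> with its output discarded, would keep a working safety net instead of none. If removal is intended, leave a comment in the .conf file pointing to rh#1046816, since the reason currently appears only in the spec and the changes file.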
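Review bot: The THANKS hunk (@@ -30,6 +30,7 @@, +Derek Atkins) is unrelated to the actioncheck fix but ships inside fix-for-upstream-firewallcmd-ipset.conf.patch, whose name and PATCH-FIX-UPSTREAM comment in the spec mention only the firewallcmd-ipset change and rh#1046816. Drop this hunk from the packaged patch, or state in the spec comment that the patch is a verbatim upstream commit, so that a later version update does not fail to apply the patch because of context that has nothing to do with the fix.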
