Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fail2ban for openSUSE:Factory checked in at 2021-08-25 20:57:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fail2ban (Old) and /work/SRC/openSUSE:Factory/.fail2ban.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fail2ban" Wed Aug 25 20:57:59 2021 rev:61 rq:914046 version:0.11.2 Changes: -------- --- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes 2020-12-05 20:51:33.663576641 +0100 +++ /work/SRC/openSUSE:Factory/.fail2ban.new.1899/fail2ban.changes 2021-08-25 20:59:26.945063448 +0200 @@ -1,0 +2,6 @@ +Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <[email protected]> + +- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch + to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand + +------------------------------------------------------------------- @@ -4 +10 @@ -- Integrate change to resolve bnc#1146856 +- Integrate change to resolve bnc#1146856 and bnc#1180738 New: ---- fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ --- /var/tmp/diff_new_pack.lIi8pA/_old 2021-08-25 20:59:27.593062597 +0200 +++ /var/tmp/diff_new_pack.lIi8pA/_new 2021-08-25 20:59:27.593062597 +0200 @@ -1,7 +1,7 @@ # # spec file for package fail2ban # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -49,6 +49,9 @@ Patch201: %{name}-0.10.4-env-script-interpreter.patch # PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch [email protected] -- start after SuSEfirewall2 only for older distributions Patch300: fail2ban-opensuse-service-sfw.patch +# PATCH-FIX-UPSTREAM fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch [email protected] -- fixes CVE-2021-32749 +Patch400: fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch + BuildRequires: fdupes BuildRequires: logrotate BuildRequires: python3-tools 
@@ -133,6 +136,7 @@ %if !0%{?suse_version} > 1500 %patch300 -p1 %endif +%patch400 -p1 rm config/paths-arch.conf \ config/paths-debian.conf \ ++++++ fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch ++++++ >From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001 From: sebres <[email protected]> Date: Mon, 21 Jun 2021 17:12:53 +0200 Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable (default tilde) stops consider "~" char after new-line as composing escape sequence --- config/action.d/complain.conf | 2 +- config/action.d/dshield.conf | 2 +- config/action.d/mail-buffered.conf | 8 ++++---- config/action.d/mail-whois-lines.conf | 2 +- config/action.d/mail-whois.conf | 6 +++--- config/action.d/mail.conf | 6 +++--- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf index 3a5f882c9f..4d73b05859 100644 --- a/config/action.d/complain.conf +++ b/config/action.d/complain.conf @@ -102,7 +102,7 @@ logpath = /dev/null # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # -mailcmd = mail -s +mailcmd = mail -E 'set escape' -s # Option: mailargs # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index c128bef348..3d5a7a53a9 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -179,7 +179,7 @@ tcpflags = # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # -mailcmd = mail -s +mailcmd = mail -E 'set escape' -s # Option: mailargs # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 325f185b2f..79b841049c 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf 
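Review bot: The new `mailcmd = mail -E 'set escape' -s` default in complain.conf assumes GNU mailutils' mail(1), where `-E` runs a mailrc command before the message is processed; on Heirloom/BSD-derived mailx the `-E` flag takes no argument, so `'set escape'` would presumably be parsed as a recipient and the tilde-escape mitigation would silently not apply. The option's `Notes.:` comment still only says the command is passed two args, so the reason for the extra flag is undocumented at the one place administrators are expected to override it. Suggest extending it: `# Notes.: -E 'set escape' unsets mail(1)'s tilde escape so that a line beginning with "~" in untrusted body text cannot run mail escape commands (CVE-2021-32749); this syntax is GNU mailutils specific - adjust for other mail implementations`. The same default is changed in dshield.conf in this patch and the same note applies there.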
@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n The jail <name> has been started successfully.\n Output will be buffered until <lines> lines are available.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) @@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then These hosts have been banned by Fail2Ban.\n `cat <tmpfile>` Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest> rm <tmpfile> fi printf %%b "Hi,\n The jail <name> has been stopped.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> # Option: actioncheck # Notes.: command executed once before each actionban command @@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile> These hosts have been banned by Fail2Ban.\n `cat <tmpfile>` \nRegards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest> rm <tmpfile> fi diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index 3a3e56b2c7..d2818cb9b9 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -72,7 +72,7 @@ actionunban = # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # -mailcmd = mail -s +mailcmd = mail -E 'set escape' -s # Default name of the chain # diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf index 7fea34c40d..ab33b616dc 100644 --- a/config/action.d/mail-whois.conf +++ b/config/action.d/mail-whois.conf 
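Review bot: In mail-buffered.conf the `mail -E 'set escape' -s` invocation is now hard-coded in four separate action bodies (actionstart, both branches of actionstop, and actionban), whereas complain.conf, dshield.conf and mail-whois-lines.conf expose the same command through a `mailcmd` option. Hoisting it into a `mailcmd = mail -E 'set escape' -s` option and referencing `<mailcmd>` in the bodies would let an administrator whose mail(1) does not accept `-E` override it once instead of editing every action. The actionban hunk is also where `` `cat <tmpfile>` `` is spliced into the message piped to mail, so a one-line comment there, e.g. `# tilde escape is unset so "~" at line start in the body cannot trigger mail(1) escape commands (CVE-2021-32749)`, would explain the flag to the next maintainer.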
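Review bot: The mail-whois-lines.conf hunk changes the `mailcmd` default but leaves its `Notes.:` comment describing only the two positional arguments, so the security reason for `-E 'set escape'` is not documented where it is most likely to be edited away. Suggest adding `# Notes.: -E 'set escape' disables mail(1)'s tilde escape so that "~" at the start of a line in whois or log output piped into the body cannot run mail commands (CVE-2021-32749)`. The actionban that feeds whois and log lines through `<mailcmd>` is outside this hunk, so that usage is inferred from the file name and surrounding options rather than visible here.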
@@ -20,7 +20,7 @@ norestored = 1 actionstart = printf %%b "Hi,\n The jail <name> has been started successfully.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) @@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n actionstop = printf %%b "Hi,\n The jail <name> has been stopped.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> # Option: actioncheck # Notes.: command executed once before each actionban command @@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n Here is more information about <ip> :\n `%(_whois_command)s`\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf index 5d8c0e154c..f4838ddcb6 100644 --- a/config/action.d/mail.conf +++ b/config/action.d/mail.conf @@ -16,7 +16,7 @@ norestored = 1 actionstart = printf %%b "Hi,\n The jail <name> has been started successfully.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest> # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 
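Review bot: The actionban body in mail-whois.conf embeds `` `%(_whois_command)s` `` output verbatim in the message piped to mail, and that text comes from a remote whois server and so can be attacker-influenced; it is the only hunk in this file whose message carries external text (actionstart and actionstop interpolate only <name> and <fq-hostname>). A why-comment above actionban would keep the mitigation discoverable when someone later swaps the mail command: `# whois output is untrusted; mail is run with the tilde escape unset so a line starting with "~" cannot execute mail(1) escape commands (CVE-2021-32749)`. Unsetting `escape` only neutralises the tilde mechanism of GNU mailutils, so if the pipe is ever pointed at another mail client, verify that client has no equivalent interactive escape when reading the body from stdin.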
@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n actionstop = printf %%b "Hi,\n The jail <name> has been stopped.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest> # Option: actioncheck # Notes.: command executed once before each actionban command @@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the
