Hello community,

here is the log from the commit of package fail2ban.1498 for openSUSE:12.2:Update checked in at 2013-04-02 10:08:59

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/fail2ban.1498 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.fail2ban.1498.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban.1498", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null	2013-02-26 18:15:11.936010755 +0100
+++ /work/SRC/openSUSE:12.2:Update/.fail2ban.1498.new/fail2ban.changes	2013-04-02 10:09:00.000000000 +0200
@@ -0,0 +1,78 @@ +------------------------------------------------------------------- +Tue Mar 26 08:12:51 UTC 2013 - jweberhofer@weberhofer.at + +- fail2ban: does not escape the content of <matches> + (bnc#794953, CVE-2012-5642): fail2ban-0.8.4-CVE-2012-5642.patch + +------------------------------------------------------------------- +Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at + +- Fixed initscript as discussed in bnc#790557 + +------------------------------------------------------------------- +Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de + +- Adding to fail2ban.init remove of pid and sock files on stop + in case not removed before (prevents start fail) + +------------------------------------------------------------------- +Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at + +- Update to version 0.8.6. containing various fixes and enhancements + +------------------------------------------------------------------- +Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com + +- Update to version 0.8.5: many bug fixes, enhancements and, as + a bonus, drop two patches that are now upstream +- Update FSF address to silent rpmlint warnings +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Apply packaging guidelines (remove redundant/obsolete + tags/sections from specfile, etc.) 
+ +------------------------------------------------------------------- +Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- +Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com + +- Create /var/run/fail2ban during startup to support systems that + mount /var/run as tmpfs +- Build package as noarch +- Spec file cleanup: fix a couple of rpmlint warnings +- Init script: look for fail2ban-server when checking if the + daemon is running + +------------------------------------------------------------------- +Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com + +- Update to version 0.8.4. Important changes: + * New "Ban IP" command + * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve + * Fixed the 'unexpected communication error' problem + * Remove socket file on startup if fail2ban crashed (bnc#537239) + +------------------------------------------------------------------- +Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de + +- Initial version: 0.8.3 +

New:
----
  fail2ban-0.8.6-CVE-2012-5642.patch
  fail2ban-0.8.6-update-fsf-address.patch
  fail2ban-0.8.6.tar.bz2
  fail2ban.changes
  fail2ban.init
  fail2ban.spec
  fail2ban.sysconfig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fail2ban.spec ++++++
#
# spec file for package fail2ban
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           fail2ban
Requires:       cron
Requires:       logrotate
Requires:       lsof
Requires:       python >= 2.5
BuildRequires:  python-devel
PreReq:         %fillup_prereq
Version:        0.8.6
Release:        0
Url:            http://www.fail2ban.org/
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
Summary:        Bans IP addresses that make too many authentication failures
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Source0:        %{name}-%{version}.tar.bz2
Source1:        %{name}.init
Source2:        %{name}.sysconfig
Patch0:         fail2ban-%{version}-update-fsf-address.patch
# PATCH-FIX-UPSTREAM fail2ban-0.8.6-CVE-2012-5642.patch [bnc#794953, CVE-2012-5642]
Patch1:         fail2ban-0.8.6-CVE-2012-5642.patch

%description
Fail2ban scans log files like /var/log/messages and bans IP addresses
that make too many password failures. It updates firewall rules to
reject the IP address, can send e-mails, or set host.deny entries.
These rules can be defined by the user. Fail2Ban can read multiple log
files such as sshd or Apache web server ones.
%prep
%setup
%patch0 -p1
%patch1 -p1

%build
export CFLAGS="$RPM_OPT_FLAGS"
python setup.py build
gzip man/*.1

%install
python setup.py install \
    --root=$RPM_BUILD_ROOT \
    --prefix=%{_prefix}
install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1
for i in fail2ban-client fail2ban-regex fail2ban-server; do
    install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1
done
install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/init.d
install -d -m755 $RPM_BUILD_ROOT/usr/sbin
install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/%{name}
ln -sf /etc/init.d/%{name} ${RPM_BUILD_ROOT}/usr/sbin/rc%{name}
install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name}

%post
%{fillup_only}

%preun
%stop_on_removal %{name}

%postun
%restart_on_update %{name}
%insserv_cleanup

%files
%defattr(-, root, root)
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/action.d
%dir %{_sysconfdir}/%{name}/filter.d
%config %{_sysconfdir}/%{name}/*.conf
%config %{_sysconfdir}/%{name}/action.d/*.conf
%config %{_sysconfdir}/%{name}/filter.d/*.conf
%{_sysconfdir}/init.d/%{name}
/usr/bin/%{name}*
/usr/sbin/rc%{name}
/usr/share/%{name}
%dir %ghost /var/run/%{name}
/var/adm/fillup-templates/sysconfig.%{name}
%doc %{_mandir}/man1/*
%doc COPYING ChangeLog README TODO files/cacti

%changelog

++++++ fail2ban-0.8.6-CVE-2012-5642.patch ++++++
From 83109bce144f443a48ef31165a5389b7b83f4e0e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 8 Oct 2012 22:14:51 -0400
Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols
--- server/action.py | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/server/action.py b/server/action.py index faf5065..387c115 100644 --- a/server/action.py +++ b/server/action.py @@ -230,7 +230,14 @@ def getActionStop(self): def execActionStop(self): stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) return Action.executeCmd(stopCmd) - + + def escapeTag(tag): + for c in '\\#&;`|*?~<>^()[]{}$\n': + if c in tag: + tag = tag.replace(c, '\\' + c) + return tag + escapeTag = staticmethod(escapeTag) + ## # Replaces tags in query with property values in aInfo. # 
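Review bot: the escape set in escapeTag (`'\\#&;`|*?~<>^()[]{}$\n'`) leaves out the single and double quote characters, so a <matches> value containing `"` or `'` is substituted unescaped and can still terminate a quoting context in any action command that wraps the tag in quotes; adding `'` and `"` to the set closes that gap for double-quoted contexts (inside single quotes backslash escaping does not work at all, so actions should not single-quote this tag). Escaping the newline as backslash-newline also has a side effect worth stating: the shell treats backslash-newline as a line continuation and removes it, so multi-line <matches> content is silently joined into one line rather than kept as separate lines. Putting `\\` first in the loop is correct, since the later replacements introduce backslashes that must not be re-escaped, but that ordering dependency deserves a comment so nobody reorders the characters later.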
@@ -243,8 +250,13 @@ def replaceTag(query, aInfo): """ Replace tags in query """ string = query - for tag in aInfo: - string = string.replace('<' + tag + '>', str(aInfo[tag])) + for tag, value in aInfo.iteritems(): + value = str(value) # assure string + if tag == 'matches': + # That one needs to be escaped since its content is + # out of our control + value = escapeTag(value) + string = string.replace('<' + tag + '>', value) # New line string = string.replace("<br>", '\n') return string -- 1.8.1.5

++++++ fail2ban-0.8.6-update-fsf-address.patch ++++++
++++ 650 lines (skipped)

++++++ fail2ban.init ++++++
#!/bin/sh
#
### BEGIN INIT INFO
# Provides:          fail2ban
# Required-Start:    $syslog $remote_fs $local_fs
# Should-Start:      $time $network iptables
# Required-Stop:     $syslog $remote_fs $local_fs
# Should-Stop:       $time $network iptables
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Pidfile:           /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many authentication failures
# Description:       Start fail2ban to scan logfiles and ban IP addresses
#                    which make too many logfiles failures, and/or sent e-mails about
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
FAIL2BAN_CLI=/usr/bin/fail2ban-client
test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 5; fi; }
FAIL2BAN_SRV=/usr/bin/fail2ban-server
test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 5; fi; }

FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban"
FAIL2BAN_SOCKET_DIR="/var/run/fail2ban"
FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock"
FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid"

if [ -e $FAIL2BAN_CONFIG ]; then
    . $FAIL2BAN_CONFIG
fi

. /etc/rc.status
rc_reset

case "$1" in
    start)
        echo -n "Starting fail2ban "
        if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then
            mkdir -p $FAIL2BAN_SOCKET_DIR
        fi
        if [ -e $FAIL2BAN_SOCKET ]; then
            if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
                rm $FAIL2BAN_SOCKET
            fi
        fi
        $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down fail2ban "
        ## Stop daemon with built-in functionality 'stop'
        /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1
        if [ -f $FAIL2BAN_SOCKET ]
        then
            echo "$FAIL2BAN_SOCKET not removed .. removing .."
            rm $FAIL2BAN_SOCKET
        fi
        if [ -f $FAIL2BAN_PID ]
        then
            echo "$FAIL2BAN_PID not removed .. removing .."
            rm $FAIL2BAN_PID
        fi
        rc_status -v
        ;;
    try-restart|condrestart)
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset        # Not running is not a failure.
        fi
        rc_status
        ;;
    restart)
        $0 stop
        i=60
        while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
            sleep 1
            i=$[$i-1]
            echo -n "."
        done
        $0 start
        rc_status
        ;;
    reload|force-reload)
        echo -n "Reload service Fail2ban "
        /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1
        rc_status -v
        ;;
    status)
        echo -n "Checking for service fail2ban "
        /sbin/checkproc $FAIL2BAN_SRV
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

++++++ fail2ban.sysconfig ++++++
## Path:           System/Security/Fail2ban
## Description:    fail2ban options
## Type:           string
## Default:        ""
## ServiceReload:  fail2ban
## ServiceRestart: fail2ban
#
# Options for fail2ban
#
FAIL2BAN_OPTIONS=""
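Review bot: in the replaceTag hunk of fail2ban-0.8.6-CVE-2012-5642.patch, escaping is applied only when `tag == 'matches'`; every other entry of aInfo is converted with `str(value)` and substituted into the shell command unescaped, so the fix depends on all remaining tag values being well-formed by construction (for instance, on the filter regex only ever capturing an address-shaped string). A safer default would be an allowlist of the few tags known to be trusted, with escapeTag applied to everything else; at minimum the comment `# out of our control` should spell out that assumption for the other tags. The `aInfo.iteritems()` call also pins the code to Python 2, which is consistent with the spec's `python >= 2.5` requirement but is worth noting for a later port.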