Hello community,

here is the log from the commit of package fail2ban.1800 for openSUSE:12.2:Update checked in at 2013-07-02 11:14:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/fail2ban.1800 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.fail2ban.1800.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban.1800"

Changes:
--------
New Changes file:

--- /dev/null	2013-07-02 09:26:14.908030755 +0200
+++ /work/SRC/openSUSE:12.2:Update/.fail2ban.1800.new/fail2ban.changes	2013-07-02 11:14:30.000000000 +0200
@@ -0,0 +1,87 @@ +------------------------------------------------------------------- +Fri Jun 14 13:02:51 UTC 2013 - jweberhofer@weberhofer.at + +- Fixes: Yaroslav Halchenko + * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor + failregex at the beginning (and where applicable at the end). + Addresses a possible DoS. + Closes gh#fail2ban/fail2ban#248, CVE-2013-2178, bnc#824710 + +------------------------------------------------------------------- +Tue Mar 26 08:12:51 UTC 2013 - jweberhofer@weberhofer.at + +- fail2ban: does not escape the content of <matches> + (bnc#794953, CVE-2012-5642): fail2ban-0.8.4-CVE-2012-5642.patch + +------------------------------------------------------------------- +Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at + +- Fixed initscript as discussed in bnc#790557 + +------------------------------------------------------------------- +Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de + +- Adding to fail2ban.init remove of pid and sock files on stop + in case not removed before (prevents start fail) + +------------------------------------------------------------------- +Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at + +- Update to version 0.8.6. containing various fixes and enhancements + +------------------------------------------------------------------- +Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com + +- Update to version 0.8.5: many bug fixes, enhancements and, as + a bonus, drop two patches that are now upstream +- Update FSF address to silent rpmlint warnings +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Apply packaging guidelines (remove redundant/obsolete + tags/sections from specfile, etc.) 
+ +------------------------------------------------------------------- +Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- +Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com + +- Create /var/run/fail2ban during startup to support systems that + mount /var/run as tmpfs +- Build package as noarch +- Spec file cleanup: fix a couple of rpmlint warnings +- Init script: look for fail2ban-server when checking if the + daemon is running + +------------------------------------------------------------------- +Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com + +- Update to version 0.8.4. Important changes: + * New "Ban IP" command + * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve + * Fixed the 'unexpected communication error' problem + * Remove socket file on startup if fail2ban crashed (bnc#537239) + +------------------------------------------------------------------- +Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de + +- Initial version: 0.8.3 + New: ---- fail2ban-0.8.6-CVE-2012-5642.patch fail2ban-0.8.6-CVE-2013-2178.patch fail2ban-0.8.6-update-fsf-address.patch fail2ban-0.8.6.tar.bz2 fail2ban.changes fail2ban.init fail2ban.spec fail2ban.sysconfig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ # # spec file for package fail2ban # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. 
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           fail2ban
Requires:       cron
Requires:       logrotate
Requires:       lsof
Requires:       python >= 2.5
BuildRequires:  python-devel
PreReq:         %fillup_prereq
Version:        0.8.6
Release:        0
Url:            http://www.fail2ban.org/
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
Summary:        Bans IP addresses that make too many authentication failures
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Source0:        %{name}-%{version}.tar.bz2
Source1:        %{name}.init
Source2:        %{name}.sysconfig
Patch0:         fail2ban-%{version}-update-fsf-address.patch
# PATCH-FIX-UPSTREAM fail2ban-0.8.6-CVE-2012-5642.patch [bnc#794953, CVE-2012-5642]
Patch1:         fail2ban-0.8.6-CVE-2012-5642.patch
# PATCH-FIX-UPSTREAM fail2ban-0.8.6-CVE-2013-2178.patch [bnc#824710, CVE-2013-2178]
Patch2:         fail2ban-0.8.6-CVE-2013-2178.patch

%description
Fail2ban scans log files like /var/log/messages and bans IP addresses that
makes too many password failures. It updates firewall rules to reject the
IP address, can send e-mails, or set host.deny entries. These rules can be
defined by the user. Fail2Ban can read multiple log files such as sshd or
Apache web server ones.

%prep
%setup
%patch0 -p1
%patch1 -p1
%patch2 -p1

%build
export CFLAGS="$RPM_OPT_FLAGS"
python setup.py build
gzip man/*.1

%install
python setup.py install \
    --root=$RPM_BUILD_ROOT \
    --prefix=%{_prefix}
install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1
for i in fail2ban-client fail2ban-regex fail2ban-server; do
    install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1
done
install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/init.d
install -d -m755 $RPM_BUILD_ROOT/usr/sbin
install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/%{name}
ln -sf /etc/init.d/%{name} ${RPM_BUILD_ROOT}/usr/sbin/rc%{name}
install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name}

%post
%{fillup_only}

%preun
%stop_on_removal %{name}

%postun
%restart_on_update %{name}
%insserv_cleanup

%files
%defattr(-, root, root)
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/action.d
%dir %{_sysconfdir}/%{name}/filter.d
%config %{_sysconfdir}/%{name}/*.conf
%config %{_sysconfdir}/%{name}/action.d/*.conf
%config %{_sysconfdir}/%{name}/filter.d/*.conf
%{_sysconfdir}/init.d/%{name}
/usr/bin/%{name}*
/usr/sbin/rc%{name}
/usr/share/%{name}
%dir %ghost /var/run/%{name}
/var/adm/fillup-templates/sysconfig.%{name}
%doc %{_mandir}/man1/*
%doc COPYING ChangeLog README TODO files/cacti

%changelog

++++++ fail2ban-0.8.6-CVE-2012-5642.patch ++++++
From 83109bce144f443a48ef31165a5389b7b83f4e0e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 8 Oct 2012 22:14:51 -0400
Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols
---
server/action.py | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/server/action.py b/server/action.py
index faf5065..387c115 100644
--- a/server/action.py
+++ b/server/action.py
@@ -230,7 +230,14 @@ def getActionStop(self):
def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
##
# Replaces tags in query with property values in aInfo.
#
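Review bot: the character list in `escapeTag` is a denylist and it omits the characters that matter once `<matches>` is placed inside a quoted argument: `"`, `'` and whitespace are not in `'\\#&;`|*?~<>^()[]{}$\n'`, so a value containing a double quote can terminate a `"...<matches>..."` argument in an action command, while inside double quotes the backslashes added for `;`, `|`, `(` and friends are kept by the shell and end up in the data. Either document in action.d that `<matches>` must be used unquoted, or quote the whole value instead of escaping selected bytes (in Python 2, `pipes.quote(value)` wraps it in single quotes and handles an embedded `'`). Also, escaping `\n` as backslash-newline makes the shell treat it as a line continuation, so embedded newlines are silently dropped rather than preserved.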
@@ -243,8 +250,13 @@ def replaceTag(query, aInfo):
""" Replace tags in query
"""
string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string
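Review bot: `value = escapeTag(value)` will raise `NameError` at runtime. `replaceTag` is a static method (`def replaceTag(query, aInfo)`, no `self`) and `escapeTag` is bound in the class namespace, which Python does not put in scope for method bodies; the existing code already shows the required form with `Action.replaceTag(...)` and `Action.executeCmd(...)` in `execActionStop`. Change the line to `value = Action.escapeTag(value)`; as written, every ban whose `aInfo` carries a `matches` entry fails before the action command is built, which turns the injection fix into a denial of the banning itself.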
--
1.8.1.5
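The changelog entry for CVE-2012-5642 says only that `<matches>` was not escaped. The following Python is an added example, not code from fail2ban or from the patch above: it re-implements the patch's `escapeTag`/`replaceTag` logic as plain functions, substitutes a constructed `<matches>` value into a hypothetical `actionban` template, and runs the expanded string through `/bin/sh -c` the way fail2ban executes action commands, once without and once with the escaping. The template `ACTIONBAN`, the ban info dictionary `INFO` and the log-derived matches text are all assumptions made up for this demonstration.

```python
import subprocess


def escape_tag(tag):
    """Mirror of the denylist escaping the patch adds as Action.escapeTag.
    Backslash is processed first so the escapes added afterwards are not
    doubled."""
    for c in '\\#&;`|*?~<>^()[]{}$\n':
        if c in tag:
            tag = tag.replace(c, '\\' + c)
    return tag


def replace_tags(query, info, escape_matches):
    """Substitute <tag> placeholders the way Action.replaceTag does.

    escape_matches=False reproduces the pre-patch behaviour (raw log text
    goes straight into the command line); True applies escape_tag() to the
    'matches' value only, as the patch does.
    """
    for tag, value in info.items():
        value = str(value)
        if tag == 'matches' and escape_matches:
            value = escape_tag(value)
        query = query.replace('<' + tag + '>', value)
    return query.replace('<br>', '\n')


def run_action(template, info, escape_matches):
    """Expand the template and execute it with /bin/sh -c, as fail2ban runs
    action commands; return the lines the shell wrote to stdout."""
    cmd = replace_tags(template, info, escape_matches)
    proc = subprocess.run(['/bin/sh', '-c', cmd],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


# Hypothetical actionban template (an assumption, not from action.d): it
# echoes the ban and the evidence lines, with <matches> unquoted.
ACTIONBAN = 'echo ban <ip> <matches>'

# Constructed ban info. The 'matches' value stands in for text an attacker
# can get into a log line, e.g. via the request path Apache writes to its
# error log.
INFO = {
    'ip': '203.0.113.5',
    'matches': 'user admin not found; echo INJECTED',
}

if __name__ == '__main__':
    print('unescaped:', run_action(ACTIONBAN, INFO, escape_matches=False))
    print('escaped:  ', run_action(ACTIONBAN, INFO, escape_matches=True))
```

Without escaping the shell sees two commands and the second one (`echo INJECTED`) runs; with escaping the `;` is a literal byte in one `echo` argument. The template deliberately leaves `<matches>` unquoted: inside double quotes the shell keeps the backslash for `;` and the others on the list, so this escaping and quoting do not compose, which is why the choice of one or the other belongs in the action file's documentation.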
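For the CVE-2013-2178 entry in the changelog (anchoring the Apache failregex), here is an added example that is not part of this page or of fail2ban. It runs the three 0.8.6 apache-auth expressions and the patched, `^`-anchored expression from the second patch below over two constructed Apache 2.2 error-log lines, using Python's `re` directly rather than fail2ban's Filter class (fail2ban 0.8 searches the whole line, so `re.search` is a fair stand-in). The second line is a `File does not exist:` message whose request path carries a fake `[client ...] user ... not found` fragment. `<HOST>` is expanded with the alias quoted in the filter header comments, and `%(_apache_error_client)s` is interpolated by hand from apache-common.conf.

```python
import re

# fail2ban's <HOST> alias, as quoted in the filter header comments.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three 0.8.6 apache-auth failregex lines: no anchor, so a search may
# find the pattern anywhere in the line.
OLD_FAILREGEX = [
    r"[[]client <HOST>[]] user .* authentication failure",
    r"[[]client <HOST>[]] user .* not found",
    r"[[]client <HOST>[]] user .* password mismatch",
]

# The patched form with %(_apache_error_client)s from apache-common.conf
# interpolated and the expression anchored at the start of the line.
APACHE_ERROR_CLIENT = r"\[[^]]+\] \[error\] \[client <HOST>\]"
NEW_FAILREGEX = [
    r"^" + APACHE_ERROR_CLIENT
    + r" user .* (authentication failure|not found|password mismatch)\s*$",
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban's Regex class does, then compile."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def banned_host(compiled, line):
    """Return the 'host' group of the first failregex that matches, i.e. the
    address fail2ban 0.8 would ban for this line, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def compare(line):
    """Host picked by the old and by the new expressions for one line."""
    return {
        "old": banned_host(compile_failregex(OLD_FAILREGEX), line),
        "new": banned_host(compile_failregex(NEW_FAILREGEX), line),
    }


# Constructed Apache 2.2 error-log lines (not real log data).
# A genuine auth failure from 192.0.2.10 ...
GENUINE = ("[Fri Jun 14 13:02:51 2013] [error] [client 192.0.2.10] "
           "user alice not found")
# ... and a 404 from 198.51.100.7 whose attacker-chosen request path makes
# the logged line contain a fake "[client ...] user ... not found".
INJECTED = ("[Fri Jun 14 13:02:52 2013] [error] [client 198.51.100.7] "
            "File does not exist: /var/www/[client 203.0.113.5] user admin not found")

if __name__ == "__main__":
    print("genuine :", compare(GENUINE))
    print("injected:", compare(INJECTED))
```

The unanchored expressions pick `203.0.113.5` out of the request path, so a single crafted request can get any address banned; the anchored expression only ever reads the `[client ...]` field Apache itself writes, and the injected line does not match at all. Before relying on the `\s*$` tail of the patched expression, run it over real error-log samples with `fail2ban-regex`, since a message that continues after the phrase will not match it.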
++++++ fail2ban-0.8.6-CVE-2013-2178.patch ++++++
diff -Nur fail2ban-0.8.6-orig/config/filter.d/apache-auth.conf fail2ban-0.8.6/config/filter.d/apache-auth.conf
--- fail2ban-0.8.6-orig/config/filter.d/apache-auth.conf 2011-11-29 04:46:04.000000000 +0100
+++ fail2ban-0.8.6/config/filter.d/apache-auth.conf 2013-06-14 15:00:50.880752638 +0200
@@ -5,6 +5,12 @@
# $Revision$
#
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
[Definition]
# Option: failregex
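Review bot: the comment in the new `[INCLUDES]` section says customizations are read from `common.local`, but the file being included is `apache-common.conf`, and the override it wires in (via its own `after =`) is `apache-common.local`; fix the name in the comment so an admin creates the file that is actually read.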
@@ -14,9 +20,7 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
-failregex = [[]client <HOST>[]] user .* authentication failure
- [[]client <HOST>[]] user .* not found
- [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
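Review bot: the `\s*$` tail on the new single-line failregex changes what matches, not only where. The three original expressions matched a line that contained `user .* not found` (etc.) anywhere after the client field; the replacement requires the phrase to be the last thing on the line, so if Apache writes anything after it (the requested URI, a `: Password Mismatch` detail, a `, referer:` suffix) the line stops matching and the jail silently stops banning. Run the new expression over real 2.2 error-log samples with `fail2ban-regex` before shipping. The security boundary here is the `^%(_apache_error_client)s` prefix, which keeps attacker-controlled request-path text from being read as `[client <HOST>]`; if the tail anchor breaks matching, it can be dropped without reopening the issue. Collapsing the three messages into one `( ... | ... | ... )` alternation is fine for fail2ban, which only requires the named `host` group.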
diff -Nur fail2ban-0.8.6-orig/config/filter.d/apache-auth.conf.orig fail2ban-0.8.6/config/filter.d/apache-auth.conf.orig
--- fail2ban-0.8.6-orig/config/filter.d/apache-auth.conf.orig 1970-01-01 01:00:00.000000000 +0100
+++ fail2ban-0.8.6/config/filter.d/apache-auth.conf.orig 2011-11-29 04:46:04.000000000 +0100
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = [[]client <HOST>[]] user .* authentication failure
+ [[]client <HOST>[]] user .* not found
+ [[]client <HOST>[]] user .* password mismatch
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
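Review bot: `apache-auth.conf.orig` is a backup left behind by `patch` or an editor, not a source change, and this hunk adds it to the tree (the same happens with `apache-nohome.conf.orig` further down). Drop both from the patch: whether or not setup.py's install glob picks them up, they ship in the source RPM, duplicate the old unanchored expressions next to the fixed ones, and will confuse the next rebase.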
diff -Nur fail2ban-0.8.6-orig/config/filter.d/apache-common.conf fail2ban-0.8.6/config/filter.d/apache-common.conf
--- fail2ban-0.8.6-orig/config/filter.d/apache-common.conf 1970-01-01 01:00:00.000000000 +0100
+++ fail2ban-0.8.6/config/filter.d/apache-common.conf 2013-06-14 15:00:50.888752790 +0200
@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]
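Review bot: `_apache_error_client` hard-codes the `[timestamp] [error] [client <HOST>]` prefix, so once every failregex is anchored with `^` any error log that does not start this way (lines routed through syslog, a custom ErrorLogFormat, or a layout with extra bracketed fields between the timestamp and the client address) will never match again. That is the right trade-off for the injection fix, but say so in the header comment and point admins at `apache-common.local`, which this file already loads via `after =`, as the place to override the prefix for their log format.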
diff -Nur fail2ban-0.8.6-orig/config/filter.d/apache-nohome.conf fail2ban-0.8.6/config/filter.d/apache-nohome.conf
--- fail2ban-0.8.6-orig/config/filter.d/apache-nohome.conf 2011-11-29 04:46:04.000000000 +0100
+++ fail2ban-0.8.6/config/filter.d/apache-nohome.conf 2013-06-14 15:00:50.896752942 +0200
@@ -5,6 +5,12 @@
# $Revision$
#
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
[Definition]
# Option: failregex
@@ -14,7 +20,7 @@
# per-domain log files.
# Values: TEXT
#
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
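Review bot: only the `^` prefix anchor is applied here, which is the part that matters: everything after `File does not exist: ` is the decoded request path, so it remains attacker-chosen text, but it can no longer be read as the `[client <HOST>]` field. Worth a one-line comment above failregex saying that the anchored prefix, not the `/~` tail, is the security boundary, so a later edit does not loosen it back to the old `[[]client <HOST>[]]` form.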
diff -Nur fail2ban-0.8.6-orig/config/filter.d/apache-nohome.conf.orig fail2ban-0.8.6/config/filter.d/apache-nohome.conf.orig
--- fail2ban-0.8.6-orig/config/filter.d/apache-nohome.conf.orig 1970-01-01 01:00:00.000000000 +0100
+++ fail2ban-0.8.6/config/filter.d/apache-nohome.conf.orig 2011-11-29 04:46:04.000000000 +0100
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Yaroslav O. Halchenko