Hello community, here is the log from the commit of package fail2ban for openSUSE:Factory checked in at 2014-01-30 14:54:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fail2ban (Old) and /work/SRC/openSUSE:Factory/.fail2ban.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "fail2ban" Changes: -------- --- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes 2013-11-19 10:45:04.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.fail2ban.new/fail2ban.changes 2014-01-30 14:54:37.000000000 +0100 
@@ -1,0 +2,91 @@ +Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at + +Security note: The update to version 0.8.11 has fixed two additional security +issues: A remote unauthenticated attacker may cause arbitrary IP addresses to +be blocked by Fail2ban causing legitimate users to be blocked from accessing +services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 +(postfix) + +------------------------------------------------------------------- +Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at + +- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816 + +- lsof was required for fail2ban's SysVinit scripts only. Not longer used for + newer versions of openSUSE + +------------------------------------------------------------------- +Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at + +- Reviewed and fixed github references in the changelog + +------------------------------------------------------------------- +Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at + +- Use new flushlogs syntax after logrotate + +------------------------------------------------------------------- +Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at + +- Update to version 0.8.12 + + * Log rotation can now occur with the command "flushlogs" rather than + reloading fail2ban or keeping the logtarget settings consistent in + jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798). + + * Added ignorecommand option for allowing dynamic determination as to ignore + and IP or not. + + * Remove indentation of name and loglevel while logging to SYSLOG to resolve + syslog(-ng) parsing problems. (dep#730202). Log lines now also + report "[PID]" after the name portion too. 
+ + * Epoch dates can now be enclosed within [] + + * New actions: badips, firewallcmd-ipset, ufw, blocklist_de + + * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid, + ejabberd, openwebmail, groupoffice + + * Filter improvements: + - apache-noscript now includes php cgi scripts + - exim-spam filter to match spamassassin log entry for option SAdevnull. + - Added to sshd filter expression for + "Received disconnect from : 3: Auth fail" + - Improved ACL-handling for Asterisk + - Added improper command pipelining to postfix filter. + + * General fixes: + - Added lots of jail.conf entries for missing filters that creaped in + over the last year. + - synchat changed to use push method which verifies whether all data was + send. This ensures that all data is sent before closing the connection. + - Fixed python 2.4 compatibility (as sub-second in date patterns weren't + 2.4 compatible) + - Complain/email actions fixed to only include relevant IPs to reporting + + * Filter fixes: + - Added HTTP referrer bit of the apache access log to the apache filters. + - Apache 2.4 perfork regexes fixed + - Kernel syslog expression can have leading spaces + - allow for ",milliseconds" in the custom date format of proftpd.log + - recidive jail to block all protocols + - smtps not a IANA standard so may be missing from /etc/services. Due to + (still) common use 465 has been used as the explicit port number + - Filter dovecot reordered session and TLS items in regex with wider scope + for session characters + + * Ugly Fixes (Potentially incompatible changes): + + - Unfortunately at the end of last release when the action + firewall-cmd-direct-new was added it was too long and had a broken action + check. The action was renamed to firewallcmd-new to fit within jail name + name length. (gh#fail2ban/fail2ban#395). + + - Last release added mysqld-syslog-iptables as a jail configuration. This + jailname was too long and it has been renamed to mysqld-syslog. 
+ +- Fixed formating of github references in changelog +- reformatted spec-file + +------------------------------------------------------------------- @@ -35 +126 @@ - Addresses a possible DoS. Closes gh-248, bnc#824710 + Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710 @@ -37 +128 @@ - within [Init]. Closes gh-232 + within [Init]. Closes gh#fail2ban/fail2ban#232 @@ -44,2 +135,4 @@ - * Updates to asterisk filter. Closes gh-227/gh-230. - * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244. + * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227, + gh#fail2ban/fail2ban#230. + * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes + gh#fail2ban/fail2ban#244. @@ -63 +156,2 @@ - on Fedora. Closes gh-112. Thanks to Camusensei for the bug report. + on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the + bug report. @@ -65 +159 @@ - insight. Closes gh-103. + insight. Closes gh#fail2ban/fail2ban#103. @@ -69,3 +163,3 @@ - * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. - Thanks to Jon Foster for report and troubleshooting. - Orion Poplawski + * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes + gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and + troubleshooting. Orion Poplawski @@ -75 +169 @@ - * [39667ff6] Avoid leaking file descriptors. Closes gh-167. + * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167. @@ -81,2 +175,2 @@ - Closes gh-147, gh-148. - * [b6a68f51] Fix delaction on server side. Closes gh-124. + Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148. + * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124. @@ -85 +179 @@ - the fail2ban-client. Closes gh-134. + the fail2ban-client. Closes gh#fail2ban/fail2ban#134. @@ -87 +181 @@ - gh-70. Thanks to iGeorgeX for the idea. + gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. 
@@ -89 +183,2 @@ - * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 + * [96eb8986] ' and " should also be escaped in action tags Closes + gh#fail2ban/fail2ban#109 @@ -96 +191 @@ - beilber for the idea. Closes gh-114. + beilber for the idea. Closes gh#fail2ban/fail2ban#114. @@ -100 +195 @@ - fail2ban is running. Closes gh-166. + fail2ban is running. Closes gh#fail2ban/fail2ban#166. @@ -102 +197 @@ - * [29d0df5] Add mysqld filter. Closes gh-152. + * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152. @@ -104 +199 @@ - * [bba3fd8] Add Sogo filter. Closes gh-117. + * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117. @@ -110 +205 @@ - * [be06b1b] Add action for iptables-ipsets. Closes gh-102. + * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102. @@ -115 +210 @@ - * [f336d9f] Add filter for webmin. Closes gh-99. + * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99. @@ -125 +220 @@ - consistently. Closes gh-172. + consistently. Closes gh#fail2ban/fail2ban#172. @@ -127 +222 @@ - * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124. + * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124. @@ -131 +226 @@ - Closes gh-142. + Closes gh#fail2ban/fail2ban#142. @@ -135 +230 @@ - Closes gh-126. Bug report by Michael Heuberger. + Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger. @@ -141 +236 @@ - * [3aeb1a9] Add jail.conf manual page. Closes gh-143. + * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143. @@ -174 +269 @@ - banning due to misconfigured DNS. Close gh-64 + banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64 @@ -180 +275,2 @@ - * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83 + * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. + Close gh#fail2ban/fail2ban#83 @@ -183 +279 @@ - in the console. Close gh-91 + in the console. Close gh#fail2ban/fail2ban#91 
@@ -188 +284,2 @@ - the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86 + the log file to take 'banip' or 'unbanip' in effect. + Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 @@ -196 +293,2 @@ - * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 + * [f52ba99] downgraded "already banned" from WARN to INFO level. + Closes gh#fail2ban/fail2ban#79 @@ -198 +296 @@ - for this gh-87) + for this gh#fail2ban/fail2ban#87) @@ -240 +338 @@ - message stays non-unicode. Close gh-32 + message stays non-unicode. Close gh#fail2ban/fail2ban#32 @@ -244 +342 @@ - friend to developers stuck with Windows (Closes gh-66) + friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66) @@ -257 +355 @@ ++++ 5 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes ++++ and /work/SRC/openSUSE:Factory/.fail2ban.new/fail2ban.changes Old: ---- fail2ban-0.8.11.tar.bz2 New: ---- fail2ban-0.8.12.tar.bz2 fix-for-upstream-firewallcmd-ipset.conf.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ --- /var/tmp/diff_new_pack.UC2u1H/_old 2014-01-30 14:54:37.000000000 +0100 +++ /var/tmp/diff_new_pack.UC2u1H/_new 2014-01-30 14:54:37.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package fail2ban # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,25 +17,7 @@ Name: fail2ban -Requires: cron -Requires: iptables -Requires: logrotate -Requires: lsof -Requires: python >= 2.5 -%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 -Requires: python-pyinotify -%endif -%if 0%{?suse_version} >= 1220 -Requires: python-gamin -%endif -%if 0%{?suse_version} >= 1230 -%{?systemd_requires} -BuildRequires: systemd -%endif -BuildRequires: logrotate -BuildRequires: python-devel -PreReq: %fillup_prereq -Version: 0.8.11 +Version: 0.8.12 Release: 0 Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -45,6 +27,8 @@ Group: Productivity/Networking/Security Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 %if 0%{?suse_version} < 1230 +# the init-script requires lsof +Requires: lsof Source1: %{name}.init %endif Source2: %{name}.sysconfig @@ -53,6 +37,24 @@ Source4: %{name}.service Source5: %{name}.tmpfiles %endif +# PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816 +Patch0: fix-for-upstream-firewallcmd-ipset.conf.patch +Requires: cron +Requires: iptables +Requires: logrotate +Requires: python >= 2.5 +%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 +Requires: python-pyinotify +%endif +%if 0%{?suse_version} >= 1220 +Requires: python-gamin +%endif +%if 0%{?suse_version} >= 1230 +%{?systemd_requires} +BuildRequires: systemd +%endif +BuildRequires: logrotate +BuildRequires: python-devel %description Fail2ban scans log files like /var/log/messages and bans IP addresses @@ -63,6 +65,7 @@ %prep %setup +%patch0 -p1 # correct doc-path sed -i -e 's|/usr/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py ++++++ fail2ban-0.8.11.tar.bz2 -> fail2ban-0.8.12.tar.bz2 ++++++ ++++ 4668 lines of diff (skipped) ++++++ fail2ban.logrotate ++++++ --- /var/tmp/diff_new_pack.UC2u1H/_old 2014-01-30 14:54:38.000000000 +0100 +++ /var/tmp/diff_new_pack.UC2u1H/_new 2014-01-30 14:54:38.000000000 +0100 
@@ -8,6 +8,6 @@ missingok create 644 root root postrotate - fail2ban-client set logtarget /var/log/fail2ban.log 1>/dev/null || true + fail2ban-client flushlogs 1>/dev/null || true endscript } ++++++ fix-for-upstream-firewallcmd-ipset.conf.patch ++++++ diff -ur fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf --- fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf 2014-01-16 09:20:14.000000000 +0100 +++ fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf 2014-01-23 22:43:53.115263616 +0100 @@ -25,8 +25,6 @@ ipset flush fail2ban-<name> ipset destroy fail2ban-<name> -actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$' - actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist actionunban = ipset del fail2ban-<name> <ip> -exist diff -ur fail2ban-0.8.12.orig/THANKS fail2ban-0.8.12/THANKS --- fail2ban-0.8.12.orig/THANKS 2014-01-21 21:59:49.000000000 +0100 +++ fail2ban-0.8.12/THANKS 2014-01-23 22:43:53.115263616 +0100 @@ -30,6 +30,7 @@ Daniel B. Daniel Black David Nutter +Derek Atkins Eric Gerbier Enrico Labedzki ftoppi
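Review bot: In the fail2ban.changes hunk, the security note at the top names CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 (postfix) without any bnc# reference, while the existing DoS entry further down is tagged "Closes gh#fail2ban/fail2ban#248, bnc#824710"; add the matching Bugzilla ids if they exist so the fixes can be tracked per distribution. The note credits the fixes to 0.8.11 but sits above the 0.8.12 update entry, so it would help to state that the previously shipped 0.8.11 package already contained them. Wording in the same hunk: "as to ignore and IP" should read "an IP", "openwebmail" appears twice in the new filters list, and "creaped", "perfork", "formating" and "jail name name length" look like typos.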
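Review bot: In fail2ban.spec, the block removed at "@@ -17,25 +17,7 @@" contained "PreReq: %fillup_prereq", but the block re-added at "@@ -53,6 +37,24 @@" does not, and no other visible hunk restores it. Source2 is still "%{name}.sysconfig", so if the scriptlets (not shown in this diff) still install that file through the fillup macros, the PreReq line should be kept alongside the moved Requires lines.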
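Review bot: In fix-for-upstream-firewallcmd-ipset.conf.patch, deleting the actioncheck line outright leaves this action with no check at all. The removed line grepped the firewall-cmd direct chains for "fail2ban-<name>", while the surrounding lines (ipset flush, ipset destroy, ipset add) operate on an ipset of that name, so a check against the set itself, for example "ipset list fail2ban-<name>", would keep a working safeguard instead of dropping it; please confirm which approach rh#1046816 settled on. The same patch file also carries an unrelated THANKS hunk adding "Derek Atkins"; drop it from a patch named for firewallcmd-ipset.conf, or mention it in the PATCH-FIX-UPSTREAM comment in the spec.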