Hello community,

here is the log from the commit of package fail2ban.1498 for openSUSE:12.1:Update checked in at 2013-04-02 10:08:55

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/fail2ban.1498 (Old)
 and      /work/SRC/openSUSE:12.1:Update/.fail2ban.1498.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban.1498", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null 2013-02-26 18:15:11.936010755 +0100 +++ /work/SRC/openSUSE:12.1:Update/.fail2ban.1498.new/fail2ban.changes 2013-04-02 10:08:56.000000000 +0200
@@ -0,0 +1,64 @@ +------------------------------------------------------------------- +Tue Mar 26 07:56:26 UTC 2013 - jweberhofer@weberhofer.at + +- fail2ban does not escape the content of <matches> + (bnc#794953, CVE-2012-5642): fail2ban-0.8.4-CVE-2012-5642.patch + +------------------------------------------------------------------- +Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at + +- Fixed initscript as discussed in bnc#790557 + +------------------------------------------------------------------- +Fri Nov 25 13:57:16 UTC 2011 - lchiquitto@suse.com + +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Apply packaging guidelines (remove redundant/obsolete + tags/sections from specfile, etc.) + +------------------------------------------------------------------- +Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@novell.com + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- +Wed May 5 16:48:46 UTC 2010 - lchiquitto@novell.com + +- Create /var/run/fail2ban during startup to support systems that + mount /var/run as tmpfs +- Build package as noarch +- Spec file cleanup: fix a couple of rpmlint warnings +- Init script: look for fail2ban-server when checking if the + daemon is running + +------------------------------------------------------------------- +Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.de + +- Update to 
version 0.8.4. Important changes: + * New "Ban IP" command + * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve + * Fixed the 'unexpected communication error' problem + * Remove socket file on startup if fail2ban crashed (bnc#537239) + +------------------------------------------------------------------- +Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de + +- Initial version: 0.8.3 +

New:
----
  fail2ban-0.8.2-fd_cloexec.patch
  fail2ban-0.8.4-CVE-2012-5642.patch
  fail2ban-0.8.4.tar.bz2
  fail2ban.changes
  fail2ban.init
  fail2ban.spec
  fail2ban.sysconfig
  fix-tmp-usage.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fail2ban.spec ++++++
#
# spec file for package fail2ban
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           fail2ban
Requires:       cron
Requires:       logrotate
Requires:       python >= 2.5
BuildRequires:  python-devel
PreReq:         %fillup_prereq
Version:        0.8.4
Release:        0
Url:            http://www.fail2ban.org/
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
Summary:        Bans IP addresses that make too many authentication failures
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Source0:        http://download.sourceforge.net/sourceforge/fail2ban/%{name}-%{version}.tar.bz2
Source1:        %{name}.init
Source2:        %{name}.sysconfig
Patch:          fail2ban-0.8.2-fd_cloexec.patch
Patch1:         fix-tmp-usage.diff
# PATCH-FIX-UPSTREAM fail2ban-0.8.4-CVE-2012-5642.patch [bnc#794953, CVE-2012-5642]
Patch2:         fail2ban-0.8.4-CVE-2012-5642.patch

%description
Fail2ban scans log files like /var/log/messages and bans IP addresses
that make too many password failures. It updates firewall rules to
reject the IP address, can send e-mails, or set host.deny entries.
These rules can be defined by the user. Fail2Ban can read multiple log
files such as sshd or Apache web server ones.
%prep
%setup
perl -pi -e 's;/usr/local/;/usr/;g' files/suse-initd
%patch -p1
%patch1 -p1
%patch2 -p1

%build
export CFLAGS="$RPM_OPT_FLAGS"
python setup.py build
gzip man/*.1

%install
python setup.py install \
	--root=$RPM_BUILD_ROOT \
	--prefix=%{_prefix}
install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1
for i in fail2ban-client fail2ban-regex fail2ban-server; do
	install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1
done
install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/init.d
install -d -m755 $RPM_BUILD_ROOT/usr/sbin
install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/%{name}
ln -sf /etc/init.d/%{name} ${RPM_BUILD_ROOT}/usr/sbin/rc%{name}
install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name}

%post
%{fillup_only}

%preun
%stop_on_removal %{name}

%postun
%restart_on_update %{name}
%insserv_cleanup

%files
%defattr(-, root, root)
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/action.d
%dir %{_sysconfdir}/%{name}/filter.d
%config %{_sysconfdir}/%{name}/*.conf
%config %{_sysconfdir}/%{name}/action.d/*.conf
%config %{_sysconfdir}/%{name}/filter.d/*.conf
%{_sysconfdir}/init.d/%{name}
/usr/bin/%{name}*
/usr/sbin/rc%{name}
/usr/share/%{name}
%dir %ghost /var/run/%{name}
/var/adm/fillup-templates/sysconfig.%{name}
%doc %{_mandir}/man1/*
%doc COPYING ChangeLog README TODO files/cacti

%changelog
++++++ fail2ban-0.8.2-fd_cloexec.patch ++++++
--- fail2ban-0.8.2/server/filter.py.orig 2008-03-27 16:26:59.000000000 +0000 +++ fail2ban-0.8.2/server/filter.py 2008-03-27 15:29:48.000000000 +0000 @@ -428,6 +428,7 @@ # is computed and compared to the previous hash of this line. import md5 +import fcntl class FileContainer:
@@ -455,6 +456,11 @@ def open(self): self.__handler = open(self.__filename) + + # Set the file descriptor to be FD_CLOEXEC + fd = self.__handler.fileno() + fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC) + firstLine = self.__handler.readline() # Computes the MD5 of the first line. myHash = md5.new(firstLine).digest() ++++++ fail2ban-0.8.4-CVE-2012-5642.patch ++++++
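Review bot: in the FileContainer.open hunk of fail2ban-0.8.2-fd_cloexec.patch above, the F_SETFD call ORs FD_CLOEXEC into the descriptor number rather than into the descriptor's current flags (`fd = self.__handler.fileno()` followed by `fcntl.fcntl(self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)`), which only works because Linux ignores the extra bits. Read the flags first and set them from that value: `flags = fcntl.fcntl(fd, fcntl.F_GETFD)` then `fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)`, reusing `fd` instead of calling fileno() a second time. The intent is sound: without the flag the log-file descriptor opened here is inherited by every child process the server spawns.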
From 83109bce144f443a48ef31165a5389b7b83f4e0e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 8 Oct 2012 22:14:51 -0400
Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols
--- server/action.py | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff -ur fail2ban-0.8.4-orig/server/action.py fail2ban-0.8.4/server/action.py --- fail2ban-0.8.4-orig/server/action.py 2008-04-08 00:25:17.000000000 +0200 +++ fail2ban-0.8.4/server/action.py 2013-03-26 08:48:17.925207509 +0100 @@ -223,7 +223,14 @@ def execActionStop(self): stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) return Action.executeCmd(stopCmd) - + + def escapeTag(tag): + for c in '\\#&;`|*?~<>^()[]{}$\n': + if c in tag: + tag = tag.replace(c, '\\' + c) + return tag + escapeTag = staticmethod(escapeTag) + ## # Replaces tags in query with property values in aInfo. # 
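Review bot: the escapeTag hunk installs the helper as a staticmethod of Action, but the replaceTag hunk that follows calls it as a bare name (`value = escapeTag(value)`); names bound in a class body are not visible from inside a method, and the patch adds no module-level escapeTag, so the first substitution of `<matches>` raises NameError instead of escaping anything. Call it as `Action.escapeTag(value)`, matching how `Action.replaceTag` and `Action.executeCmd` are referenced in the execActionStop context above. Separately, the escape list `'\\#&;`|*?~<>^()[]{}$\n'` covers the usual shell metacharacters but not `'` or `"`, so a match placed inside a quoted argument of an action command can still terminate the quote; adding both quote characters to the list closes that gap.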
@@ -236,8 +243,13 @@ """ Replace tags in query """ string = query - for tag in aInfo: - string = string.replace('<' + tag + '>', str(aInfo[tag])) + for tag, value in aInfo.iteritems(): + value = str(value) # assure string + if tag == 'matches': + # That one needs to be escaped since its content is + # out of our control + value = escapeTag(value) + string = string.replace('<' + tag + '>', value) # New line string = string.replace("<br>", '\n') return string Nur in fail2ban-0.8.4/server: action.py.orig.
++++++ fail2ban.init ++++++
#!/bin/sh
#
# Template SUSE system startup script for example daemon fail2ban
# Copyright (C) 2010 Klaus Sinvogel, SUSE / Novell Inc.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
# USA.
#
#
### BEGIN INIT INFO
# Provides:          fail2ban
# Required-Start:    $syslog $remote_fs $local_fs
# Should-Start:      $time $network iptables
# Required-Stop:     $syslog $remote_fs $local_fs
# Should-Stop:       $time $network iptables
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Pidfile:           /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many password failures
# Description:       Start fail2ban to scan logfiles and ban IP addresses
#                    which cause too many failures in the logfiles, and/or
#                    send e-mails about them
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
FAIL2BAN_CLI=/usr/bin/fail2ban-client
test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 5; fi; }
FAIL2BAN_SRV=/usr/bin/fail2ban-server
test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 5; fi; }

# Check for existence of needed config file and read it
FAIL2BAN_CONFIG=/etc/sysconfig/fail2ban
test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 6; fi; }

# Socket directory
FAIL2BAN_SOCK_DIR="/var/run/fail2ban"
FAIL2BAN_SOCK="$FAIL2BAN_SOCK_DIR/fail2ban.sock"

# Read config
. $FAIL2BAN_CONFIG

. /etc/rc.status
rc_reset

case "$1" in
    start)
	echo -n "Starting fail2ban "
	# /var/run may be a tmpfs, so the socket directory has to be
	# (re)created on every boot (the package only ships it as %ghost).
	if [ ! -d $FAIL2BAN_SOCK_DIR ]; then
	    mkdir -p $FAIL2BAN_SOCK_DIR
	fi
	# Drop a stale socket left behind by a crashed server, but only
	# if no process still has it open.
	if [ -e $FAIL2BAN_SOCK ]; then
	    if ! lsof -n $FAIL2BAN_SOCK >/dev/null 2>&1; then
		rm $FAIL2BAN_SOCK
	    fi
	fi
	## Start the server through fail2ban-client; rc_status below
	## picks up the client's exit status.
	$FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start >/dev/null 2>&1

	# Remember status and be verbose
	rc_status -v
	;;
    stop)
	echo -n "Shutting down fail2ban "
	## Stop daemon with built-in functionality 'stop'
	startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1

	# Remember status and be verbose
	rc_status -v
	;;
    try-restart|condrestart)
	## Do a restart only if the service was active before.
	## Note: try-restart is now part of LSB (as of 1.9).
	## RH has a similar command named condrestart.
	if test "$1" = "condrestart"; then
		echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
	fi
	$0 status
	if test $? = 0; then
		$0 restart
	else
		rc_reset	# Not running is not a failure.
	fi
	# Remember status and be quiet
	rc_status
	;;
    restart)
	## Stop the service and regardless of whether it was
	## running or not, start it again.
	$0 stop
	$0 start

	# Remember status and be quiet
	rc_status
	;;
    force-reload)
	## Signal the daemon to reload its config. Most daemons
	## do this on signal 1 (SIGHUP).
	## If it does not support it, restart the service if it
	## is running.

	echo -n "Reload service fail2ban "
	killproc -HUP $FAIL2BAN_SRV
	rc_status -v

	## Otherwise:
	#$0 try-restart
	#rc_status
	;;
    reload)
	## Like force-reload, but if daemon does not support
	## signaling, do nothing (!)

	# If it supports signaling:
	echo -n "Reload service fail2ban "
	startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1
	rc_status -v

	## Otherwise if it does not support reload:
	#rc_failed 3
	#rc_status -v
	;;
    status)
	echo -n "Checking for service fail2ban "
	## Check status with checkproc(8), if process is running
	## checkproc will return with exit status 0.

	# Return value is slightly different for the status command:
	# 0 - service up and running
	# 1 - service dead, but /var/run/  pid  file exists
	# 2 - service dead, but /var/lock/ lock file exists
	# 3 - service not running (unused)
	# 4 - service status unknown :-(
	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

	# NOTE: checkproc returns LSB compliant status values.
	checkproc $FAIL2BAN_SRV
	# NOTE: rc_status knows that we called this init script with
	# "status" option and adapts its messages accordingly.
	rc_status -v
	;;
    probe)
	## Optional: Probe for the necessity of a reload, print out the
	## argument to this init script which is required for a reload.
	## Note: probe is not (yet) part of LSB (as of 1.9)

	test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban/fail2ban.pid && echo reload
	;;
    *)
	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
	exit 1
	;;
esac
rc_exit
++++++ fail2ban.sysconfig ++++++
## Path:           System/Security/Fail2ban
## Description:    fail2ban options
## Type:           string
## Default:        ""
## ServiceReload:  fail2ban
## ServiceRestart: fail2ban
#
# Options for fail2ban
#
FAIL2BAN_OPTIONS=""
++++++ fix-tmp-usage.diff ++++++
From: yarikoptic <yarikoptic@a942ae1a-1317-0410-a47c-b1dcaea8d605>
Date: Wed, 23 Mar 2011 20:35:56 +0000 (+0000)
Subject: BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs...
X-Git-Tag: upstream/0.8.4+svn20110323^2~8
X-Git-Url: http://git.onerussian.com/?p=deb%2Ffail2ban.git;a=commitdiff_plain;h=ea7d352...

BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see bugs.debian.org/544232

It should be robust since /var/run/fail2ban is guaranteed to exist to carry the socket file, and it will be owned by root (or some other dedicated fail2ban user) thus avoiding possibility for the exploit

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@... a942ae1a-1317-0410-a47c-b1dcaea8d605
---
diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index b80698b..8549a55 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -206,5 +206,5 @@ dest = reports@dshield.org # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] Default: /tmp/fail2ban-dshield # -tmpfile = /tmp/fail2ban-dshield +tmpfile = /var/run/fail2ban/tmp-dshield diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 8a33d0e..6fd51d2 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf
@@ -81,7 +81,7 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt # Destination/Addressee of the mail # diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 15b91b1..f0e5515 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf @@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp # Notes.: Base name of temporary files # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman # -tmpfile = /tmp/fail2ban-mynetwatchman +tmpfile = /var/run/fail2ban/tmp-mynetwatchman diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index de8166a..25a23b7 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf @@ -101,5 +101,5 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt
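Review bot: the dshield.conf hunk moves `tmpfile` to /var/run/fail2ban/tmp-dshield but leaves the comment two lines above, `# Values: [ STRING ] Default: /tmp/fail2ban-dshield`, describing the old /tmp default; update it to the new path so the documented default matches the value. The commit message's assumption that /var/run/fail2ban exists holds for this package: the init script's start branch creates the directory and the spec lists it as `%dir %ghost /var/run/%{name}`.

Review bot: the mynetwatchman.conf hunk has the same stale documentation: `# Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman` still names the /tmp path after `tmpfile` moved to /var/run/fail2ban/tmp-mynetwatchman; update the comment alongside the value.

Review bot: in the sendmail-buffered.conf hunk, the new `tmpfile = /var/run/fail2ban/tmp-mail.txt` is the same path the mail-buffered.conf hunk assigns, so enabling both buffered mail actions makes them share one buffer file. This is carried over from the previous shared /tmp/fail2ban-mail.txt, but since the paths are being changed anyway, a per-action name such as tmp-sendmail.txt would keep the two buffers separate.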