openSUSE-RU-2017:1779-1: moderate: Recommended update for fail2ban

5 Jul 2017

      openSUSE Recommended Update: Recommended update for fail2ban
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2017:1779-1
Rating:             moderate
References:         #1036928 
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for fail2ban fixes the following issues:

   Fail2Ban was updated to version 0.9.7.

   Additional fixes included:

   - Updated roundcube authentication filter
   - Postfix RBL: 554 & SMTP fixes boo#1036928 " fail2ban-rbl regex
     incorrect, takes no action as a result".

   Version changes on 0.9.7:

     * Fixed a systemd-journal handling in fail2ban-regex
       (gh#fail2ban/fail2ban#1657)
     * filter.d/sshd.conf
       - Fixed non-anchored part of failregex (misleading match of colon
         inside IPv6 address instead of `: ` in the reason-part by missing
         space, gh#fail2ban/fail2ban#1658) (0.10th resp. IPv6 relevant only,
         amend for gh#fail2ban/fail2ban#1479)
     * config/pathes-freebsd.conf
       - Fixed filenames for apache and nginx log files
         (gh#fail2ban/fail2ban#1667)
     * filter.d/exim.conf
       - optional part `(...)` after host-name before `[IP]`
         (gh#fail2ban/fail2ban#1751)
       - new reason "Unrouteable address" for "rejected RCPT" regex
         (gh#fail2ban/fail2ban#1762)
       - match of complex time like `D=2m42s` in regex "no MAIL in SMTP
         connection" (gh#fail2ban/fail2ban#1766)
     * filter.d/sshd.conf
       - new aggressive rules (gh#fail2ban/fail2ban#864):
         - Connection reset by peer (multi-line rule during authorization
   process)
         - No supported authentication methods available
       - single line and multi-line expression optimized, added optional
         prefixes and suffix (logged from several ssh versions), according to
         gh#fail2ban/fail2ban#1206;
       - fixed expression received disconnect auth fail (optional space after
         port part, gh#fail2ban/fail2ban#1652) and suffix (logged from
         several ssh versions), according to gh#fail2ban/fail2ban#1206;
     * filter.d/suhosin.conf
       - greedy catch-all before `<HOST>` fixed (potential vulnerability)
     * filter.d/cyrus-imap.conf
       - accept entries without login-info resp. hostname before IP address
         (#fail2ban/fail2ban#707)
     * Filter tests extended with check of all config-regexp, that contains
       greedy catch-all before `<HOST>`, that is hard-anchored at end or
       precise sub expression after `<HOST>`

   * New Actions:
     - action.d/netscaler: Block IPs on a Citrix Netscaler ADC
       (gh#fail2ban/fail2ban#1663)

   * New Filters:
     - filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
   * Introduced new log-level `MSG` (as INFO-2, equivalent to 18)

   - rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban

   fail2ban version update to 0.9.6 (2016/12/10) included:

   Fixes:

   * Misleading add resp. enable of (already available) jail in database,
     that induced a subsequent error: last position of log file will be never
     retrieved (gh-795)
   * Fixed a distribution related bug within
     testReadStockJailConfForceEnabled (e.g. test-cases faults on Fedora, see
     gh-1353)
   * Fixed pythonic filters and test scripts (running via wrong python
     version, uses "fail2ban-python" now);
   * Fixed test case "testSetupInstallRoot" for not default python version
     (also using direct call, out of virtualenv);
   * Fixed ambiguous wrong recognized date pattern resp. its optional parts
     (see gh-1512);
   * FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
   * Monit config: scripting is not supported in path (gh-1556)
   * `filter.d/apache-modsecurity.conf`
       - Fixed for newer version (one space, gh-1626), optimized: non-greedy
         catch-all replaced for safer match, unneeded catch-all anchoring
         removed, non-capturing
   * `filter.d/asterisk.conf`
       - Fixed to match different asterisk log prefix (source file: method:)
   * `filter.d/dovecot.conf`
       - Fixed failregex ignores failures through some not relevant info
         (gh-1623)
   * `filter.d/ignorecommands/apache-fakegooglebot`
       - Fixed error within apache-fakegooglebot, that will be called with
         wrong python version (gh-1506)
   * `filter.d/assp.conf`
       - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
   * `filter.d/postfix-sasl.conf`
       - Allow for having no trailing space after 'failed:' (gh-1497)
   * `filter.d/vsftpd.conf`
       - Optional reason part in message after FAIL LOGIN (gh-1543)
   * `filter.d/sendmail-reject.conf`
       - removed mandatory double space (if dns-host available, gh-1579)
   * filter.d/sshd.conf
       - recognized "Failed publickey for" (gh-1477);
       - optimized failregex to match all of "Failed any-method for ... from
         <HOST>" (gh-1479)
       - eliminated possible complex injections (on user-name resp.
         auth-info, see gh-1479)
       - optional port part after host (see gh-1533, gh-1581)

   New Features:

   * New Actions:
       - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
   * New Filters:
       - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL
         database engine) (gh-1586, gh-1606 and gh-1607)

   Enhancements:

   * DateTemplate regexp extended with the word-end boundary, additionally to
     word-start boundary
   * Introduces new command "fail2ban-python", as automatically created
     symlink to python executable, where fail2ban currently installed (resp.
     its modules are located):
       - allows to use the same version, fail2ban currently running, e.g. in
         external scripts just via replace python with fail2ban-python:
         ```diff
         -#!/usr/bin/env python
         +#!/usr/bin/env fail2ban-python ```
       - always the same pickle protocol
       - the same (and also guaranteed available) fail2ban modules
       - simplified stand-alone install, resp. stand-alone installation
         possibility via setup (like gh-1487) is getting closer
   * Several test cases rewritten using new methods assertIn, assertNotIn
   * New forward compatibility method assertRaisesRegexp (normally python >=
     2.7). Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged,
     assertNotLogged are test covered now
   * Jail configuration extended with new syntax to pass options to the
     backend (see gh-1408), examples:
       - `backend = systemd[journalpath=/run/log/journal/machine-1]`
       - `backend =
         systemd[journalfiles="/run/log/journal/machine-1/system.journal,
         /run/log/journal/machine-1/user.journal"]`
       - `backend = systemd[journalflags=2]`

Patch Instructions:

   To install this openSUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-772=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.2 (noarch):

      SuSEfirewall2-fail2ban-0.9.7-2.3.1
      fail2ban-0.9.7-2.3.1
      monitoring-plugins-fail2ban-0.9.7-2.3.1

References:

   https://bugzilla.suse.com/1036928

maintenance＠opensuse.org

tags

participants (1)