openSUSE-RU-2017:1779-1: moderate: Recommended update for fail2ban
openSUSE Recommended Update: Recommended update for fail2ban
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2017:1779-1
Rating:             moderate
References:         #1036928
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for fail2ban fixes the following issues:

Fail2Ban was updated to version 0.9.7.

Additional fixes included:

- Updated roundcube authentication filter
- Postfix RBL: 554 & SMTP fixes boo#1036928 "fail2ban-rbl regex incorrect, takes no action as a result".

Version changes on 0.9.7:

* Fixed systemd-journal handling in fail2ban-regex (gh#fail2ban/fail2ban#1657)
* filter.d/sshd.conf
  - Fixed non-anchored part of failregex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space, gh#fail2ban/fail2ban#1658) (0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
* config/pathes-freebsd.conf
  - Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
* filter.d/exim.conf
  - optional part `(...)` after host-name before `[IP]` (gh#fail2ban/fail2ban#1751)
  - new reason "Unrouteable address" for "rejected RCPT" regex (gh#fail2ban/fail2ban#1762)
  - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh#fail2ban/fail2ban#1766)
* filter.d/sshd.conf
  - new aggressive rules (gh#fail2ban/fail2ban#864):
    - Connection reset by peer (multi-line rule during authorization process)
    - No supported authentication methods available
  - single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
  - fixed expression received disconnect auth fail (optional space after port part, gh#fail2ban/fail2ban#1652) and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
* filter.d/suhosin.conf
  - greedy catch-all before `<HOST>` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
  - accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
* New Actions:
  - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
* New Filters:
  - filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)

- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban

fail2ban version update to 0.9.6 (2016/12/10) included:

Fixes:

* Misleading add resp. enable of (already available) jail in database, that induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled (e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version, uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it is not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
  - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
  - Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
  - Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
  - Fixed error within apache-fakegooglebot, that will be called with wrong python version (gh-1506)
* `filter.d/assp.conf`
  - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
  - Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
  - Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
  - removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
  - recognized "Failed publickey for" (gh-1477);
  - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
  - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
  - optional port part after host (see gh-1533, gh-1581)

New Features:

* New Actions:
  - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
  - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine) (gh-1586, gh-1606 and gh-1607)

Enhancements:

* DateTemplate regexp extended with the word-end boundary, additionally to word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located):
  - allows to use the same version, fail2ban currently running, e.g. in external scripts just via replace python with fail2ban-python:

    ```diff
    -#!/usr/bin/env python
    +#!/usr/bin/env fail2ban-python
    ```

  - always the same pickle protocol
  - the same (and also guaranteed available) fail2ban modules
  - simplified stand-alone install, resp. stand-alone installation possibility via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7). Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408), examples:
  - `backend = systemd[journalpath=/run/log/journal/machine-1]`
  - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
  - `backend = systemd[journalflags=2]`

Patch Instructions:

To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-772=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.2 (noarch):

      SuSEfirewall2-fail2ban-0.9.7-2.3.1
      fail2ban-0.9.7-2.3.1
      monitoring-plugins-fail2ban-0.9.7-2.3.1

References:

https://bugzilla.suse.com/1036928
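
The 0.9.7 notes above mention a greedy catch-all before `<HOST>` (filter.d/suhosin.conf) and a filter test for that pattern. The following Python is an added example, not fail2ban's own test code: it flags such failregex strings and shows, on a constructed log line, which address each form extracts. `HOST_GROUP`, the two sample regexes and the log line are assumptions made for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Unescaped '.*' or '.+' that is not made lazy by a following '?'.
GREEDY = re.compile(r"(?<!\\)\.[*+](?!\?)")


def audit_failregex(failregex):
    """Return findings for one failregex; an empty list means nothing flagged.

    Simplification of the check named in the changelog: a greedy catch-all
    before <HOST> is accepted only when the expression is hard-anchored
    at its end with '$'.
    """
    head, sep, tail = failregex.partition("<HOST>")
    if not sep:
        return ["no <HOST> tag"]
    end_anchored = tail.endswith("$") and not tail.endswith("\\$")
    if GREEDY.search(head) and not end_anchored:
        return ["greedy catch-all before <HOST> without end anchor"]
    return []


def extracted_host(failregex, line):
    """Expand <HOST> and return the address the expression captures, or None."""
    match = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return match.group("host") if match else None


# Constructed sample data (documentation address ranges, hypothetical app log).
# The quoted user field is text supplied by the remote client.
LINE = 'app: login failed from 192.0.2.10 user="x from 203.0.113.5"'
WEAK = r"login failed.* from <HOST>"
HARDENED = r'^app: login failed from <HOST> user=".*"$'

if __name__ == "__main__":
    for name, rx in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_failregex(rx), extracted_host(rx, LINE))
```

With the greedy form the captured address comes from the logged user field rather than from the connection, so the ban would land on the wrong host; the anchored form captures the connecting address.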