Hello community, here is the log from the commit of package fail2ban.1498 for openSUSE:12.1:Update checked in at 2013-04-02 10:08:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/fail2ban.1498 (Old) and /work/SRC/openSUSE:12.1:Update/.fail2ban.1498.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "fail2ban.1498", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-26 18:15:11.936010755 +0100 +++ /work/SRC/openSUSE:12.1:Update/.fail2ban.1498.new/fail2ban.changes 2013-04-02 10:08:56.000000000 +0200 
@@ -0,0 +1,64 @@ +------------------------------------------------------------------- +Tue Mar 26 07:56:26 UTC 2013 - jweberhofer@weberhofer.at + +- fail2ban does not escape the content of <matches> + (bnc#794953, CVE-2012-5642): fail2ban-0.8.4-CVE-2012-5642.patch + +------------------------------------------------------------------- +Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at + +- Fixed initscript as discussed in bnc#790557 + +------------------------------------------------------------------- +Fri Nov 25 13:57:16 UTC 2011 - lchiquitto@suse.com + +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Apply packaging guidelines (remove redundant/obsolete + tags/sections from specfile, etc.) + +------------------------------------------------------------------- +Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@novell.com + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- +Wed May 5 16:48:46 UTC 2010 - lchiquitto@novell.com + +- Create /var/run/fail2ban during startup to support systems that + mount /var/run as tmpfs +- Build package as noarch +- Spec file cleanup: fix a couple of rpmlint warnings +- Init script: look for fail2ban-server when checking if the + daemon is running + +------------------------------------------------------------------- +Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.de + +- Update to 
version 0.8.4. Important changes: + * New "Ban IP" command + * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve + * Fixed the 'unexpected communication error' problem + * Remove socket file on startup if fail2ban crashed (bnc#537239) + +------------------------------------------------------------------- +Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de + +- Initial version: 0.8.3 + New: ---- fail2ban-0.8.2-fd_cloexec.patch fail2ban-0.8.4-CVE-2012-5642.patch fail2ban-0.8.4.tar.bz2 fail2ban.changes fail2ban.init fail2ban.spec fail2ban.sysconfig fix-tmp-usage.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ # # spec file for package fail2ban # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: fail2ban Requires: cron Requires: logrotate Requires: python >= 2.5 BuildRequires: python-devel PreReq: %fillup_prereq Version: 0.8.4 Release: 0 Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ Group: Productivity/Networking/Security Source0: http://download.sourceforge.net/sourceforge/fail2ban/%{name}-%{version}.tar.bz2 Source1: %{name}.init Source2: %{name}.sysconfig Patch: fail2ban-0.8.2-fd_cloexec.patch Patch1: fix-tmp-usage.diff # PATCH-FIX-UPSTREAM fail2ban-0.8.4-CVE-2012-5642.patch [bnc#794953, CVE-2012-5642] Patch2: fail2ban-0.8.4-CVE-2012-5642.patch %description Fail2ban scans log files like /var/log/messages and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address, can send e-mails, or set host.deny entries. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones. 
%prep %setup perl -pi -e 's;/usr/local/;/usr/;g' files/suse-initd %patch -p1 %patch1 -p1 %patch2 -p1 %build export CFLAGS="$RPM_OPT_FLAGS" python setup.py build gzip man/*.1 %install python setup.py install \ --root=$RPM_BUILD_ROOT \ --prefix=%{_prefix} install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1 for i in fail2ban-client fail2ban-regex fail2ban-server; do install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1 done install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/init.d install -d -m755 $RPM_BUILD_ROOT/usr/sbin install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/%{name} ln -sf /etc/init.d/%{name} ${RPM_BUILD_ROOT}/usr/sbin/rc%{name} install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name} %post %{fillup_only} %preun %stop_on_removal %{name} %postun %restart_on_update %{name} %insserv_cleanup %files %defattr(-, root, root) %dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}/action.d %dir %{_sysconfdir}/%{name}/filter.d %config %{_sysconfdir}/%{name}/*.conf %config %{_sysconfdir}/%{name}/action.d/*.conf %config %{_sysconfdir}/%{name}/filter.d/*.conf %{_sysconfdir}/init.d/%{name} /usr/bin/%{name}* /usr/sbin/rc%{name} /usr/share/%{name} %dir %ghost /var/run/%{name} /var/adm/fillup-templates/sysconfig.%{name} %doc %{_mandir}/man1/* %doc COPYING ChangeLog README TODO files/cacti %changelog ++++++ fail2ban-0.8.2-fd_cloexec.patch ++++++ --- fail2ban-0.8.2/server/filter.py.orig 2008-03-27 16:26:59.000000000 +0000 +++ fail2ban-0.8.2/server/filter.py 2008-03-27 15:29:48.000000000 +0000 @@ -428,6 +428,7 @@ # is computed and compared to the previous hash of this line. import md5 +import fcntl class FileContainer: 
@@ -455,6 +456,11 @@ def open(self): self.__handler = open(self.__filename) + + # Set the file descriptor to be FD_CLOEXEC + fd = self.__handler.fileno() + fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC) + firstLine = self.__handler.readline() # Computes the MD5 of the first line. myHash = md5.new(firstLine).digest() ++++++ fail2ban-0.8.4-CVE-2012-5642.patch ++++++
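Review bot: The F_SETFD call ORs the descriptor number into the flag word (`fd | fcntl.FD_CLOEXEC`), because `fd` holds the result of `fileno()` and no F_GETFD read is done; it only happens to work because FD_CLOEXEC is the sole defined flag bit, and any other flag the descriptor already carried would be clobbered. The intended sequence is `flags = fcntl.fcntl(fd, fcntl.F_GETFD)` followed by `fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)`, which also drops the redundant second `self.__handler.fileno()` call. The `open` method appears to continue past what is shown here, and the hunk header's context count suggests one trailing context line was lost in the page layout.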
From 83109bce144f443a48ef31165a5389b7b83f4e0e Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko
Date: Mon, 8 Oct 2012 22:14:51 -0400 Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols
---
server/action.py | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff -ur fail2ban-0.8.4-orig/server/action.py fail2ban-0.8.4/server/action.py
--- fail2ban-0.8.4-orig/server/action.py 2008-04-08 00:25:17.000000000 +0200
+++ fail2ban-0.8.4/server/action.py 2013-03-26 08:48:17.925207509 +0100
@@ -223,7 +223,14 @@
def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
##
# Replaces tags in query with property values in aInfo.
#
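Review bot: The character string that `escapeTag` iterates over leaves out both quote characters, so a log line containing `"` or `'` can still terminate the quoting an action template wraps around `<matches>` even though the remaining shell metacharacters get a backslash; a later upstream revision of this function escapes the two quotes as well, so I'd add `\'"` to that string. Backslash escaping only has the intended meaning in an unquoted or double-quoted shell context, which is worth stating on the method: `# Backslash-escapes shell metacharacters; only safe when the action template uses <matches> unquoted or inside double quotes, never inside single quotes.` The other tags substituted by `replaceTag` are not escaped at all, which presumably relies on the filter's <HOST> pattern constraining what `<ip>` can contain; that assumption is not visible in this diff.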
@@ -236,8 +243,13 @@
""" Replace tags in query
"""
string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string
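Review bot: `value = escapeTag(value)` uses the new helper's bare name from inside `replaceTag`, but `escapeTag` is bound at class scope (it is wrapped with `staticmethod` right after its body) and Python does not expose class-scope names inside method bodies, so unless a module-level `escapeTag` exists outside this diff, every action whose `aInfo` carries a `matches` entry would raise NameError and the ban command would never execute. It should read `value = Action.escapeTag(value)`, consistent with how `replaceTag` itself is invoked on the stop path (`Action.replaceTag(...)` in the previous hunk). Worth a unit test that calls `Action.replaceTag('<matches>', {'matches': 'a;b'})` and checks the result.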
Nur in fail2ban-0.8.4/server: action.py.orig.
++++++ fail2ban.init ++++++
#!/bin/sh
#
# Template SUSE system startup script for example daemon fail2ban
# Copyright (C) 2010 Klaus Sinvogel, SUSE / Novell Inc.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
# USA.
#
#
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $syslog $remote_fs $local_fs
# Should-Start: $time $network iptables
# Required-Stop: $syslog $remote_fs $local_fs
# Should-Stop: $time $network iptables
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Pidfile: /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many password failures
# Description: Start fail2ban to scan logfiles and ban IP addresses
# which make too many password failures, and/or send e-mails about them
### END INIT INFO
# Check for missing binaries (stale symlinks should not happen).
# A missing program is harmless for "stop" (nothing to shut down);
# for every other action exit with LSB status 5 (not installed).
FAIL2BAN_CLI=/usr/bin/fail2ban-client
if [ ! -x "$FAIL2BAN_CLI" ]; then
    echo "$FAIL2BAN_CLI not installed"
    [ "$1" = "stop" ] && exit 0
    exit 5
fi
FAIL2BAN_SRV=/usr/bin/fail2ban-server
if [ ! -x "$FAIL2BAN_SRV" ]; then
    echo "$FAIL2BAN_SRV not installed"
    [ "$1" = "stop" ] && exit 0
    exit 5
fi
# Check for existence of the sysconfig file; LSB status 6 means
# "program is not configured".
FAIL2BAN_CONFIG=/etc/sysconfig/fail2ban
if [ ! -r "$FAIL2BAN_CONFIG" ]; then
    echo "$FAIL2BAN_CONFIG not existing"
    [ "$1" = "stop" ] && exit 0
    exit 6
fi
# Unix socket the client uses to talk to the server; the directory
# is (re)created by the start action.
FAIL2BAN_SOCK_DIR="/var/run/fail2ban"
FAIL2BAN_SOCK="$FAIL2BAN_SOCK_DIR/fail2ban.sock"
# Read config.  The sysconfig file is sourced, i.e. executed as shell
# code in this script's context, so it must stay writable by root only.
. "$FAIL2BAN_CONFIG"
# SUSE rc helpers (rc_reset, rc_status, rc_exit, startproc, ...)
. /etc/rc.status
rc_reset
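# Dispatch on the LSB action given as $1.  Every branch records its
# outcome via rc_status so that rc_exit below returns the LSB code.
case "$1" in
    start)
        echo -n "Starting fail2ban "
        # /var/run may be a tmpfs that is empty after boot, so the
        # socket directory is (re)created on every start.
        if [ ! -d "$FAIL2BAN_SOCK_DIR" ]; then
            mkdir -p "$FAIL2BAN_SOCK_DIR"
        fi
        # A socket file that no process holds open is left over from a
        # crash; remove it so the server can bind again.
        # NOTE(review): if lsof is not installed, the negated test is
        # also true and a socket that is still in use would be removed;
        # nothing here guarantees that lsof is present.
        if [ -e "$FAIL2BAN_SOCK" ]; then
            if ! lsof -n "$FAIL2BAN_SOCK" >/dev/null 2>&1; then
                rm -f -- "$FAIL2BAN_SOCK"
            fi
        fi
        ## Start the daemon through fail2ban-client; a failure shows up
        ## in the exit status picked up by rc_status.
        ## "&>" is a bash-only redirection; under a POSIX /bin/sh it
        ## backgrounds the command instead, so use the portable form.
        # FAIL2BAN_OPTIONS (from /etc/sysconfig/fail2ban) is deliberately
        # unquoted so that it expands to zero or more separate options.
        # shellcheck disable=SC2086
        "$FAIL2BAN_CLI" -x -q $FAIL2BAN_OPTIONS start >/dev/null 2>&1
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down fail2ban "
        ## Stop daemon with built-in functionality 'stop'
        startproc -w "$FAIL2BAN_CLI" -q stop >/dev/null 2>&1
        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if [ "$1" = "condrestart" ]; then
            echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        if "$0" status; then
            "$0" restart
        else
            rc_reset    # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        "$0" stop
        "$0" start
        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config.  Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart the service if it
        ## is running.
        # NOTE(review): whether fail2ban-server actually reloads on
        # SIGHUP is not verified here; the "reload" action below goes
        # through the client instead.
        echo -n "Reload service fail2ban "
        killproc -HUP "$FAIL2BAN_SRV"
        rc_status -v
        ## Otherwise:
        #"$0" try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)
        # If it supports signaling:
        echo -n "Reload service fail2ban "
        startproc "$FAIL2BAN_CLI" -q reload >/dev/null 2>&1
        rc_status -v
        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service fail2ban "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.
        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/ pid file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
        # NOTE: checkproc returns LSB compliant status values.
        checkproc "$FAIL2BAN_SRV"
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)
        test /etc/fail2ban/fail2ban.conf -nt "$FAIL2BAN_SOCK_DIR/fail2ban.pid" && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit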
++++++ fail2ban.sysconfig ++++++
## Path: System/Security/Fail2ban
## Description: fail2ban options
## Type: string
## Default: ""
## ServiceReload: fail2ban
## ServiceRestart: fail2ban
#
# Options for fail2ban
#
# Extra command-line options handed to fail2ban-client when the init
# script starts the service.  The file is sourced by
# /etc/init.d/fail2ban and the value is expanded unquoted there, so it
# is split into separate arguments on whitespace.
FAIL2BAN_OPTIONS=""
++++++ fix-tmp-usage.diff ++++++
From: yarikoptic