Hello community, here is the log from the commit of package fail2ban.1800 for openSUSE:12.3:Update checked in at 2013-07-02 11:14:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/fail2ban.1800 (Old) and /work/SRC/openSUSE:12.3:Update/.fail2ban.1800.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "fail2ban.1800" Changes: -------- New Changes file: --- /dev/null 2013-07-02 09:26:14.908030755 +0200 +++ /work/SRC/openSUSE:12.3:Update/.fail2ban.1800.new/fail2ban.changes 2013-07-02 11:14:36.000000000 +0200 
@@ -0,0 +1,205 @@ +------------------------------------------------------------------- +Fri Jun 14 12:46:35 UTC 2013 - jweberhofer@weberhofer.at + +- Fixes: Yaroslav Halchenko + * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor + failregex at the beginning (and where applicable at the end). + Addresses a possible DoS. + Closes gh#fail2ban/fail2ban#248, CVE-2013-2178, bnc#824710 + +------------------------------------------------------------------- +Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at + +One of the important changes is escaping of the <matches> content -- so if you +crafted some custom action which uses it -- you must upgrade, or you +would be at a significant security risk. + +- Fixes: + Alan Jenkins + * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid + banning due to misconfigured DNS. Close gh-64 + Yaroslav Halchenko + * [83109bc] IMPORTANT: escape the content of <matches> (if used in + custom action files) since its value could contain arbitrary + symbols. Thanks for discovery go to the NBS System security + team + * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83 + * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 + * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages + in the console. Close gh-91 + +- New features: + David Engeset + * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching + the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86 + +- Enhancements: + * [2d66f31] replaced uninformative "Invalid command" message with warning log + exception why command actually failed + * [958a1b0] improved failregex to "support" auth.backend = "htdigest" + * [9e7a3b7] until we make it proper module -- adjusted sys.path only if + system-wide run + * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 + * [f105379] added hints into the log on some failure return codes (e.g. 
0x7f00 + for this gh-87) + * Various others: travis-ci integration, script to run tests + against all available Python versions, etc + +------------------------------------------------------------------- +Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at + +- Fixed initscript as discussed in bnc#790557 + +------------------------------------------------------------------- +Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com + +- use Source URL pointing to github + +------------------------------------------------------------------- +Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at + +- Do not longer replace main config-files +- Use variables for directories in spec file + +------------------------------------------------------------------- +Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at + +- Added dependencies to python-pyinotifyi, python-gamin and iptables + +------------------------------------------------------------------- +Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at + +- Upgraded to version 0.8.7.1 + +- Yaroslav Halchenko + * [e9762f3] Removed sneaked in comment on sys.path.insert + Tom Hendrikx & Jeremy Olexa + * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. + See http://forums.gentoo.org/viewtopic-t-899018.html +- Chris Reffett + * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, + rather than just one failure. +- Yaroslav Halchenko + * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf + * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf + * [ed16ecc] enforce "ip" field returned as str, not unicode so that log + message stays non-unicode. 
Close gh-32 + * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if + already present in the pattern + * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be + friend to developers stuck with Windows (Closes gh-66) + * [80b191c] anchor grep regexp in actioncheck to not match partial names + of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) +- New features: +- François Boulogne + * [a7cb20e..] add lighttpd-auth filter/jail +- Lee Clemens & Yaroslav Halchenko + * [e442503] pyinotify backend (default if backend='auto' and pyinotify + is available) + * [d73a71f,3989d24] usedns parameter for the jails to allow disabling + use of DNS +- Tom Hendrikx + * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban + repeated offenders. Close gh-19 +- Xavier Devlamynck + * [7d465f9..] Add asterisk support +- Zbigniew Jedrzejewski-Szmek + * [de502cf..] allow running fail2ban as non-root user (disabled by + default) via xt_recent. See doc/run-rootless.txt +- Enhancements +- Lee Clemens + * [47c03a2] files/nagios - spelling/grammar fixes + * [b083038] updated Free Software Foundation's address + * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 + * [642d9af,3282f86] reformated printing of jail's name to be consistent + with init's info messages + * [3282f86] uniform use of capitalized Jail in the messages +- Leonardo Chiquitto + * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf + to reflect code + * [a7d47e8] Update Free Software Foundation's address +- Petr Voralek + * [4007751] catch failed ssh logins due to being listed in DenyUsers. + Close gh-47 (Closes: #669063) +- Yaroslav Halchenko + * [MANY] extended and robustified unittests: test different backends + * [d9248a6] refactored Filter's to avoid duplicate functionality + * [7821174] direct users to issues on github + * [d2ffee0..] 
re-factored fail2ban-regex -- more condensed output by + default with -v to control verbosity + * [b4099da] adjusted header for config/*.conf to mention .local and way + to comment (Thanks Stefano Forli for the note) + * [6ad55f6] added failregex for wu-ftpd to match against syslog instead + of DoS-prone auth.log's rhost (Closes: #514239) + * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for + sshd filter (Closes: #648020) +- Yehuda Katz & Yaroslav Halchenko + * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers + +------------------------------------------------------------------- +Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de + +- Adding to fail2ban.init remove of pid and sock files on stop + in case not removed before (prevents start fail) + +------------------------------------------------------------------- +Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at + +- Update to version 0.8.6. containing various fixes and enhancements + +------------------------------------------------------------------- +Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com + +- Update to version 0.8.5: many bug fixes, enhancements and, as + a bonus, drop two patches that are now upstream +- Update FSF address to silent rpmlint warnings +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Apply packaging guidelines (remove redundant/obsolete + tags/sections from specfile, etc.) 
+ +------------------------------------------------------------------- +Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- +Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com + +- Create /var/run/fail2ban during startup to support systems that + mount /var/run as tmpfs +- Build package as noarch +- Spec file cleanup: fix a couple of rpmlint warnings +- Init script: look for fail2ban-server when checking if the + daemon is running + +------------------------------------------------------------------- +Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com + +- Update to version 0.8.4. Important changes: + * New "Ban IP" command + * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve ++++ 8 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.fail2ban.1800.new/fail2ban.changes New: ---- fail2ban-CVE-2013-2178.patch fail2ban.changes fail2ban.init fail2ban.spec fail2ban.sysconfig fail2ban_0.8.8.orig.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ # # spec file for package fail2ban # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: fail2ban Requires: cron Requires: iptables Requires: logrotate Requires: lsof Requires: python >= 2.5 %if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 Requires: python-pyinotify %endif %if 0%{?suse_version} >= 1220 Requires: python-gamin %endif BuildRequires: python-devel PreReq: %fillup_prereq Version: 0.8.8 Release: 0 Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ Group: Productivity/Networking/Security Source0: https://github.com/downloads/fail2ban/fail2ban/%{name}_%{version}.orig.tar.gz Source1: %{name}.init Source2: %{name}.sysconfig # PATCH-FIX-UPSTREAM fail2ban-CVE-2013-2178.patch CVE-2013-2178 bnc#824710 Patch0: fail2ban-CVE-2013-2178.patch %description Fail2ban scans log files like /var/log/messages and bans IP addresses that makes too many password failures. It updates firewall rules to reject the IP address, can send e-mails, or set host.deny entries. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones. 
%prep %setup %patch0 -p1 %build export CFLAGS="$RPM_OPT_FLAGS" python setup.py build gzip man/*.1 %install python setup.py install \ --root=$RPM_BUILD_ROOT \ --prefix=%{_prefix} install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1 for i in fail2ban-client fail2ban-regex fail2ban-server; do install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1 done install -d -m755 $RPM_BUILD_ROOT/%{_initrddir} install -d -m755 $RPM_BUILD_ROOT/%{_sbindir} install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_initrddir}/%{name} ln -sf %{_initrddir}/%{name} ${RPM_BUILD_ROOT}%{_sbindir}/rc%{name} install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name} %post %{fillup_only} %preun %stop_on_removal %{name} %postun %restart_on_update %{name} %insserv_cleanup %files %defattr(-, root, root) %dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}/action.d %dir %{_sysconfdir}/%{name}/filter.d %config(noreplace) %{_sysconfdir}/%{name}/*.conf %config(noreplace) %{_sysconfdir}/%{name}/action.d/*.conf %config(noreplace) %{_sysconfdir}/%{name}/filter.d/*.conf %{_initrddir}/%{name} %{_bindir}/%{name}* %{_sbindir}/rc%{name} %{_datadir}/%{name} %dir %ghost /var/run/%{name} /var/adm/fillup-templates/sysconfig.%{name} %doc %{_mandir}/man1/* %doc COPYING ChangeLog README TODO files/cacti %changelog ++++++ fail2ban-CVE-2013-2178.patch ++++++ diff -Nur fail2ban-0.8.8-orig/config/filter.d/apache-auth.conf fail2ban-0.8.8/config/filter.d/apache-auth.conf --- fail2ban-0.8.8-orig/config/filter.d/apache-auth.conf 2012-12-06 04:51:29.000000000 +0100 +++ fail2ban-0.8.8/config/filter.d/apache-auth.conf 2013-06-14 14:40:59.830173175 +0200 @@ -5,6 +5,12 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = apache-common.conf + [Definition] # Option: failregex 
@@ -14,9 +20,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = [[]client <HOST>[]] user .* authentication failure - [[]client <HOST>[]] user .* not found - [[]client <HOST>[]] user .* password mismatch +failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -Nur fail2ban-0.8.8-orig/config/filter.d/apache-common.conf fail2ban-0.8.8/config/filter.d/apache-common.conf --- fail2ban-0.8.8-orig/config/filter.d/apache-common.conf 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban-0.8.8/config/filter.d/apache-common.conf 2013-06-14 14:40:59.838173327 +0200 @@ -0,0 +1,17 @@ +# Generic configuration items (to be used as interpolations) in other +# apache filters +# +# Author: Yaroslav Halchenko +# +# + +[INCLUDES] + +# Load customizations if any available +after = apache-common.local + + +[DEFAULT] + +# Common prefix for [error] apache messages which also would include <HOST> +_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\] diff -Nur fail2ban-0.8.8-orig/config/filter.d/apache-nohome.conf fail2ban-0.8.8/config/filter.d/apache-nohome.conf --- fail2ban-0.8.8-orig/config/filter.d/apache-nohome.conf 2012-12-06 04:51:29.000000000 +0100 +++ fail2ban-0.8.8/config/filter.d/apache-nohome.conf 2013-06-14 14:40:59.850173555 +0200 @@ -5,6 +5,12 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = apache-common.conf + [Definition] # Option: failregex 
@@ -14,7 +20,7 @@ # per-domain log files. # Values: TEXT # -failregex = [[]client <HOST>[]] File does not exist: .*/~.* +failregex = ^%(_apache_error_client)s File does not exist: .*/~.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -Nur fail2ban-0.8.8-orig/config/filter.d/apache-noscript.conf fail2ban-0.8.8/config/filter.d/apache-noscript.conf --- fail2ban-0.8.8-orig/config/filter.d/apache-noscript.conf 2012-12-06 04:51:29.000000000 +0100 +++ fail2ban-0.8.8/config/filter.d/apache-noscript.conf 2013-06-14 14:40:59.858173706 +0200 @@ -5,6 +5,12 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = apache-common.conf + [Definition] # Option: failregex @@ -14,8 +20,8 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) - [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$ +failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$ + ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -Nur fail2ban-0.8.8-orig/config/filter.d/apache-overflows.conf fail2ban-0.8.8/config/filter.d/apache-overflows.conf --- fail2ban-0.8.8-orig/config/filter.d/apache-overflows.conf 2012-12-06 04:51:29.000000000 +0100 +++ fail2ban-0.8.8/config/filter.d/apache-overflows.conf 2013-06-14 14:40:59.866173858 +0200 
@@ -5,13 +5,19 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = apache-common.conf + [Definition] # Option: failregex # Notes.: Regexp to catch Apache overflow attempts. # Values: TEXT # -failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) +failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -Nur fail2ban-0.8.8-orig/testcases/files/logs/apache-auth fail2ban-0.8.8/testcases/files/logs/apache-auth --- fail2ban-0.8.8-orig/testcases/files/logs/apache-auth 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban-0.8.8/testcases/files/logs/apache-auth 2013-06-14 14:40:59.878174086 +0200 @@ -0,0 +1,5 @@ +# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service +[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found + +# should match +[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found diff -Nur fail2ban-0.8.8-orig/testcases/files/logs/apache-noscript fail2ban-0.8.8/testcases/files/logs/apache-noscript --- fail2ban-0.8.8-orig/testcases/files/logs/apache-noscript 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban-0.8.8/testcases/files/logs/apache-noscript 2013-06-14 14:40:59.886174237 +0200 
@@ -0,0 +1 @@ +[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat ++++++ fail2ban.init ++++++ #!/bin/sh # ### BEGIN INIT INFO # Provides: fail2ban # Required-Start: $syslog $remote_fs $local_fs # Should-Start: $time $network iptables # Required-Stop: $syslog $remote_fs $local_fs # Should-Stop: $time $network iptables # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Pidfile: /var/run/fail2ban/fail2ban.pid # Short-Description: Bans IPs with too many authentication failures # Description: Start fail2ban to scan logfiles and ban IP addresses # which make too many logfiles failures, and/or sent e-mails about ### END INIT INFO # Check for missing binaries (stale symlinks should not happen) FAIL2BAN_CLI=/usr/bin/fail2ban-client test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } FAIL2BAN_SRV=/usr/bin/fail2ban-server test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban" FAIL2BAN_SOCKET_DIR="/var/run/fail2ban" FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock" FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid" if [ -e $FAIL2BAN_CONFIG ]; then . $FAIL2BAN_CONFIG fi . /etc/rc.status rc_reset case "$1" in start) echo -n "Starting fail2ban " if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then mkdir -p $FAIL2BAN_SOCKET_DIR fi if [ -e $FAIL2BAN_SOCKET ]; then if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then rm $FAIL2BAN_SOCKET fi fi $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1 rc_status -v ;; stop) echo -n "Shutting down fail2ban " ## Stop daemon with built-in functionality 'stop' /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1 if [ -f $FAIL2BAN_SOCKET ] then echo "$FAIL2BAN_SOCKET not removed .. removing .." rm $FAIL2BAN_SOCKET fi if [ -f $FAIL2BAN_PID ] then echo "$FAIL2BAN_PID not removed .. removing .." 
rm $FAIL2BAN_PID fi rc_status -v ;; try-restart|condrestart) $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi rc_status ;; restart) $0 stop i=60 while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do sleep 1 i=$[$i-1] echo -n "." done $0 start rc_status ;; reload|force-reload) echo -n "Reload service Fail2ban " /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1 rc_status -v ;; status) echo -n "Checking for service fail2ban " /sbin/checkproc $FAIL2BAN_SRV rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ fail2ban.sysconfig ++++++ ## Path: System/Security/Fail2ban ## Description: fail2ban options ## Type: string ## Default: "" ## ServiceReload: fail2ban ## ServiceRestart: fail2ban # # Options for fail2ban # FAIL2BAN_OPTIONS=""
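
Review bot: the comment in the new [INCLUDES] block of config/filter.d/apache-auth.conf (repeated verbatim in apache-nohome.conf, apache-noscript.conf and apache-overflows.conf) names the wrong file. It says "read them from common.local", but the block loads "before = apache-common.conf", and that file's own "after =" line points at apache-common.local. Someone following the comment would create common.local and see no effect. Suggest wording it as "customizations go in apache-common.local" in all four filters.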
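
Review bot: the sample log added for the rewritten failregex in config/filter.d/apache-auth.conf covers only one of its three alternatives. testcases/files/logs/apache-auth has a should-not-match line for the injected "[client 192.168.0.1] user root not found" case and a should-match line for "not found", but nothing for "authentication failure" or "password mismatch", which were separate expressions before and are now folded into "(authentication failure|not found|password mismatch)\s*$". Suggest one should-match line per alternative so a later edit to the alternation cannot silently drop one. The group is used only for alternation, so "(?:...)" would state that intent more clearly.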
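
Review bot: _apache_error_client in the new config/filter.d/apache-common.conf ties every filter that includes it to one exact line layout, and the file does not say so. The value "\[[^]]+\] \[error\] \[client <HOST>\]" requires a single bracketed field, then the literal "[error]", then the client field, each separated by exactly one space. The old expressions matched "[client <HOST>]" anywhere in the line, so a log written in any other layout goes from matching to silently never matching. Suggest a comment above the definition showing the expected line shape (the sample lines in testcases/files/logs/apache-auth would do) and stating that apache-common.local is the place to override it.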
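
Review bot: the failregex changes in config/filter.d/apache-nohome.conf and config/filter.d/apache-overflows.conf ship without sample logs, unlike apache-auth and apache-noscript. Both expressions are anchored only at the start ("^%(_apache_error_client)s File does not exist: .*/~.*" and the "Invalid (method|URI) in request|..." alternation), and the changelog entry says the end anchor was applied "where applicable". Nothing in the patch records that these two were meant to stay open-ended. Suggest adding testcases/files/logs/apache-nohome and apache-overflows, each with a should-match line and a should-not-match line carrying an embedded "[client ...]" string in the path, plus a one-line comment in each filter on why no "$" is used.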
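
Review bot: the first expression in config/filter.d/apache-noscript.conf changes what is matched beyond anchoring, and the new test file does not cover it. With "/\S*(\.php|\.asp|\.exe|\.pl)\s*$" the extension must now be the last non-space text on the line. Before, the expression was open at the end, so a path with anything after the extension, or a line with any further text after the path, also counted as a failure. If that narrowing is intended it belongs in the changelog. testcases/files/logs/apache-noscript contains a single line that exercises only the second ("script '...' not found or unable to stat") expression. Suggest adding a should-match line for the "File does not exist" form and a should-not-match line modelled on the one in testcases/files/logs/apache-auth.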
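
Review bot: in the stop) branch of fail2ban.init the leftover-socket cleanup is guarded by "[ -f $FAIL2BAN_SOCKET ]", which is true only for regular files. If fail2ban.sock is a UNIX socket, as its name and the lsof check in start) suggest, this test never succeeds and the stale socket is left for the next start to handle. The start) branch and the restart) wait loop already use "-e", so suggest "-e" or "-S" here as well. Separately, the script declares "#!/bin/sh" but uses "&>/dev/null" and "i=$[$i-1]", which are bash extensions. Under a strict POSIX sh, "cmd &>/dev/null" runs cmd in the background. Suggest "> /dev/null 2>&1" and "i=$((i-1))", and quoting the path variables.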