Update to 0.10.5

5 years ago · 0a5bad9a03
parent b9fa37fab6
commit 0a5bad9a03
8 changed files with 99 additions and 109 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,4 @@ fail2ban-0.8.4.tar.bz2
 /fail2ban-0.10.2.tar.gz
 /fail2ban-0.10.3.1.tar.gz
 /fail2ban-0.10.4.tar.gz
+/fail2ban-0.10.5.tar.gz
--- a/2388.patch
+++ b/2388.patch
@ -1,96 +0,0 @@
-From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001
-From: Amir Caspi <cepheid666@users.noreply.github.com>
-Date: Fri, 29 Mar 2019 17:38:30 -0600
-Subject: [PATCH 1/7] Update sendmail-reject
-
-Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively)
---
- fail2ban/tests/files/logs/sendmail-reject | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
-index 44f8eb92f..a76cbf4b6 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
-+++ b/fail2ban/tests/files/logs/sendmail-reject
-@@ -95,3 +95,8 @@ Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<anton@domain.co
- Mar  6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example.org [192.0.2.194] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
- # failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
- Mar  7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
-+
-+# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
-+Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
-+# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
-+Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
-
-From ffd5d0db78af01afcdf7a2c615dc26b8558ad8f1 Mon Sep 17 00:00:00 2001
-From: Amir Caspi <cepheid666@users.noreply.github.com>
-Date: Fri, 29 Mar 2019 17:39:27 -0600
-Subject: [PATCH 2/7] Update sendmail-reject.conf
-
-On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29
---
- config/filter.d/sendmail-reject.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
-index 985eac8b1..dd58f3e75 100644
--- a/config/filter.d/sendmail-reject.conf
-+++ b/config/filter.d/sendmail-reject.conf
-@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
- 
- mdre-normal =
- 
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$
-+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
- 
- mdre-aggressive = %(mdre-extra)s
- 
-
-From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001
-From: Amir Caspi <cepheid666@users.noreply.github.com>
-Date: Fri, 29 Mar 2019 18:21:47 -0600
-Subject: [PATCH 5/7] Update sendmail-reject
-
-Fixing timestamps to 2005 (oops)
---
- fail2ban/tests/files/logs/sendmail-reject | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
-index a76cbf4b6..b6911c4df 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
-+++ b/fail2ban/tests/files/logs/sendmail-reject
-@@ -96,7 +96,7 @@ Mar  6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example
- # failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
- Mar  7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
- 
-# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
-+# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
- Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
-# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
-+# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
- Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
-
-From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester" <github@sebres.de>
-Date: Thu, 4 Apr 2019 02:28:50 +0200
-Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA])
-
---
- config/filter.d/sendmail-reject.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
-index dd58f3e75..e6814a00c 100644
--- a/config/filter.d/sendmail-reject.conf
-+++ b/config/filter.d/sendmail-reject.conf
-@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
- 
- mdre-normal =
- 
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
-+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$
- 
- mdre-aggressive = %(mdre-extra)s
- 
-
--- a/8694c547285c4030d4bf7661981673038e6e9829.patch
+++ b/8694c547285c4030d4bf7661981673038e6e9829.patch
@ -0,0 +1,31 @@
+From 8694c547285c4030d4bf7661981673038e6e9829 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Tue, 14 Jan 2020 11:51:27 +0100
+Subject: [PATCH] increase test stack size to 128K (on some platforms min size
+ is greater then 32K), closes gh-2597
+
+---
+ fail2ban/tests/fail2banclienttestcase.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
+index 29adb1220..5caa4dd90 100644
+--- a/fail2ban/tests/fail2banclienttestcase.py
+++ b/fail2ban/tests/fail2banclienttestcase.py
+@@ -469,14 +469,14 @@ def _testStartForeground(self, tmp, startparams, phase):
+ 
+ 	@with_foreground_server_thread(startextra={'f2b_local':(
+ 			"[Thread]",
+-			"stacksize = 32"
+			"stacksize = 128"
+ 			"",
+ 		)})
+ 	def testStartForeground(self, tmp, startparams):
+ 		# check thread options were set:
+ 		self.pruneLog()
+ 		self.execCmd(SUCCESS, startparams, "get", "thread")
+-		self.assertLogged("{'stacksize': 32}")
+		self.assertLogged("{'stacksize': 128}")
+ 		# several commands to server:
+ 		self.execCmd(SUCCESS, startparams, "ping")
+ 		self.execCmd(FAILED, startparams, "~~unknown~cmd~failed~~")
--- a/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
+++ b/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
@ -0,0 +1,22 @@
+From b158f83aa3795f387c8475ceb48df197a94a37e8 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 13 Jan 2020 12:37:19 +0100
+Subject: [PATCH] testIPAddr_CompareDNS: add missing network constraint
+ (gh-2596)
+
+---
+ fail2ban/tests/filtertestcase.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index d6ad82358..6ca8162bd 100644
+--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
+@@ -2064,6 +2064,7 @@ def testIPAddr_CIDR_Repr(self):
+ 		)
+ 
+ 	def testIPAddr_CompareDNS(self):
+		unittest.F2B.SkipIfNoNetwork()
+ 		ips = IPAddr('example.com')
+ 		self.assertTrue(IPAddr("93.184.216.34").isInNet(ips))
+ 		self.assertTrue(IPAddr("2606:2800:220:1:248:1893:25c8:1946").isInNet(ips))
--- a/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
+++ b/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
@ -0,0 +1,25 @@
+From ec37b1942c4da76f7a0f71efe81bea6835466648 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Tue, 14 Jan 2020 11:39:13 +0100
+Subject: [PATCH] action.d/nginx-block-map.conf: fixed backslash substitution
+ (different echo behavior in some shells, gh-2596)
+
+---
+ config/action.d/nginx-block-map.conf | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/config/action.d/nginx-block-map.conf b/config/action.d/nginx-block-map.conf
+index 0b6aa0ad7..ee702907e 100644
+--- a/config/action.d/nginx-block-map.conf
+++ b/config/action.d/nginx-block-map.conf
+@@ -103,6 +103,8 @@ actionstop = %(actionflush)s
+ 
+ actioncheck = 
+ 
+-actionban = echo "\\\\<fid> 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s
+_echo_blck_row = printf '\%%s 1;\n' "<fid>"
+ 
+-actionunban = id=$(echo "<fid>" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^\\\\$id 1;$/d" %(blck_lst_file)s; %(blck_lst_reload)s
+actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s
+
+actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s
--- a/fail2ban-partof.patch
+++ b/fail2ban-partof.patch
@ -1,11 +1,11 @@
-diff -up fail2ban-0.10.3.1/files/fail2ban.service.in.partof fail2ban-0.10.3.1/files/fail2ban.service.in
--- fail2ban-0.10.3.1/files/fail2ban.service.in.partof	2018-06-19 12:10:15.401391081 -0600
-+++ fail2ban-0.10.3.1/files/fail2ban.service.in	2018-06-19 12:10:38.892291609 -0600
+diff -up fail2ban-0.10.5/files/fail2ban.service.in.partof fail2ban-0.10.5/files/fail2ban.service.in
+--- fail2ban-0.10.5/files/fail2ban.service.in.partof	2020-01-10 05:34:46.000000000 -0700
+++ fail2ban-0.10.5/files/fail2ban.service.in	2020-01-11 16:13:53.372316861 -0700
@@ -2,7 +2,7 @@
 Description=Fail2Ban Service
 Documentation=man:fail2ban(1)
- After=network.target iptables.service firewalld.service ip6tables.service ipset.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
 +PartOf=firewalld.service
 
 [Service]
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,18 +1,20 @@
 Summary: Daemon to ban hosts that cause multiple authentication errors
 Name: fail2ban
-Version: 0.10.4
-Release: 8%{?dist}
+Version: 0.10.5
+Release: 1%{?dist}
 License: GPLv2+
 URL: http://fail2ban.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-#Source0: https://github.com/sebres/%{name}/archive/f2b-perfom-prepare-716-cs.tar.gz#/%{name}-test.tar.gz
 # Give up being PartOf iptables and ipset for now
 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185
 Patch0: fail2ban-partof.patch
-# Update sendmail-reject with TLSMTA & MSA port IDs
-# https://bugzilla.redhat.com/show_bug.cgi?id=1722625
-Patch1: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2388.patch
+# Fix nginx-block-map
+Patch1: https://github.com/fail2ban/fail2ban/commit/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
+# testIPAddr_CompareDNS: add missing network constraint
+Patch2: https://github.com/fail2ban/fail2ban/commit/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
+# FIx test thread stack size on aarch64
+Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf7661981673038e6e9829.patch

 BuildRequires: python3-devel
 BuildRequires: /usr/bin/2to3
@ -213,7 +215,9 @@ EOF
 rm -r %{buildroot}%{_docdir}/%{name}

 %check
-./fail2ban-testcases-all-python3 --no-network
+# testSampleRegexsSSHD fails for some reason when run alongside all other tests
+%python3 bin/fail2ban-testcases --no-network testSampleRegexsSSHD
+%python3 bin/fail2ban-testcases --no-network -i testSampleRegexsSSHD

 %post server
 %if 0%{?fedora} || 0%{?rhel} >= 7
@ -299,6 +303,9 @@ fi


 %changelog
+* Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.10.5-1
+- Update to 0.10.5
+
 * Thu Nov 21 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-8
 - Define banaction_allports for firewalld, update banaction (bz#1775175)
 - Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (fail2ban-0.10.4.tar.gz) = 3f4af84b7e3332b887240c927c1f706d2b3020217df2a68c64897619d54eb6dfa972992e3153f4ea150d025e2c8a2b537da47cf71a6dfee1df3c8d029a6d5f42
+SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6