diff --git a/.gitignore b/.gitignore
index 573439a..6535f8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ fail2ban-0.8.4.tar.bz2
 /fail2ban-0.10.2.tar.gz
 /fail2ban-0.10.3.1.tar.gz
 /fail2ban-0.10.4.tar.gz
+/fail2ban-0.10.5.tar.gz
diff --git a/2388.patch b/2388.patch
deleted file mode 100644
index d391969..0000000
--- a/2388.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001 -From: Amir Caspi -Date: Fri, 29 Mar 2019 17:38:30 -0600 -Subject: [PATCH 1/7] Update sendmail-reject - -Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively) ---- - fail2ban/tests/files/logs/sendmail-reject | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject -index 44f8eb92f..a76cbf4b6 100644 ---- a/fail2ban/tests/files/logs/sendmail-reject -+++ b/fail2ban/tests/files/logs/sendmail-reject -@@ -95,3 +95,8 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from= -Date: Fri, 29 Mar 2019 17:39:27 -0600 -Subject: [PATCH 2/7] Update sendmail-reject.conf - -On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 ---- - config/filter.d/sendmail-reject.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf -index 985eac8b1..dd58f3e75 100644 ---- a/config/filter.d/sendmail-reject.conf -+++ b/config/filter.d/sendmail-reject.conf -@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[(?:IP - - mdre-normal = - --mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$ -+mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? 
did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$ - - mdre-aggressive = %(mdre-extra)s - - -From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001 -From: Amir Caspi -Date: Fri, 29 Mar 2019 18:21:47 -0600 -Subject: [PATCH 5/7] Update sendmail-reject - -Fixing timestamps to 2005 (oops) ---- - fail2ban/tests/files/logs/sendmail-reject | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject -index a76cbf4b6..b6911c4df 100644 ---- a/fail2ban/tests/files/logs/sendmail-reject -+++ b/fail2ban/tests/files/logs/sendmail-reject -@@ -96,7 +96,7 @@ Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example - # failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" } - Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4 - --# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" } -+# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" } - Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA --# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" } -+# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. 
non RFC compiant (ddos prelude?), MSA-mode" } - Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA - -From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001 -From: "Sergey G. Brester" -Date: Thu, 4 Apr 2019 02:28:50 +0200 -Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA]) - ---- - config/filter.d/sendmail-reject.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf -index dd58f3e75..e6814a00c 100644 ---- a/config/filter.d/sendmail-reject.conf -+++ b/config/filter.d/sendmail-reject.conf -@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[(?:IP - - mdre-normal = - --mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$ -+mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$ - - mdre-aggressive = %(mdre-extra)s - - diff --git a/8694c547285c4030d4bf7661981673038e6e9829.patch b/8694c547285c4030d4bf7661981673038e6e9829.patch new file mode 100644 index 0000000..71ead1e --- /dev/null +++ b/8694c547285c4030d4bf7661981673038e6e9829.patch 
@@ -0,0 +1,31 @@
+From 8694c547285c4030d4bf7661981673038e6e9829 Mon Sep 17 00:00:00 2001
+From: sebres
+Date: Tue, 14 Jan 2020 11:51:27 +0100
+Subject: [PATCH] increase test stack size to 128K (on some platforms min size
+ is greater then 32K), closes gh-2597
+
+---
+ fail2ban/tests/fail2banclienttestcase.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
+index 29adb1220..5caa4dd90 100644
+--- a/fail2ban/tests/fail2banclienttestcase.py
++++ b/fail2ban/tests/fail2banclienttestcase.py
+@@ -469,14 +469,14 @@ def _testStartForeground(self, tmp, startparams, phase):
+
+ @with_foreground_server_thread(startextra={'f2b_local':(
+ "[Thread]",
+- "stacksize = 32"
++ "stacksize = 128"
+ "",
+ )})
+ def testStartForeground(self, tmp, startparams):
+ # check thread options were set:
+ self.pruneLog()
+ self.execCmd(SUCCESS, startparams, "get", "thread")
+- self.assertLogged("{'stacksize': 32}")
++ self.assertLogged("{'stacksize': 128}")
+ # several commands to server:
+ self.execCmd(SUCCESS, startparams, "ping")
+ self.execCmd(FAILED, startparams, "~~unknown~cmd~failed~~")
diff --git a/b158f83aa3795f387c8475ceb48df197a94a37e8.patch b/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
new file mode 100644
index 0000000..f4a2416
--- /dev/null
+++ b/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
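Review bot: In the decorator of `testStartForeground` the line `"stacksize = 128"` has no trailing comma, so Python joins it with the following `""` by implicit string concatenation and the `f2b_local` tuple holds two entries rather than the three the layout suggests. The resulting string is unchanged, so the test still passes, but the intent is unclear; either add the comma (`"stacksize = 128",`) or drop the `""` line. The removed `"stacksize = 32"` line had the same shape, so this is a candidate for an upstream follow-up rather than a local edit to the carried patch.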
@@ -0,0 +1,22 @@
+From b158f83aa3795f387c8475ceb48df197a94a37e8 Mon Sep 17 00:00:00 2001
+From: sebres
+Date: Mon, 13 Jan 2020 12:37:19 +0100
+Subject: [PATCH] testIPAddr_CompareDNS: add missing network constraint
+ (gh-2596)
+
+---
+ fail2ban/tests/filtertestcase.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index d6ad82358..6ca8162bd 100644
+--- a/fail2ban/tests/filtertestcase.py
++++ b/fail2ban/tests/filtertestcase.py
+@@ -2064,6 +2064,7 @@ def testIPAddr_CIDR_Repr(self):
+ )
+
+ def testIPAddr_CompareDNS(self):
++ unittest.F2B.SkipIfNoNetwork()
+ ips = IPAddr('example.com')
+ self.assertTrue(IPAddr("93.184.216.34").isInNet(ips))
+ self.assertTrue(IPAddr("2606:2800:220:1:248:1893:25c8:1946").isInNet(ips))
diff --git a/ec37b1942c4da76f7a0f71efe81bea6835466648.patch b/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
new file mode 100644
index 0000000..3878213
--- /dev/null
+++ b/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
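Review bot: `testIPAddr_CompareDNS` still asserts two fixed addresses for `example.com` (`93.184.216.34` and the IPv6 literal), so the added `unittest.F2B.SkipIfNoNetwork()` guard only helps offline builders; with network access the test passes only while that public DNS record stays as it is. I would document that dependency next to the guard, for example `# depends on the live A/AAAA records of example.com; update the literals if they change`. The body of the test may continue past the end of this hunk.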
@@ -0,0 +1,25 @@
+From ec37b1942c4da76f7a0f71efe81bea6835466648 Mon Sep 17 00:00:00 2001
+From: sebres
+Date: Tue, 14 Jan 2020 11:39:13 +0100
+Subject: [PATCH] action.d/nginx-block-map.conf: fixed backslash substitution
+ (different echo behavior in some shells, gh-2596)
+
+---
+ config/action.d/nginx-block-map.conf | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/config/action.d/nginx-block-map.conf b/config/action.d/nginx-block-map.conf
+index 0b6aa0ad7..ee702907e 100644
+--- a/config/action.d/nginx-block-map.conf
++++ b/config/action.d/nginx-block-map.conf
+@@ -103,6 +103,8 @@ actionstop = %(actionflush)s
+
+ actioncheck =
+
+-actionban = echo "\\\\ 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s
++_echo_blck_row = printf '\%%s 1;\n' ""
+
+-actionunban = id=$(echo "" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^\\\\$id 1;$/d" %(blck_lst_file)s; %(blck_lst_reload)s
++actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s
++
++actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s
diff --git a/fail2ban-partof.patch b/fail2ban-partof.patch
index 7f2f00d..ddb39e8 100644
--- a/fail2ban-partof.patch
+++ b/fail2ban-partof.patch
@@ -1,11 +1,11 @@
-diff -up fail2ban-0.10.3.1/files/fail2ban.service.in.partof fail2ban-0.10.3.1/files/fail2ban.service.in
---- fail2ban-0.10.3.1/files/fail2ban.service.in.partof 2018-06-19 12:10:15.401391081 -0600
-+++ fail2ban-0.10.3.1/files/fail2ban.service.in 2018-06-19 12:10:38.892291609 -0600
+diff -up fail2ban-0.10.5/files/fail2ban.service.in.partof fail2ban-0.10.5/files/fail2ban.service.in
+--- fail2ban-0.10.5/files/fail2ban.service.in.partof 2020-01-10 05:34:46.000000000 -0700
++++ fail2ban-0.10.5/files/fail2ban.service.in 2020-01-11 16:13:53.372316861 -0700
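Review bot: In the new `actionunban` line `%(blck_lst_file)s` is handed to `sed -i` unquoted, while the new `actionban` line appends to `'%(blck_lst_file)s'` in single quotes. With a configured path that contains whitespace or glob characters the ban would be written but the unban would fail or touch a different file, leaving stale block entries in place. Quoting it the same way keeps the two actions consistent: `sed -i "/^$id$/d" '%(blck_lst_file)s'`. The `printf` argument in `_echo_blck_row` shows as `""` on this page, presumably an interpolation tag lost in rendering; since whatever goes there is expanded by the shell inside double quotes, a one-line comment naming the tag and stating that it is expected to arrive already escaped would make that assumption reviewable.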
@@ -2,7 +2,7 @@ Description=Fail2Ban Service Documentation=man:fail2ban(1) - After=network.target iptables.service firewalld.service ip6tables.service ipset.service --PartOf=iptables.service firewalld.service ip6tables.service ipset.service + After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service +-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service +PartOf=firewalld.service [Service] diff --git a/fail2ban.spec b/fail2ban.spec index eeb11ec..8f3669b 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,18 +1,20 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban -Version: 0.10.4 -Release: 8%{?dist} +Version: 0.10.5 +Release: 1%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz -#Source0: https://github.com/sebres/%{name}/archive/f2b-perfom-prepare-716-cs.tar.gz#/%{name}-test.tar.gz # Give up being PartOf iptables and ipset for now # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 Patch0: fail2ban-partof.patch -# Update sendmail-reject with TLSMTA & MSA port IDs -# https://bugzilla.redhat.com/show_bug.cgi?id=1722625 -Patch1: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2388.patch +# Fix nginx-block-map +Patch1: https://github.com/fail2ban/fail2ban/commit/ec37b1942c4da76f7a0f71efe81bea6835466648.patch +# testIPAddr_CompareDNS: add missing network constraint +Patch2: https://github.com/fail2ban/fail2ban/commit/b158f83aa3795f387c8475ceb48df197a94a37e8.patch +# FIx test thread stack size on aarch64 +Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf7661981673038e6e9829.patch BuildRequires: python3-devel BuildRequires: /usr/bin/2to3 
@@ -213,7 +215,9 @@ EOF rm -r %{buildroot}%{_docdir}/%{name} %check -./fail2ban-testcases-all-python3 --no-network +# testSampleRegexsSSHD fails for some reason when run alongside all other tests +%python3 bin/fail2ban-testcases --no-network testSampleRegexsSSHD +%python3 bin/fail2ban-testcases --no-network -i testSampleRegexsSSHD %post server %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -299,6 +303,9 @@ fi %changelog +* Tue Jan 14 2020 Orion Poplawski - 0.10.5-1 +- Update to 0.10.5 + * Thu Nov 21 2019 Orion Poplawski - 0.10.4-8 - Define banaction_allports for firewalld, update banaction (bz#1775175) - Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625) diff --git a/sources b/sources index efd923a..96975ca 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (fail2ban-0.10.4.tar.gz) = 3f4af84b7e3332b887240c927c1f706d2b3020217df2a68c64897619d54eb6dfa972992e3153f4ea150d025e2c8a2b537da47cf71a6dfee1df3c8d029a6d5f42 +SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6
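Review bot: The new `%check` comment says `testSampleRegexsSSHD` "fails for some reason" when run with the rest of the suite, which leaves an order or shared-state dependence in the sshd filter tests undiagnosed. Both invocations still run, so coverage is kept, but the split hides the cause instead of explaining it. I would record where this is tracked so the workaround can be dropped later, e.g. `# testSampleRegexsSSHD fails when run alongside all other tests (tracked in <bug-or-issue-reference>)`. Separately, the spec comment above `Patch3` in the first fail2ban.spec hunk reads `FIx`; it should be `Fix`.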