Update to 0.8.10 security release

- Use upstream provided systemd files
- Drop upstreamed patches, rebase log2syslog and notmp patches
i9ce
Orion Poplawski 12 years ago
parent 6bfd65edcf
commit d0f8175ad9

1
.gitignore vendored

@ -2,3 +2,4 @@ fail2ban-FAIL2BAN-0_8.tar.bz2
fail2ban-0.8.4.tar.bz2 fail2ban-0.8.4.tar.bz2
/fail2ban_0.8.7.1.orig.tar.gz /fail2ban_0.8.7.1.orig.tar.gz
/fail2ban_0.8.8.orig.tar.gz /fail2ban_0.8.8.orig.tar.gz
/fail2ban-0.8.10.tar.gz

@ -1,35 +0,0 @@
From 20c717c25c5d180b720bec6902475f07b02f8b87 Mon Sep 17 00:00:00 2001
From: Jonathan G. Underwood <jonathan.underwood@gmail.com>
Date: Sun, 3 Jan 2010 02:16:09 +0000
Subject: [PATCH] Set socket file descriptor in AsyncServer.start to be CLOEXEC
https://bugzilla.redhat.com/show_bug.cgi?id=522767
---
server/asyncserver.py | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/server/asyncserver.py b/server/asyncserver.py
index 35cebf1..96b62d0 100644
--- a/server/asyncserver.py
+++ b/server/asyncserver.py
@@ -26,7 +26,7 @@ __license__ = "GPL"
from pickle import dumps, loads, HIGHEST_PROTOCOL
from common import helpers
-import asyncore, asynchat, socket, os, logging, sys, traceback
+import asyncore, asynchat, socket, os, logging, sys, traceback, fcntl
# Gets the instance of the logger.
logSys = logging.getLogger("fail2ban.server")
@@ -126,6 +126,8 @@ class AsyncServer(asyncore.dispatcher):
raise AsyncServerException("Server already running")
# Creates the socket.
self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ fd = self.fileno()
+ fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
self.set_reuse_addr()
try:
self.bind(sock)
--
1.6.5.2

@ -1,11 +0,0 @@
--- fail2ban-0.8.3/config/fail2ban.conf~ 2008-02-27 22:44:55.000000000 +0100
+++ fail2ban-0.8.3/config/fail2ban.conf 2009-08-27 20:48:25.000000000 +0200
@@ -22,7 +22,7 @@
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
-logtarget = /var/log/fail2ban.log
+logtarget = SYSLOG
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do

@ -1,35 +0,0 @@
diff -U0 fail2ban-0.8.7.1/ChangeLog.notmp fail2ban-0.8.7.1/ChangeLog
--- fail2ban-0.8.7.1/ChangeLog.notmp 2012-07-31 19:45:04.000000000 -0600
+++ fail2ban-0.8.7.1/ChangeLog 2012-10-11 11:49:16.317481660 -0600
@@ -511 +511 @@
-- Changed default PID lock file location from /tmp to /var/run
+- Changed default PID lock file location from /var/lib/fail2ban to /var/run
diff -up fail2ban-0.8.7.1/client/fail2banreader.py.notmp fail2ban-0.8.7.1/client/fail2banreader.py
--- fail2ban-0.8.7.1/client/fail2banreader.py.notmp 2012-07-31 19:45:04.000000000 -0600
+++ fail2ban-0.8.7.1/client/fail2banreader.py 2012-10-11 11:49:16.318481661 -0600
@@ -42,7 +42,7 @@ class Fail2banReader(ConfigReader):
ConfigReader.read(self, "fail2ban")
def getEarlyOptions(self):
- opts = [["string", "socket", "/tmp/fail2ban.sock"]]
+ opts = [["string", "socket", "/var/lib/fail2ban/fail2ban.sock"]]
return ConfigReader.getOptions(self, "Definition", opts)
def getOptions(self):
diff -up fail2ban-0.8.7.1/config/action.d/dshield.conf.notmp fail2ban-0.8.7.1/config/action.d/dshield.conf
diff -up fail2ban-0.8.7.1/config/action.d/mail-buffered.conf.notmp fail2ban-0.8.7.1/config/action.d/mail-buffered.conf
diff -up fail2ban-0.8.7.1/config/action.d/mynetwatchman.conf.notmp fail2ban-0.8.7.1/config/action.d/mynetwatchman.conf
diff -up fail2ban-0.8.7.1/config/action.d/sendmail-buffered.conf.notmp fail2ban-0.8.7.1/config/action.d/sendmail-buffered.conf
diff -up fail2ban-0.8.7.1/files/nagios/f2ban.txt.notmp fail2ban-0.8.7.1/files/nagios/f2ban.txt
--- fail2ban-0.8.7.1/files/nagios/f2ban.txt.notmp 2012-07-31 19:45:04.000000000 -0600
+++ fail2ban-0.8.7.1/files/nagios/f2ban.txt 2012-10-11 11:53:32.323532817 -0600
@@ -6,7 +6,7 @@ HELP:
/etc/init.d/fail2ban stop
2.) delete the socket if available
-rm /tmp/fail2ban.sock
+rm /var/run/fail2ban/fail2ban.sock
3.) start the Service
/etc/init.d/fail2ban start
diff -up fail2ban-0.8.7.1/testcases/actiontestcase.py.notmp fail2ban-0.8.7.1/testcases/actiontestcase.py

@ -1,11 +0,0 @@
diff -up fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam fail2ban-0.8.8/config/filter.d/sshd.conf
--- fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam 2012-12-05 20:51:29.000000000 -0700
+++ fail2ban-0.8.8/config/filter.d/sshd.conf 2013-01-18 14:29:00.300902426 -0700
@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error:
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
- ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

@ -0,0 +1,12 @@
diff -up fail2ban-0.8.10/config/fail2ban.conf.log2syslog fail2ban-0.8.10/config/fail2ban.conf
--- fail2ban-0.8.10/config/fail2ban.conf.log2syslog 2013-06-12 11:21:12.000000000 -0600
+++ fail2ban-0.8.10/config/fail2ban.conf 2013-06-12 16:12:48.233512068 -0600
@@ -30,7 +30,7 @@ loglevel = 3
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
-logtarget = /var/log/fail2ban.log
+logtarget = SYSLOG
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do

@ -0,0 +1,12 @@
diff -up fail2ban-0.8.10/client/fail2banreader.py.notmp fail2ban-0.8.10/client/fail2banreader.py
--- fail2ban-0.8.10/client/fail2banreader.py.notmp 2013-06-12 11:21:12.000000000 -0600
+++ fail2ban-0.8.10/client/fail2banreader.py 2013-06-12 16:17:43.820837700 -0600
@@ -39,7 +39,7 @@ class Fail2banReader(ConfigReader):
ConfigReader.read(self, "fail2ban")
def getEarlyOptions(self):
- opts = [["string", "socket", "/tmp/fail2ban.sock"],
+ opts = [["string", "socket", "/var/run/fail2ban/fail2ban.sock"],
["string", "pidfile", "/var/run/fail2ban/fail2ban.pid"]]
return ConfigReader.getOptions(self, "Definition", opts)

@ -1,32 +1,16 @@
Summary: Ban IPs that make too many password failures Summary: Ban IPs that make too many password failures
Name: fail2ban Name: fail2ban
Version: 0.8.8 Version: 0.8.10
Release: 4%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://fail2ban.sourceforge.net/ URL: http://fail2ban.sourceforge.net/
Source0: https://github.com/downloads/%{name}/%{name}/%{name}_%{version}.orig.tar.gz Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: fail2ban-logrotate Source1: fail2ban-logrotate
Source2: fail2ban-tmpfiles.conf
%if 0%{?fedora} >= 19
Source3: fail2ban.service
%endif
Patch0: fail2ban-0.8.3-init.patch Patch0: fail2ban-0.8.3-init.patch
Patch1: fail2ban-0.8.7.1-sshd.patch Patch1: fail2ban-0.8.7.1-sshd.patch
# Do not use pam_unix failure messages to ban sshd Patch6: fail2ban-log2syslog.patch
# https://github.com/fail2ban/fail2ban/issues/106 Patch8: fail2ban-notmp.patch
Patch2: fail2ban-0.8.8-sshd-pam.patch
# Upstream patch to fix module loading
# https://github.com/fail2ban/fail2ban/issues/112
# https://bugzilla.redhat.com/show_bug.cgi?id=892365
Patch3: fail2ban-import.patch
# Upstream patch to fix UTF-8 characters in hostnames
# https://github.com/fail2ban/fail2ban/issues/113
# https://bugzilla.redhat.com/show_bug.cgi?id=905097
Patch4: fail2ban-utf8.patch
Patch6: fail2ban-0.8.3-log2syslog.patch
Patch7: asyncserver.start_selinux.patch
Patch8: fail2ban-0.8.7.1-notmp.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: python-devel >= 2.3 BuildRequires: python-devel >= 2.3
# For testcases # For testcases
@ -60,11 +44,7 @@ and shorewall respectively.
%setup -q %setup -q
%patch0 -p1 -b .init %patch0 -p1 -b .init
%patch1 -p1 -b .sshd %patch1 -p1 -b .sshd
%patch2 -p1 -b .sshd-pam
%patch3 -p1 -b .import
%patch4 -p1 -b .utf8
%patch6 -p1 -b .log2syslog %patch6 -p1 -b .log2syslog
%patch7 -p1 -b .fd_cloexec2
%patch8 -p1 -b .notmp %patch8 -p1 -b .notmp
%build %build
@ -75,7 +55,7 @@ rm -rf %{buildroot}
python setup.py install -O1 --root %{buildroot} python setup.py install -O1 --root %{buildroot}
%if 0%{?fedora} >= 19 %if 0%{?fedora} >= 19
mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_unitdir}
cp -p %SOURCE3 %{buildroot}%{_unitdir}/ cp -p files/fail2ban.service %{buildroot}%{_unitdir}/
%else %else
mkdir -p %{buildroot}%{_initddir} mkdir -p %{buildroot}%{_initddir}
install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban
@ -87,7 +67,9 @@ install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/ install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf
# Remove installed doc, use doc macro instead
rm -r %{buildroot}%{_docdir}/%{name}
# Testcases need network access # Testcases need network access
#%check #%check
@ -120,7 +102,7 @@ fi
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc README TODO ChangeLog COPYING %doc README.md TODO ChangeLog COPYING doc/*.txt
#doc config/fail2ban.conf* #doc config/fail2ban.conf*
%{_bindir}/fail2ban-server %{_bindir}/fail2ban-server
%{_bindir}/fail2ban-client %{_bindir}/fail2ban-client
@ -131,7 +113,7 @@ fi
%else %else
%{_initddir}/fail2ban %{_initddir}/fail2ban
%endif %endif
%{_mandir}/man1/fail2ban-*.1* %{_mandir}/man1/fail2ban*.1*
%dir %{_sysconfdir}/fail2ban %dir %{_sysconfdir}/fail2ban
%dir %{_sysconfdir}/fail2ban/action.d %dir %{_sysconfdir}/fail2ban/action.d
%dir %{_sysconfdir}/fail2ban/filter.d %dir %{_sysconfdir}/fail2ban/filter.d
@ -145,6 +127,11 @@ fi
%dir %{_localstatedir}/lib/fail2ban/ %dir %{_localstatedir}/lib/fail2ban/
%changelog %changelog
* Wed Jun 12 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-1
- Update to 0.8.10 security release
- Use upstream provided systemd files
- Drop upstreamed patches, rebase log2syslog and notmp patches
* Fri Mar 15 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-4 * Fri Mar 15 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-4
- Use systemd init for Fedora 19+ (bug #883158) - Use systemd init for Fedora 19+ (bug #883158)

@ -1 +1 @@
48a7cfa29c30227f0e1361bd3c88ec8e fail2ban_0.8.8.orig.tar.gz 48327ac0f5938dcc2f82c63728fc8918 fail2ban-0.8.10.tar.gz

Loading…
Cancel
Save