--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-e45c0e6856
2018-06-28 14:06:06.103643
--------------------------------------------------------------------------------
Name : fail2ban
Product : Fedora 28
Version : 0.10.3.1
Release : 2.fc28
URL :
http://fail2ban.sourceforge.net/
Summary : Daemon to ban hosts that cause multiple authentication errors
Description :
Fail2Ban scans log files and bans IP addresses that makes too many password
failures. It updates firewall rules to reject the IP address. These rules can
be defined by the user. Fail2Ban can read multiple log files such as sshd or
Apache web server ones.
Fail2Ban is able to reduce the rate of incorrect authentications attempts
however it cannot eliminate the risk that weak authentication presents.
Configure services to use only two factor or public/private authentication
mechanisms if you really want to protect services.
This is a meta-package that will install the default configuration. Other
sub-packages are available to install support for other actions and
configurations.
--------------------------------------------------------------------------------
Update Information:
# Update to 0.10.3.1: ### Fixes * fixed JSON serialization for the set-object
within dump into database (gh-2103). * `filter.d/asterisk.conf`: fixed failregex
prefix by log over remote syslog server (gh-2060); * `filter.d/exim.conf`:
failregex extended - SMTP call dropped: too many syntax or protocol errors
(gh-2048); * `filter.d/recidive.conf`: fixed if logging into systemd-journal
(SYSLOG) with daemon name in prefix, gh-2069; * `filter.d/sendmail-auth.conf`,
`filter.d/sendmail-reject.conf` : - fixed failregex, sendmail uses prefix
'IPv6:' logging of IPv6 addresses (gh-2064); * `filter.d/sshd.conf`: -
failregex got an optional space in order to match new log-format (see gh-2061);
- fixed ddos-mode regex to match refactored message (some versions can contain
port now, see gh-2062); - fixed root login refused regex (optional port before
preauth, gh-2080); - avoid banning of legitimate users when pam_unix used in
combination with other password method, so bypass pam_unix failures if
accepted available for this user gh-2070; - amend to gh-1263 with better
handling of multiple attempts (failures for different user-names recognized
immediatelly); - mode `ddos` (and `aggressive`) extended to catch `Connection
closed by ... [preauth]`, so in DDOS mode it counts failure on closing
connection within preauth-stage (gh-2085); * `action.d/abuseipdb.conf`: fixed
curl cypher errors and comment quote-issue (gh-2044, gh-2101); *
`action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected
string, IPAddr found" (gh-2059); * `action.d/hostsdeny.conf`: fixed IPv6 syntax
(enclosed in square brackets, gh-2066); * (Free)BSD ipfw actionban fixed to
allow same rule added several times (gh-2054); ### New Features * several
stability and performance optimizations, more effective filter parsing, etc; *
stable runnable within python versions 3.6 (as well as within 3.7-dev); ###
Enhancements * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp.
misredirect attempts (gh-2017, gh-2097); * `filter.d/apache-noscript.conf`:
extend failregex to match "Primary script unknown", e. g. from php-fpm
(gh-2073); * date-detector extended with long epoch (`LEPOCH`) to parse
milliseconds/microseconds posix-dates (gh-2029); * possibility to specify own
regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]`
(gh-2038); the epoch-pattern similar to `{DATE}` patterns does the capture and
cuts out the match of whole pattern from the log-line, e. g. date-pattern
`^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of
the log-line. * badips.py now uses https instead of plain http when requesting
badips.com (gh-2057); * add support for "any" badips.py bancategory, to be able
to retrieve IPs from all categories with a desired score (gh-2056); * Introduced
new parameter `padding` for logging within fail2ban-server (default on,
excepting SYSLOG): Usage `logtarget = target[padding=on|off]` Remove
ipset.service from PartOf in service file (bug #1573185)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jun 19 2018 Orion Poplawski <orion(a)nwra.com> - 0.10.3.1-2
- Remove PartOf ipset.service (bug #1573185)
* Tue Jun 19 2018 Orion Poplawski <orion(a)nwra.com> - 0.10.3.1-1
- Update to 0.10.3.1
* Tue Jun 19 2018 Miro Hron��ok <mhroncok(a)redhat.com> - 0.10.2-2
- Rebuilt for Python 3.7
* Wed Mar 28 2018 Orion Poplawski <orion(a)nwra.com> - 0.10.2-1
- Update to 0.10.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1573185 - Fail2ban prevents restarting firewalld (again, this time
conflicting on ipset.service)
https://bugzilla.redhat.com/show_bug.cgi?id=1573185
[ 2 ] Bug #1536235 - fail2ban-0.10.3.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1536235
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-e45c0e6856' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------