rpms/fail2ban/EL-4 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch, NONE, 1.1 fail2ban-0.8.1-sshd.patch, NONE, 1.1 fail2ban-0.8.2-fd_cloexec.patch, NONE, 1.1 fail2ban-0.8.3-init.patch, NONE, 1.1 fail2ban-logrotate, NONE, 1.1 import.log, NONE, 1.1 .cvsignore, 1.2, 1.3 fail2ban.spec, 1.2, 1.3 sources, 1.2, 1.3 fail2ban-0.6.2-init.patch, 1.1, NONE
Adam Miller
maxamillion at fedoraproject.org
Mon May 4 19:31:34 UTC 2009
Author: maxamillion
Update of /cvs/extras/rpms/fail2ban/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12609/EL-4
Modified Files:
.cvsignore fail2ban.spec sources
Added Files:
0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
fail2ban-0.8.1-sshd.patch fail2ban-0.8.2-fd_cloexec.patch
fail2ban-0.8.3-init.patch fail2ban-logrotate import.log
Removed Files:
fail2ban-0.6.2-init.patch
Log Message:
Fail2Ban 0.8.3-18 rebuild for EPEL
0001-BF-anchoring-regex-for-IP-with-at-the-end.patch:
--- NEW FILE 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch ---
>From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian at onerussian.com>
Date: Wed, 4 Feb 2009 15:38:11 -0500
Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
to forbid matching IP encoded in the hostname prior doing actual DNS
lookup.
It is quite important and actually security hazard: DoS is easy to
perform...
---
server/filter.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/server/filter.py b/server/filter.py
index 457bb03..77042ad 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -492,7 +492,7 @@ import socket, struct
class DNSUtils:
- IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
+ IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
#@staticmethod
def dnsToIp(dns):
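Review bot: On the `+ IP_CRE` line the pattern is anchored only at the end (` *$`), so whether a hostname that merely ends in a dotted quad is rejected depends on the caller using `match()` rather than `search()`, and that call site is not in this hunk. Anchoring the start as well, e.g. `^(?:\d{1,3}\.){3}\d{1,3} *$`, makes the intent independent of how the pattern is applied. Two smaller points: `$` also matches just before a trailing newline, and the pattern is a plain string rather than a raw string (`r"..."`), which relies on Python passing `\d` and `\.` through unchanged.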
--
1.5.6.5
fail2ban-0.8.1-sshd.patch:
--- NEW FILE fail2ban-0.8.1-sshd.patch ---
--- fail2ban-0.8.1/config/jail.conf.sshd 2007-08-09 00:49:59.000000000 +0200
+++ fail2ban-0.8.1/config/jail.conf 2007-08-15 21:41:33.000000000 +0200
@@ -42,11 +42,11 @@
[ssh-iptables]
-enabled = false
+enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
- sendmail-whois[name=SSH, dest=you at mail.com, sender=fail2ban at mail.com]
-logpath = /var/log/sshd.log
+ sendmail-whois[name=SSH, dest=root, sender=fail2ban at mail.com]
+logpath = /var/log/secure
maxretry = 5
[proftpd-iptables]
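Review bot: With `enabled = true` this jail sends mail on a default install, but the `sendmail-whois` line still carries the placeholder `sender=fail2ban at mail.com`; only `dest` was changed to `root`. A local sender address, or a comment telling the administrator to set one, would avoid notifications going out under a domain the host does not own.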
fail2ban-0.8.2-fd_cloexec.patch:
--- NEW FILE fail2ban-0.8.2-fd_cloexec.patch ---
--- fail2ban-0.8.2/server/filter.py.orig 2008-03-27 16:26:59.000000000 +0000
+++ fail2ban-0.8.2/server/filter.py 2008-03-27 15:29:48.000000000 +0000
@@ -428,6 +428,7 @@
# is computed and compared to the previous hash of this line.
import md5
+import fcntl
class FileContainer:
@@ -455,6 +456,11 @@
def open(self):
self.__handler = open(self.__filename)
+
+ # Set the file descriptor to be FD_CLOEXEC
+ fd = self.__handler.fileno()
+ fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
+
firstLine = self.__handler.readline()
# Computes the MD5 of the first line.
myHash = md5.new(firstLine).digest()
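Review bot: In the added `fcntl.fcntl (...)` call, `fd | fcntl.FD_CLOEXEC` ORs the descriptor number, not the descriptor's current flags, so the value written with `F_SETFD` depends on which fd number the open happened to get. Read the flags first with `fcntl.fcntl(fd, fcntl.F_GETFD)` and OR `FD_CLOEXEC` into that result. The first argument can also reuse `fd` instead of calling `self.__handler.fileno()` a second time.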
fail2ban-0.8.3-init.patch:
--- NEW FILE fail2ban-0.8.3-init.patch ---
--- fail2ban-0.8.3/files/redhat-initd.init 2008-03-10 23:36:22.000000000 +0100
+++ fail2ban-0.8.3/files/redhat-initd 2008-08-24 20:46:01.000000000 +0200
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# chkconfig: 345 92 08
+# chkconfig: - 92 08
# description: Fail2ban daemon
# http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
# process name: fail2ban-server
@@ -27,8 +27,7 @@
echo -n $"Starting fail2ban: "
getpid
if [ -z "$pid" ]; then
- rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
- $FAIL2BAN start > /dev/null
+ $FAIL2BAN -x start > /dev/null
RETVAL=$?
fi
if [ $RETVAL -eq 0 ]; then
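Review bot: The `-x` on the `$FAIL2BAN -x start` line replaces the explicit `rm -rf` of the socket, but the `# in case of unclean shutdown` comment was removed with it, so the script no longer says why `-x` is there. A one-line comment above the call would keep that. Separately, `RETVAL` is assigned only inside the `[ -z "$pid" ]` branch yet tested unquoted in `[ $RETVAL -eq 0 ]`; it is worth confirming that it is initialised earlier in the file, which this hunk does not show.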
--- NEW FILE fail2ban-logrotate ---
/var/log/fail2ban.log {
missingok
notifempty
size 30k
create 0600 root root
postrotate
/usr/bin/fail2ban-client reload 2> /dev/null || true
endscript
}
--- NEW FILE import.log ---
fail2ban-0_8_3-18:EL-4:fail2ban-0.8.3-18.src.rpm:1241465271
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/fail2ban/EL-4/.cvsignore,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- .cvsignore 30 Dec 2006 19:12:03 -0000 1.2
+++ .cvsignore 4 May 2009 19:31:03 -0000 1.3
@@ -1 +1 @@
-fail2ban-0.6.2.tar.bz2
+fail2ban-0.8.3.tar.bz2
Index: fail2ban.spec
===================================================================
RCS file: /cvs/extras/rpms/fail2ban/EL-4/fail2ban.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- fail2ban.spec 29 Jan 2009 14:16:02 -0000 1.2
+++ fail2ban.spec 4 May 2009 19:31:03 -0000 1.3
@@ -1,16 +1,24 @@
+# Not defined in Fedora's buildsystem
+%global _initdir %{_sysconfdir}/rc.d/init.d
+
Summary: Ban IPs that make too many password failures
Name: fail2ban
-Version: 0.6.2
-Release: 3%{?dist}
-License: GPL
+Version: 0.8.3
+Release: 18%{?dist}
+License: GPLv2+
Group: System Environment/Daemons
URL: http://fail2ban.sourceforge.net/
Source0: http://prdownloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
-Patch0: fail2ban-0.6.2-init.patch
+Source1: fail2ban-logrotate
+Patch0: fail2ban-0.8.3-init.patch
+Patch1: fail2ban-0.8.1-sshd.patch
+#Patch2: fail2ban-0.8.1-sock.patch
+Patch3: fail2ban-0.8.2-fd_cloexec.patch
+Patch4: 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildRequires: python-devel >= 2.3, dos2unix
+BuildRequires: python-devel >= 2.3
BuildArch: noarch
-Requires: iptables, tcp_wrappers, shorewall
+Requires: iptables, tcp_wrappers, shorewall, gamin-python
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
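Review bot: `#Patch2: fail2ban-0.8.1-sock.patch` is left commented out with no note on why it is disabled, and that file is not among the files added in this commit. Either drop the line (and the matching `#patch2` in `%prep`) or add a short comment saying why the socket patch is no longer applied.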
@@ -22,10 +30,11 @@ failures. It updates firewall rules to r
%prep
%setup -q
-grep -rl /usr/lib/fail2ban . \
- | xargs sed -i -e's,/usr/lib/fail2ban,%{_datadir}/fail2ban,g'
-dos2unix config/redhat-initd
%patch0 -p1 -b .init
+%patch1 -p1 -b .sshd
+#patch2 -p1 -b .sock
+%patch3 -p1 -b .fd_cloexec
+%patch4 -p1 -b .CVE-2009-0362
%build
python setup.py build
@@ -33,13 +42,14 @@ python setup.py build
%install
rm -rf %{buildroot}
python setup.py install -O1 --root %{buildroot}
-mkdir -p %{buildroot}%{_initrddir}
-install -p -m 755 config/redhat-initd %{buildroot}%{_initrddir}/fail2ban
-mkdir -p %{buildroot}%{_sysconfdir}
-install -p -m 644 config/fail2ban.conf.iptables %{buildroot}%{_sysconfdir}/fail2ban.conf
-mkdir -p %{buildroot}%{_mandir}/man{8,5}
-install -p -m 644 man/fail2ban.8 %{buildroot}%{_mandir}/man8
-install -p -m 644 man/fail2ban.conf.5 %{buildroot}%{_mandir}/man5
+mkdir -p %{buildroot}%{_initdir}
+install -p -m 755 files/redhat-initd %{buildroot}%{_initdir}/fail2ban
+mkdir -p %{buildroot}%{_mandir}/man1
+install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
+mkdir -p %{buildroot}%{_localstatedir}/run/fail2ban
+chmod 0755 %{buildroot}%{_localstatedir}/run/fail2ban
%clean
rm -rf %{buildroot}
@@ -55,18 +65,77 @@ fi
%files
%defattr(-,root,root,-)
-%doc README TODO CHANGELOG
-%doc config/fail2ban.conf*
-%config(noreplace) %{_sysconfdir}/fail2ban.conf
-%{_bindir}/fail2ban
+%doc README TODO ChangeLog COPYING
+#doc config/fail2ban.conf*
+%{_bindir}/fail2ban-server
+%{_bindir}/fail2ban-client
+%{_bindir}/fail2ban-regex
%{_datadir}/fail2ban
-%{_initrddir}/fail2ban
-%{_mandir}/man8/fail2ban.8*
-%{_mandir}/man5/fail2ban.conf.5*
+%{_initdir}/fail2ban
+%{_mandir}/man1/fail2ban-*.1*
+%dir %{_sysconfdir}/fail2ban
+%dir %{_sysconfdir}/fail2ban/action.d
+%dir %{_sysconfdir}/fail2ban/filter.d
+%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
+%dir %{_localstatedir}/run/fail2ban
%changelog
-* Thu Jan 29 2009 Adam Miller <maxamillion [AT] gmail.com> - 0.6.2-3
-- Rebuild for EPEL - EL4
+* Mon Mar 04 2009 Adam Miller <maxamillion [AT] gmail.com> - 0.8.3-18
+- Rebuild For EPEL
+
+* Sat Feb 14 2009 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.3-18
+- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).
+
+* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm at gmail.com> - 0.8.3-17
+- Rebuild for Python 2.6
+
+* Sun Aug 24 2008 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.3-16
+- Update to 0.8.3.
+
+* Wed May 21 2008 Tom "spot" Callaway <tcallawa at redhat.com> - 0.8.2-15
+- fix license tag
+
+* Thu Mar 27 2008 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.2-14
+- Close on exec fixes by Jonathan Underwood.
+
+* Sun Mar 16 2008 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.2-13
+- Add %%{_localstatedir}/run/fail2ban (David Rees).
+
+* Fri Mar 14 2008 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.2-12
+- Update to 0.8.2.
+
+* Thu Jan 31 2008 Jonathan G. Underwood <jonathan.underwood at gmail.com> - 0.8.1-11
+- Move socket file from /tmp to /var/run to prevent SElinux from stopping
+ fail2ban from starting (BZ #429281)
+- Change logic in init file to start with -x to remove the socket file in case
+ of unclean shutdown
+
+* Wed Aug 15 2007 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.1-10
+- Update to 0.8.1.
+- Remove patch fixing CVE-2007-4321 (upstream).
+- Remove AllowUsers patch (upstream).
+- Add dependency to gamin-python.
+
+* Thu Jun 21 2007 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.0-9
+- Fix remote log injection (no CVE assignment yet).
+
+* Sun Jun 3 2007 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.0-8
+- Also trigger on non-AllowUsers failures (Jonathan Underwood
+ <jonathan.underwood at gmail.com>).
+
+* Wed May 23 2007 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.0-7
+- logrotate should restart fail2ban (Zing <zing at fastmail.fm>).
+- send mail to root; logrotate (Jonathan Underwood
+ <jonathan.underwood at gmail.com>)
+
+* Sat May 19 2007 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.8.0-4
+- Update to 0.8.0.
+- enable ssh by default, fix log file for ssh scanning, adjust python
+ dependency (Jonathan Underwood <jonathan.underwood at gmail.com>)
* Sat Dec 30 2006 Axel Thimm <Axel.Thimm at ATrpms.net> - 0.6.2-3
- Remove forgotten condrestart.
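Review bot: The new top `%changelog` entry is dated `Mon Mar 04 2009`, but 4 March 2009 was a Wednesday and this commit itself is dated Mon May 4 2009, so the month looks like a typo for `May`. The entry also shares the version-release `0.8.3-18` with the Feb 14 2009 entry directly below it; if the EPEL rebuild needs to be distinguishable from that build, bump `Release` and the changelog header together.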
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/fail2ban/EL-4/sources,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- sources 30 Dec 2006 19:12:03 -0000 1.2
+++ sources 4 May 2009 19:31:03 -0000 1.3
@@ -1 +1 @@
-7c686e610f0ad7678688a1bb2cd913da fail2ban-0.6.2.tar.bz2
+b438d7e2ce77a469fb0cca2a5cc0b81c fail2ban-0.8.3.tar.bz2
--- fail2ban-0.6.2-init.patch DELETED ---