[denyhosts] Security fix and long-overdue cleanups
Jason ティビツ
tibbs at fedoraproject.org
Wed Jan 15 19:57:13 UTC 2014
commit 940f90339f5c22ea02ae7d7011037324825f1025
Author: Jason Tibbitts <tibbs at math.uh.edu>
Date: Wed Jan 15 13:20:41 2014 -0600
Security fix and long-overdue cleanups
README.fedora | 15 ++++++-
denyhosts.spec | 112 +++++++++++++++++++++++++-------------------------------
2 files changed, 63 insertions(+), 64 deletions(-)
---
diff --git a/README.fedora b/README.fedora
index 0c3eeb0..8416db9 100644
--- a/README.fedora
+++ b/README.fedora
@@ -1,6 +1,17 @@
Some useful information about DenyHosts as packaged by Fedora Extras
--------------------------------------------------------------------
+It requires a syslog daemon to be configured and running in order to produce
+parseable log output. Fedora has several syslog daemons, but if you have no
+preference, then:
+
+ yum install rsyslog
+ systemctl start rsyslog.service
+
+should get you going with the default configuration of both rsyslog and
+denyhosts, which work together out of the box.
+
+
It installs and runs as a service, so you can start it with:
systemctl start denyhosts.service
@@ -12,7 +23,7 @@ and enable it at boot time with:
By default denyhosts runs continuously waking up to process your logs
every thirty seconds. However, you can choose to have it run
-periodically via cron. To do so, make sure the daemon is stopped and disabbled:
+periodically via cron. To do so, make sure the daemon is stopped and disabled:
systemctl stop denyhosts.service
systemctl disable denyhosts.service
@@ -71,7 +82,7 @@ the denyhosts unit file specifies that it should be started before sshd, this
implies that startup of sshd and anything that depends upon it may also be
delayed significantly.
-If you need ALLOWED_HOSTS_HOSTNAME_LOOKUP, you specify a large number of hosts
+If you need ALLOWED_HOSTS_HOSTNAME_LOOKUP, you specify a large number of hosts,
your DNS is slow, and you are having issues with sshd not coming up
sufficiently quickly, consider copying the systemd.service file from
/lib/systemd/system to /etc/systemd/system and editing it to remove the
diff --git a/denyhosts.spec b/denyhosts.spec
index e246535..0734dea 100644
--- a/denyhosts.spec
+++ b/denyhosts.spec
@@ -1,12 +1,12 @@
Name: denyhosts
Version: 2.6
-Release: 29%{?dist}
+Release: 30%{?dist}
Summary: A script to help thwart ssh server attacks
Group: Applications/System
License: GPLv2
URL: http://denyhosts.sourceforge.net/
-Source0: http://dl.sourceforge.net/denyhosts/DenyHosts-%{version}.tar.gz
+Source0: http://downloads.sourceforge.net/denyhosts/DenyHosts-%{version}.tar.gz
Source1: denyhosts.cron
Source2: denyhosts.service
Source3: denyhosts-allowed-hosts
@@ -19,8 +19,9 @@ Patch2: denyhosts-2.6-daemon-control.patch
Patch3: denyhosts-2.6-defconffile.patch
Patch4: denyhosts-2.6-commandlinesync.patch
Patch5: denyhosts-2.6-hostname.patch
-# Patch10 is a security fix
+# Patch10+ are security fixes
Patch10: denyhosts-2.6-regex.patch
+Patch11: denyhosts-2.6-CVE-2013-6890.patch
BuildArch: noarch
BuildRequires: python2-devel systemd-units
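Review bot: The new `Patch11: denyhosts-2.6-CVE-2013-6890.patch` line carries only the CVE id; the bug reference rhbz 1045983 appears in %changelog but nothing next to the patch list says what the patch changes or where it was taken from, which is what the next maintainer needs when rebasing it onto a newer tarball. A one-line comment above it, `# Patch11: fix for CVE-2013-6890 (rhbz 1045983)`, keeps that next to the Patch line, and if the fix comes from an upstream commit, naming it there too would help. The `# Patch10+ are security fixes` heading is fine as is. The spec preamble continues outside this hunk.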
@@ -49,6 +50,7 @@ be sent to a system admin.
%patch4 -p1 -b .commandlinesync
%patch5 -p0 -b .hostname
%patch10 -p1 -b .regex
+%patch11 -p1 -b .CVE-2013-6890
cp %{SOURCE6} .
@@ -72,95 +74,81 @@ chmod +x plugins/*
%install
%{__python} setup.py install -O1 --skip-build --root=%{buildroot}
-install -d %{buildroot}/%{_bindir}
-install -d %{buildroot}/%{_sysconfdir}/cron.d
-install -d %{buildroot}/%{_sysconfdir}/logrotate.d
+install -d %{buildroot}/usr/bin
+install -d %{buildroot}/etc/cron.d
+install -d %{buildroot}/etc/logrotate.d
-install -d -m 700 %{buildroot}/%{_localstatedir}/lib/denyhosts
-install -d %{buildroot}/%{_localstatedir}/log
+install -d -m 700 %{buildroot}/var/lib/denyhosts
+install -d %{buildroot}/var/log
install -d -m 755 %{buildroot}/%{_unitdir}
-install -p -m 600 denyhosts.cfg-dist %{buildroot}/%{_sysconfdir}/denyhosts.conf
-install -p -m 755 daemon-control-dist %{buildroot}/%{_bindir}/denyhosts-control
-install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/cron.d/denyhosts
+install -p -m 600 denyhosts.cfg-dist %{buildroot}/etc/denyhosts.conf
+install -p -m 755 daemon-control-dist %{buildroot}/usr/bin/denyhosts-control
+install -p -m 644 %{SOURCE1} %{buildroot}/etc/cron.d/denyhosts
install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir}/denyhosts.service
-install -p -m 644 %{SOURCE3} %{buildroot}/%{_localstatedir}/lib/denyhosts/allowed-hosts
-install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/logrotate.d/denyhosts
+install -p -m 644 %{SOURCE3} %{buildroot}/var/lib/denyhosts/allowed-hosts
+install -p -m 644 %{SOURCE5} %{buildroot}/etc/logrotate.d/denyhosts
-install -p -m 755 %{SOURCE10} %{buildroot}/%{_datadir}/denyhosts/plugins/restorecon.sh
+install -p -m 755 %{SOURCE10} %{buildroot}/usr/share/denyhosts/plugins/restorecon.sh
-touch %{buildroot}/%{_localstatedir}/log/denyhosts
+touch %{buildroot}/var/log/denyhosts
for i in allowed-warned-hosts hosts hosts-restricted hosts-root \
hosts-valid offset suspicious-logins sync-hosts \
users-hosts users-invalid users-valid; do
- touch %{buildroot}/%{_localstatedir}/lib/denyhosts/$i
+ touch %{buildroot}/var/lib/denyhosts/$i
done
%post
-if [ $1 -eq 1 ] ; then
- # Initial installation
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-fi
+%systemd_post denyhosts.service
%preun
-if [ $1 -eq 0 ] ; then
- # Package removal, not upgrade
- /bin/systemctl --no-reload disable denyhosts.service > /dev/null 2>&1 || :
- /bin/systemctl stop denyhosts.service > /dev/null 2>&1 || :
-fi
+%systemd_preun denyhosts.service
%postun
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
- # Package upgrade, not uninstall
- /bin/systemctl try-restart denyhosts.service >/dev/null 2>&1 || :
-fi
-
-%triggerun -- denyhosts < 2.6-25
-# Save the current service runlevel info
-# User must manually run systemd-sysv-convert --apply denyhosts
-# to migrate them to systemd targets
-/usr/bin/systemd-sysv-convert --save denyhosts >/dev/null 2>&1 ||:
-
-# Run these because the SysV package being removed won't do them
-/sbin/chkconfig --del denyhosts >/dev/null 2>&1 || :
-/bin/systemctl try-restart denyhosts.service >/dev/null 2>&1 || :
+%systemd_postun_with_restart denyhosts.service
%files
%defattr(-,root,root,-)
%doc CHANGELOG.txt denyhosts.cfg-dist LICENSE.txt
%doc README.fedora README.txt setup.py README.contrib
-%{_bindir}/denyhosts.py
+/usr/bin/denyhosts.py
-%{_bindir}/denyhosts-control
-%{_datadir}/denyhosts
+/usr/bin/denyhosts-control
+/usr/share/denyhosts
%{python_sitelib}/*
%{_unitdir}/denyhosts.service
-%config(noreplace) %{_sysconfdir}/denyhosts.conf
-%config(noreplace) %{_sysconfdir}/cron.d/denyhosts
-%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
-%config(noreplace) %{_localstatedir}/lib/denyhosts/allowed-hosts
-
-%ghost %{_localstatedir}/log/denyhosts
-%ghost %{_localstatedir}/lib/denyhosts/allowed-warned-hosts
-%ghost %{_localstatedir}/lib/denyhosts/hosts
-%ghost %{_localstatedir}/lib/denyhosts/hosts-restricted
-%ghost %{_localstatedir}/lib/denyhosts/hosts-root
-%ghost %{_localstatedir}/lib/denyhosts/hosts-valid
-%ghost %{_localstatedir}/lib/denyhosts/offset
-%ghost %{_localstatedir}/lib/denyhosts/suspicious-logins
-%ghost %{_localstatedir}/lib/denyhosts/sync-hosts
-%ghost %{_localstatedir}/lib/denyhosts/users-hosts
-%ghost %{_localstatedir}/lib/denyhosts/users-invalid
-%ghost %{_localstatedir}/lib/denyhosts/users-valid
-
-%dir %{_localstatedir}/lib/denyhosts
+%config(noreplace) /etc/denyhosts.conf
+%config(noreplace) /etc/cron.d/denyhosts
+%config(noreplace) /etc/logrotate.d/denyhosts
+%config(noreplace) /var/lib/denyhosts/allowed-hosts
+
+%ghost /var/log/denyhosts
+%ghost /var/lib/denyhosts/allowed-warned-hosts
+%ghost /var/lib/denyhosts/hosts
+%ghost /var/lib/denyhosts/hosts-restricted
+%ghost /var/lib/denyhosts/hosts-root
+%ghost /var/lib/denyhosts/hosts-valid
+%ghost /var/lib/denyhosts/offset
+%ghost /var/lib/denyhosts/suspicious-logins
+%ghost /var/lib/denyhosts/sync-hosts
+%ghost /var/lib/denyhosts/users-hosts
+%ghost /var/lib/denyhosts/users-invalid
+%ghost /var/lib/denyhosts/users-valid
+
+%dir /var/lib/denyhosts
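Review bot: The 0700 mode on the denyhosts state directory is enforced only by `install -d -m 700` in %install and the `-` mode field of `%defattr(-,root,root,-)` at the top of %files, so the `%dir /var/lib/denyhosts` entry at the end of the list carries no permission of its own; the same holds for the 0600 `denyhosts.conf`. Stating the mode where the file is listed makes the intent survive a later edit to %install and lets `rpm -V` report a widened directory, e.g. `%attr(0700,root,root) %dir /var/lib/denyhosts` and `%attr(0600,root,root) %config(noreplace) /etc/denyhosts.conf`. The %ghost entries under /var/lib/denyhosts take whatever mode `touch` produced under the build umask (presumably 0644); the 0700 parent keeps them private, but an explicit `%attr(0600,root,root)` on them would make that intent visible as well. The rest of the spec, including %changelog, lies outside this hunk.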
%changelog
+* Wed Jan 15 2014 Jason L Tibbitts III <tibbs at math.uh.edu> - 2.6-30
+- Add Patch for CVE-2013-6890 (rhbz 1045983).
+- Update Source URL.
+- Update README.Fedora to indicate syslog requirement.
+- Use systemd scriptlet macros.
+- Remove pointless macroization.
+
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild