[denyhosts] Security fix and long-overdue cleanups

Jason ティビツ tibbs at fedoraproject.org
Wed Jan 15 19:57:13 UTC 2014


commit 940f90339f5c22ea02ae7d7011037324825f1025
Author: Jason Tibbitts <tibbs at math.uh.edu>
Date:   Wed Jan 15 13:20:41 2014 -0600

    Security fix and long-overdue cleanups

 README.fedora  |   15 ++++++-
 denyhosts.spec |  112 +++++++++++++++++++++++++-------------------------------
 2 files changed, 63 insertions(+), 64 deletions(-)
---
diff --git a/README.fedora b/README.fedora
index 0c3eeb0..8416db9 100644
--- a/README.fedora
+++ b/README.fedora
@@ -1,6 +1,17 @@
 Some useful information about DenyHosts as packaged by Fedora Extras
 --------------------------------------------------------------------
 
+It requires a syslog daemon to be configured and running in order to produce
+parseable log output.  Fedora has several syslog daemons, but if you have no
+preference, then:
+
+  yum install rsyslog
+  systemctl start rsyslog.service
+
+should get you going with the default configuration of both rsyslog and
+denyhosts, which work together out of the box.
+
+
 It installs and runs as a service, so you can start it with:
 
   systemctl start denyhosts.service
@@ -12,7 +23,7 @@ and enable it at boot time with:
 
 By default denyhosts runs continuously waking up to process your logs
 every thirty seconds.  However, you can choose to have it run
-periodically via cron.  To do so, make sure the daemon is stopped and disabbled:
+periodically via cron.  To do so, make sure the daemon is stopped and disabled:
 
   systemctl stop denyhosts.service
   systemctl disable denyhosts.service
@@ -71,7 +82,7 @@ the denyhosts unit file specifies that it should be started before sshd, this
 implies that startup of sshd and anything that depends upon it may also be
 delayed significantly.
 
-If you need ALLOWED_HOSTS_HOSTNAME_LOOKUP, you specify a large number of hosts
+If you need ALLOWED_HOSTS_HOSTNAME_LOOKUP, you specify a large number of hosts,
 your DNS is slow, and you are having issues with sshd not coming up
 sufficiently quickly, consider copying the systemd.service file from
 /lib/systemd/system to /etc/systemd/system and editing it to remove the
diff --git a/denyhosts.spec b/denyhosts.spec
index e246535..0734dea 100644
--- a/denyhosts.spec
+++ b/denyhosts.spec
@@ -1,12 +1,12 @@
 Name:       denyhosts
 Version:    2.6
-Release:    29%{?dist}
+Release:    30%{?dist}
 Summary:    A script to help thwart ssh server attacks
 
 Group:      Applications/System
 License:    GPLv2
 URL:        http://denyhosts.sourceforge.net/
-Source0:    http://dl.sourceforge.net/denyhosts/DenyHosts-%{version}.tar.gz
+Source0:    http://downloads.sourceforge.net/denyhosts/DenyHosts-%{version}.tar.gz
 Source1:    denyhosts.cron
 Source2:    denyhosts.service
 Source3:    denyhosts-allowed-hosts
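Review bot: Both `URL:` and the updated `Source0:` remain plain `http://`, so anyone refreshing the tarball from this location gets no transport integrity. If the host serves it, prefer `Source0:    https://downloads.sourceforge.net/denyhosts/DenyHosts-%{version}.tar.gz`. The build presumably relies on the checksum recorded in the dist-git `sources` file, which is not part of this diff. That checksum is then the only thing tying the package to the upstream release, so it should be compared against an independently obtained copy whenever the tarball is re-uploaded.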
@@ -19,8 +19,9 @@ Patch2:     denyhosts-2.6-daemon-control.patch
 Patch3:     denyhosts-2.6-defconffile.patch
 Patch4:     denyhosts-2.6-commandlinesync.patch
 Patch5:     denyhosts-2.6-hostname.patch
-# Patch10 is a security fix
+# Patch10+ are security fixes
 Patch10:    denyhosts-2.6-regex.patch
+Patch11:    denyhosts-2.6-CVE-2013-6890.patch
 BuildArch:  noarch
 
 BuildRequires:  python2-devel systemd-units
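Review bot: The comment `# Patch10+ are security fixes` does not say which advisory each patch addresses, so answering "is this CVE fixed in this build?" depends on reading patch filenames and the changelog. I would put the reference beside each patch, e.g. `# Patch11: CVE-2013-6890 (rhbz 1045983)`, with a matching line for Patch10 carrying its own bug id (`# Patch10: <bug reference>`). The open-ended "10+" also leaves the numbering convention implicit, so a later non-security patch numbered above 10 would be mislabelled by this comment.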
@@ -49,6 +50,7 @@ be sent to a system admin.
 %patch4 -p1 -b .commandlinesync
 %patch5 -p0 -b .hostname
 %patch10 -p1 -b .regex
+%patch11 -p1 -b .CVE-2013-6890
 
 cp %{SOURCE6} .
 
@@ -72,95 +74,81 @@ chmod +x plugins/*
 %install
 %{__python} setup.py install -O1 --skip-build --root=%{buildroot}
 
-install -d %{buildroot}/%{_bindir}
-install -d %{buildroot}/%{_sysconfdir}/cron.d
-install -d %{buildroot}/%{_sysconfdir}/logrotate.d
+install -d %{buildroot}/usr/bin
+install -d %{buildroot}/etc/cron.d
+install -d %{buildroot}/etc/logrotate.d
 
-install -d -m 700 %{buildroot}/%{_localstatedir}/lib/denyhosts
-install -d %{buildroot}/%{_localstatedir}/log
+install -d -m 700 %{buildroot}/var/lib/denyhosts
+install -d %{buildroot}/var/log
 install -d -m 755 %{buildroot}/%{_unitdir}
 
 
-install -p -m 600 denyhosts.cfg-dist %{buildroot}/%{_sysconfdir}/denyhosts.conf
-install -p -m 755 daemon-control-dist %{buildroot}/%{_bindir}/denyhosts-control
-install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/cron.d/denyhosts
+install -p -m 600 denyhosts.cfg-dist %{buildroot}/etc/denyhosts.conf
+install -p -m 755 daemon-control-dist %{buildroot}/usr/bin/denyhosts-control
+install -p -m 644 %{SOURCE1} %{buildroot}/etc/cron.d/denyhosts
 install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir}/denyhosts.service
-install -p -m 644 %{SOURCE3} %{buildroot}/%{_localstatedir}/lib/denyhosts/allowed-hosts
-install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/logrotate.d/denyhosts
+install -p -m 644 %{SOURCE3} %{buildroot}/var/lib/denyhosts/allowed-hosts
+install -p -m 644 %{SOURCE5} %{buildroot}/etc/logrotate.d/denyhosts
 
-install -p -m 755 %{SOURCE10} %{buildroot}/%{_datadir}/denyhosts/plugins/restorecon.sh
+install -p -m 755 %{SOURCE10} %{buildroot}/usr/share/denyhosts/plugins/restorecon.sh
 
-touch %{buildroot}/%{_localstatedir}/log/denyhosts
+touch %{buildroot}/var/log/denyhosts
 
 for i in allowed-warned-hosts hosts hosts-restricted hosts-root \
          hosts-valid offset suspicious-logins sync-hosts \
          users-hosts users-invalid users-valid; do
-  touch %{buildroot}/%{_localstatedir}/lib/denyhosts/$i
+  touch %{buildroot}/var/lib/denyhosts/$i
 done
 
 %post
-if [ $1 -eq 1 ] ; then 
-    # Initial installation 
-    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-fi
+%systemd_post denyhosts.service
 
 %preun
-if [ $1 -eq 0 ] ; then
-    # Package removal, not upgrade
-    /bin/systemctl --no-reload disable denyhosts.service > /dev/null 2>&1 || :
-    /bin/systemctl stop denyhosts.service > /dev/null 2>&1 || :
-fi
+%systemd_preun denyhosts.service
 
 %postun
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
-    # Package upgrade, not uninstall
-    /bin/systemctl try-restart denyhosts.service >/dev/null 2>&1 || :
-fi
-
-%triggerun -- denyhosts < 2.6-25
-# Save the current service runlevel info
-# User must manually run systemd-sysv-convert --apply denyhosts
-# to migrate them to systemd targets
-/usr/bin/systemd-sysv-convert --save denyhosts >/dev/null 2>&1 ||:
-
-# Run these because the SysV package being removed won't do them
-/sbin/chkconfig --del denyhosts >/dev/null 2>&1 || :
-/bin/systemctl try-restart denyhosts.service >/dev/null 2>&1 || :
+%systemd_postun_with_restart denyhosts.service
 
 %files
 %defattr(-,root,root,-)
 %doc CHANGELOG.txt denyhosts.cfg-dist LICENSE.txt
 %doc README.fedora README.txt setup.py README.contrib
 
-%{_bindir}/denyhosts.py
+/usr/bin/denyhosts.py
 
-%{_bindir}/denyhosts-control
-%{_datadir}/denyhosts
+/usr/bin/denyhosts-control
+/usr/share/denyhosts
 %{python_sitelib}/*
 %{_unitdir}/denyhosts.service
 
-%config(noreplace) %{_sysconfdir}/denyhosts.conf
-%config(noreplace) %{_sysconfdir}/cron.d/denyhosts
-%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
-%config(noreplace) %{_localstatedir}/lib/denyhosts/allowed-hosts
-
-%ghost %{_localstatedir}/log/denyhosts
-%ghost %{_localstatedir}/lib/denyhosts/allowed-warned-hosts
-%ghost %{_localstatedir}/lib/denyhosts/hosts
-%ghost %{_localstatedir}/lib/denyhosts/hosts-restricted
-%ghost %{_localstatedir}/lib/denyhosts/hosts-root
-%ghost %{_localstatedir}/lib/denyhosts/hosts-valid
-%ghost %{_localstatedir}/lib/denyhosts/offset
-%ghost %{_localstatedir}/lib/denyhosts/suspicious-logins
-%ghost %{_localstatedir}/lib/denyhosts/sync-hosts
-%ghost %{_localstatedir}/lib/denyhosts/users-hosts
-%ghost %{_localstatedir}/lib/denyhosts/users-invalid
-%ghost %{_localstatedir}/lib/denyhosts/users-valid
-
-%dir %{_localstatedir}/lib/denyhosts
+%config(noreplace) /etc/denyhosts.conf
+%config(noreplace) /etc/cron.d/denyhosts
+%config(noreplace) /etc/logrotate.d/denyhosts
+%config(noreplace) /var/lib/denyhosts/allowed-hosts
+
+%ghost /var/log/denyhosts
+%ghost /var/lib/denyhosts/allowed-warned-hosts
+%ghost /var/lib/denyhosts/hosts
+%ghost /var/lib/denyhosts/hosts-restricted
+%ghost /var/lib/denyhosts/hosts-root
+%ghost /var/lib/denyhosts/hosts-valid
+%ghost /var/lib/denyhosts/offset
+%ghost /var/lib/denyhosts/suspicious-logins
+%ghost /var/lib/denyhosts/sync-hosts
+%ghost /var/lib/denyhosts/users-hosts
+%ghost /var/lib/denyhosts/users-invalid
+%ghost /var/lib/denyhosts/users-valid
+
+%dir /var/lib/denyhosts
 
 %changelog
+* Wed Jan 15 2014 Jason L Tibbitts III <tibbs at math.uh.edu> - 2.6-30
+- Add Patch for CVE-2013-6890 (rhbz 1045983).
+- Update Source URL.
+- Update README.Fedora to indicate syslog requirement.
+- Use systemd scriptlet macros.
+- Remove pointless macroization.
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6-29
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
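Review bot: The `%systemd_post`, `%systemd_preun` and `%systemd_postun_with_restart` scriptlets need systemd installed before they run, and as far as I recall the macros discard systemctl failures, so a missing dependency fails silently. Nothing in this hunk adds the scriptlet dependencies, though most of the spec header is outside the visible hunks, so they may already be declared. If they are not, add `Requires(post): systemd`, `Requires(preun): systemd` and `Requires(postun): systemd`. This matters for this update in particular, because the restart in `%postun` is what makes a running daemon pick up the CVE-2013-6890 patch instead of keeping the old code resident. Separately, removing `%triggerun -- denyhosts < 2.6-25` drops the SysV-to-systemd migration for hosts upgrading from those releases, so confirm that no supported release still carries a package that old.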
 

