From d0f8175ad9ce08a811ff9512740214e9001f1e8a Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Jun 12 2013 22:34:16 +0000
Subject: Update to 0.8.10 security release
- Use upstream provided systemd files
- Drop upstreamed patches, rebase log2syslog and notmp patches
---
diff --git a/.gitignore b/.gitignore
index a463bbc..fa2b88b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ fail2ban-FAIL2BAN-0_8.tar.bz2
 fail2ban-0.8.4.tar.bz2
 /fail2ban_0.8.7.1.orig.tar.gz
 /fail2ban_0.8.8.orig.tar.gz
+/fail2ban-0.8.10.tar.gz
diff --git a/asyncserver.start_selinux.patch b/asyncserver.start_selinux.patch
deleted file mode 100644
index 7f36ae4..0000000
--- a/asyncserver.start_selinux.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 20c717c25c5d180b720bec6902475f07b02f8b87 Mon Sep 17 00:00:00 2001
-From: Jonathan G. Underwood
-Date: Sun, 3 Jan 2010 02:16:09 +0000
-Subject: [PATCH] Set socket file descriptor in AsyncServer.start to be CLOEXEC
-
-https://bugzilla.redhat.com/show_bug.cgi?id=522767
----
- server/asyncserver.py | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/server/asyncserver.py b/server/asyncserver.py
-index 35cebf1..96b62d0 100644
---- a/server/asyncserver.py
-+++ b/server/asyncserver.py
-@@ -26,7 +26,7 @@ __license__ = "GPL"
-
- from pickle import dumps, loads, HIGHEST_PROTOCOL
- from common import helpers
--import asyncore, asynchat, socket, os, logging, sys, traceback
-+import asyncore, asynchat, socket, os, logging, sys, traceback, fcntl
-
- # Gets the instance of the logger.
- logSys = logging.getLogger("fail2ban.server")
-@@ -126,6 +126,8 @@ class AsyncServer(asyncore.dispatcher):
- raise AsyncServerException("Server already running")
- # Creates the socket.
- self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM)
-+ fd = self.fileno()
-+ fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
- self.set_reuse_addr()
- try:
- self.bind(sock)
---
-1.6.5.2
-
diff --git a/fail2ban-0.8.3-log2syslog.patch b/fail2ban-0.8.3-log2syslog.patch
deleted file mode 100644
index 5ee11f6..0000000
--- a/fail2ban-0.8.3-log2syslog.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- fail2ban-0.8.3/config/fail2ban.conf~ 2008-02-27 22:44:55.000000000 +0100
-+++ fail2ban-0.8.3/config/fail2ban.conf 2009-08-27 20:48:25.000000000 +0200
-@@ -22,7 +22,7 @@
- # Only one log target can be specified.
- # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
- #
--logtarget = /var/log/fail2ban.log
-+logtarget = SYSLOG
-
- # Option: socket
- # Notes.: Set the socket file. This is used to communicate with the daemon. Do
diff --git a/fail2ban-0.8.7.1-notmp.patch b/fail2ban-0.8.7.1-notmp.patch
deleted file mode 100644
index 6c52c96..0000000
--- a/fail2ban-0.8.7.1-notmp.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff -U0 fail2ban-0.8.7.1/ChangeLog.notmp fail2ban-0.8.7.1/ChangeLog
---- fail2ban-0.8.7.1/ChangeLog.notmp 2012-07-31 19:45:04.000000000 -0600
-+++ fail2ban-0.8.7.1/ChangeLog 2012-10-11 11:49:16.317481660 -0600
-@@ -511 +511 @@
--- Changed default PID lock file location from /tmp to /var/run
-+- Changed default PID lock file location from /var/lib/fail2ban to /var/run
-diff -up fail2ban-0.8.7.1/client/fail2banreader.py.notmp fail2ban-0.8.7.1/client/fail2banreader.py
---- fail2ban-0.8.7.1/client/fail2banreader.py.notmp 2012-07-31 19:45:04.000000000 -0600
-+++ fail2ban-0.8.7.1/client/fail2banreader.py 2012-10-11 11:49:16.318481661 -0600
-@@ -42,7 +42,7 @@ class Fail2banReader(ConfigReader):
- ConfigReader.read(self, "fail2ban")
-
- def getEarlyOptions(self):
-- opts = [["string", "socket", "/tmp/fail2ban.sock"]]
-+ opts = [["string", "socket", "/var/lib/fail2ban/fail2ban.sock"]]
- return ConfigReader.getOptions(self, "Definition", opts)
-
- def getOptions(self):
-diff -up fail2ban-0.8.7.1/config/action.d/dshield.conf.notmp fail2ban-0.8.7.1/config/action.d/dshield.conf
-diff -up fail2ban-0.8.7.1/config/action.d/mail-buffered.conf.notmp fail2ban-0.8.7.1/config/action.d/mail-buffered.conf
-diff -up fail2ban-0.8.7.1/config/action.d/mynetwatchman.conf.notmp fail2ban-0.8.7.1/config/action.d/mynetwatchman.conf
-diff -up fail2ban-0.8.7.1/config/action.d/sendmail-buffered.conf.notmp fail2ban-0.8.7.1/config/action.d/sendmail-buffered.conf
-diff -up fail2ban-0.8.7.1/files/nagios/f2ban.txt.notmp fail2ban-0.8.7.1/files/nagios/f2ban.txt
---- fail2ban-0.8.7.1/files/nagios/f2ban.txt.notmp 2012-07-31 19:45:04.000000000 -0600
-+++ fail2ban-0.8.7.1/files/nagios/f2ban.txt 2012-10-11 11:53:32.323532817 -0600
-@@ -6,7 +6,7 @@ HELP:
- /etc/init.d/fail2ban stop
-
- 2.) delete the socket if available
--rm /tmp/fail2ban.sock
-+rm /var/run/fail2ban/fail2ban.sock
-
- 3.)
start the Service
- /etc/init.d/fail2ban start
-diff -up fail2ban-0.8.7.1/testcases/actiontestcase.py.notmp fail2ban-0.8.7.1/testcases/actiontestcase.py
diff --git a/fail2ban-0.8.8-sshd-pam.patch b/fail2ban-0.8.8-sshd-pam.patch
deleted file mode 100644
index cfe0772..0000000
--- a/fail2ban-0.8.8-sshd-pam.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam fail2ban-0.8.8/config/filter.d/sshd.conf
---- fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam 2012-12-05 20:51:29.000000000 -0700
-+++ fail2ban-0.8.8/config/filter.d/sshd.conf 2013-01-18 14:29:00.300902426 -0700
-@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error:
- ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
- ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
- ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$
-- ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
- ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
- ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
-
diff --git a/fail2ban-log2syslog.patch b/fail2ban-log2syslog.patch
new file mode 100644
index 0000000..49c220d
--- /dev/null
+++ b/fail2ban-log2syslog.patch
@@ -0,0 +1,12 @@
+diff -up fail2ban-0.8.10/config/fail2ban.conf.log2syslog fail2ban-0.8.10/config/fail2ban.conf
+--- fail2ban-0.8.10/config/fail2ban.conf.log2syslog 2013-06-12 11:21:12.000000000 -0600
++++ fail2ban-0.8.10/config/fail2ban.conf 2013-06-12 16:12:48.233512068 -0600
+@@ -30,7 +30,7 @@ loglevel = 3
+ # (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+ # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
+ #
+-logtarget = /var/log/fail2ban.log
++logtarget = SYSLOG
+
+ # Option: socket
+ # Notes.: Set the socket file. This is used to communicate with the daemon. Do
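Review bot: The rebased `fail2ban-log2syslog.patch` has no header explaining why the packaged default departs from upstream, and the context line just above the change still reads `Default: /var/log/fail2ban.log`, so the installed `fail2ban.conf` gives an administrator no hint that ban events go to syslog. A one-line description at the top of the patch, for example `Log to syslog by default instead of /var/log/fail2ban.log`, would document the intent. Anything that expects the log file should be checked against this default: the spec still installs `fail2ban-logrotate` as Source1, and any jail configured to read fail2ban's own log would need its path adjusted; neither file's content is visible in this commit.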
diff --git a/fail2ban-notmp.patch b/fail2ban-notmp.patch
new file mode 100644
index 0000000..8799101
--- /dev/null
+++ b/fail2ban-notmp.patch
@@ -0,0 +1,12 @@
+diff -up fail2ban-0.8.10/client/fail2banreader.py.notmp fail2ban-0.8.10/client/fail2banreader.py
+--- fail2ban-0.8.10/client/fail2banreader.py.notmp 2013-06-12 11:21:12.000000000 -0600
++++ fail2ban-0.8.10/client/fail2banreader.py 2013-06-12 16:17:43.820837700 -0600
+@@ -39,7 +39,7 @@ class Fail2banReader(ConfigReader):
+ ConfigReader.read(self, "fail2ban")
+
+ def getEarlyOptions(self):
+- opts = [["string", "socket", "/tmp/fail2ban.sock"],
++ opts = [["string", "socket", "/var/run/fail2ban/fail2ban.sock"],
+ ["string", "pidfile", "/var/run/fail2ban/fail2ban.pid"]]
+ return ConfigReader.getOptions(self, "Definition", opts)
+
diff --git a/fail2ban.spec b/fail2ban.spec
index 0e7283b..40164e5 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
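Review bot: Only the hard-coded client fallback in `getEarlyOptions` is moved out of `/tmp` by the new `fail2ban-notmp.patch`, whereas the patch it replaces also touched `ChangeLog` and `files/nagios/f2ban.txt`. Whether the `socket` option in 0.8.10's `config/fail2ban.conf`, the server-side default and the nagios help text already point at `/var/run/fail2ban/fail2ban.sock` cannot be seen from this commit. If any of them still names `/tmp/fail2ban.sock`, the control socket can land at a predictable path in a world-writable directory, or client and server can disagree on its location. A short header in the patch listing which upstream defaults were checked during the rebase would make this auditable.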
@@ -1,32 +1,16 @@
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
-Version: 0.8.8
-Release: 4%{?dist}
+Version: 0.8.10
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
-Source0: https://github.com/downloads/%{name}/%{name}/%{name}_%{version}.orig.tar.gz
+Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: fail2ban-logrotate
-Source2: fail2ban-tmpfiles.conf
-%if 0%{?fedora} >= 19
-Source3: fail2ban.service
-%endif
 Patch0: fail2ban-0.8.3-init.patch
 Patch1: fail2ban-0.8.7.1-sshd.patch
-# Do not use pam_unix failure messages to ban sshd
-# https://github.com/fail2ban/fail2ban/issues/106
-Patch2: fail2ban-0.8.8-sshd-pam.patch
-# Upstream patch to fix module loading
-# https://github.com/fail2ban/fail2ban/issues/112
-# https://bugzilla.redhat.com/show_bug.cgi?id=892365
-Patch3: fail2ban-import.patch
-# Upstream patch to fix UTF-8 characters in hostnames
-# https://github.com/fail2ban/fail2ban/issues/113
-# https://bugzilla.redhat.com/show_bug.cgi?id=905097
-Patch4: fail2ban-utf8.patch
-Patch6: fail2ban-0.8.3-log2syslog.patch
-Patch7: asyncserver.start_selinux.patch
-Patch8: fail2ban-0.8.7.1-notmp.patch
+Patch6: fail2ban-log2syslog.patch
+Patch8: fail2ban-notmp.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: python-devel >= 2.3
 # For testcases
@@ -60,11 +44,7 @@ and shorewall respectively.
 %setup -q
 %patch0 -p1 -b .init
 %patch1 -p1 -b .sshd
-%patch2 -p1 -b .sshd-pam
-%patch3 -p1 -b .import
-%patch4 -p1 -b .utf8
 %patch6 -p1 -b .log2syslog
-%patch7 -p1 -b .fd_cloexec2
 %patch8 -p1 -b .notmp
 %build
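Review bot: `Patch6` and `Patch8` are left without the kind of explanatory comment the removed `Patch2`–`Patch4` entries carried, and the spec no longer records why `Patch2` (sshd-pam) and `Patch7` (asyncserver.start_selinux) could be dropped; only `Patch3` and `Patch4` were labelled as upstream patches in the removed comments. Both dropped patches touch security-relevant behaviour, namely which sshd log lines lead to a ban and close-on-exec on the server socket, so it is worth confirming that 0.8.10 contains equivalent changes before relying on the "Drop upstreamed patches" line. The matching `%patch2` and `%patch7` removals are in the `@@ -60,11 +44,7 @@` hunk. I would add `# Fedora default: log to syslog` above `Patch6` and `# Keep the control socket out of /tmp` above `Patch8`.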
@@ -75,7 +55,7 @@ rm -rf %{buildroot}
 python setup.py install -O1 --root %{buildroot}
 %if 0%{?fedora} >= 19
 mkdir -p %{buildroot}%{_unitdir}
-cp -p %SOURCE3 %{buildroot}%{_unitdir}/
+cp -p files/fail2ban.service %{buildroot}%{_unitdir}/
 %else
 mkdir -p %{buildroot}%{_initddir}
 install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban
@@ -87,7 +67,9 @@ install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
-install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf
+install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf
+# Remove installed doc, use doc macro instead
+rm -r %{buildroot}%{_docdir}/%{name}
 # Testcases need network access
 #%check
@@ -120,7 +102,7 @@ fi
 %files
 %defattr(-,root,root,-)
-%doc README TODO ChangeLog COPYING
+%doc README.md TODO ChangeLog COPYING doc/*.txt
 #doc config/fail2ban.conf*
 %{_bindir}/fail2ban-server
 %{_bindir}/fail2ban-client
@@ -131,7 +113,7 @@ fi
 %else
 %{_initddir}/fail2ban
 %endif
-%{_mandir}/man1/fail2ban-*.1*
+%{_mandir}/man1/fail2ban*.1*
 %dir %{_sysconfdir}/fail2ban
 %dir %{_sysconfdir}/fail2ban/action.d
 %dir %{_sysconfdir}/fail2ban/filter.d
@@ -145,6 +127,11 @@ fi
 %dir %{_localstatedir}/lib/fail2ban/
 %changelog
+* Wed Jun 12 2013 Orion Poplawski - 0.8.10-1
+- Update to 0.8.10 security release
+- Use upstream provided systemd files
+- Drop upstreamed patches, rebase log2syslog and notmp patches
+
 * Fri Mar 15 2013 Orion Poplawski - 0.8.8-4
 - Use systemd init for Fedora 19+ (bug #883158)
diff --git a/sources b/sources
index 47627bf..72b95f0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-48a7cfa29c30227f0e1361bd3c88ec8e fail2ban_0.8.8.orig.tar.gz
+48327ac0f5938dcc2f82c63728fc8918 fail2ban-0.8.10.tar.gz
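Review bot: In the `@@ -75,7 +55,7 @@` hunk, `cp -p files/fail2ban.service %{buildroot}%{_unitdir}/` installs the systemd unit with whatever mode the file has in the upstream tarball, while the neighbouring lines set modes explicitly with `install -p -m`. I would write `install -p -m 0644 files/fail2ban.service %{buildroot}%{_unitdir}/` so the unit's permissions do not depend on the archive. The `%install` section starts outside this hunk.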
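Review bot: In the `@@ -87,7 +67,9 @@` hunk, switching to upstream's `files/fail2ban-tmpfiles.conf` means the mode and owner that tmpfiles applies to the runtime directory are decided by a file whose content is not visible in this commit, while the spec itself packages `%{_localstatedir}/run/fail2ban/` with `install -d -m 0755`. After the notmp patch that directory holds the control socket and pid file, so the upstream entry should be checked to agree with the packaged one (presumably root-owned and not group- or world-writable). Separately, `rm -r %{buildroot}%{_docdir}/%{name}` will fail the build if a later upstream release stops installing that directory; `rm -rf %{buildroot}%{_docdir}/%{name}` tolerates it.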