Hello community,

here is the log from the commit of package fail2ban for openSUSE:Factory checked in at 2020-12-05 20:51:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fail2ban (Old)
and /work/SRC/openSUSE:Factory/.fail2ban.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fail2ban" Sat Dec 5 20:51:30 2020 rev:60 rq:853311 version:0.11.2 Changes: -------- --- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes 2020-08-20 22:35:41.184173674 +0200 +++ /work/SRC/openSUSE:Factory/.fail2ban.new.5913/fail2ban.changes 2020-12-05 20:51:33.663576641 +0100 
@@ -1,0 +2,78 @@ +Sat Dec 5 17:25:17 UTC 2020 - Johannes Weberhofer <jweberho...@weberhofer.at> + +- Integrate change to resolve bnc#1146856 + +------------------------------------------------------------------- +Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberho...@weberhofer.at> + +- Update to 0.11.2 + increased stability, filter and action updates + +- New Features and Enhancements + * fail2ban-regex: + - speedup formatted output (bypass unneeded stats creation) + - extended with prefregex statistic + - more informative output for `datepattern` (e. g. set from filter) - pattern : description + * parsing of action in jail-configs considers space between action-names as separator also + (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b` + * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689) + * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855) + * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723) + * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured + (gh#fail2ban/fail2ban#2631) + * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778) + * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; + * datetemplate: improved anchor detection for capturing groups `(^...)`; + * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) + as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814): + - filter gets mode in-operation, which gets activated if filter starts processing of new messages; + in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much + from now (up too 24h), will be considered as now (assuming a timezone issue), so 
could avoid unexpected + bypass of failure (previously exceeding `findtime`); + - better interaction with non-matching optional datepattern or invalid timestamps; + - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages, + whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802) + * performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template); + * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh#fail2ban/fail2ban#2791; + * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag + prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh#fail2ban/fail2ban#2755) + +- Fixes + * [stability] prevent race condition - no ban if filter (backend) is continuously busy if + too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660) + * pyinotify-backend sporadically avoided initial scanning of log-file by start + * python 3.9 compatibility (and Travis CI support) + * restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed + * manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647) + * `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead) + * no mails-action added per default anymore (e. g. 
to allow that `action = %(action_mw)s` should be specified + per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357 + * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686) + * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), + so would bother the action interpolation + * fixed type conversion in config readers (take place after all interpolations get ready), that allows to + specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters. + * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy + between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703) + * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing + with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656) + * `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763) + * `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821) + * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836) + * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line` + should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650) + * `filter.d/dovecot.conf`: + - add managesieve and submission support (gh#fail2ban/fail2ban#2795); + - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573); + * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697) + * `filter.d/traefik-auth.conf`: filter 
extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle + the match of username differently (gh#fail2ban/fail2ban#2693): + - `normal`: matches 401 with supplied username only + - `ddos`: matches 401 without supplied username only + - `aggressive`: matches 401 and any variant (with and without username) + * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749) + +- Rebased patches +- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch + +------------------------------------------------------------------- Old: ---- fail2ban-0.10.4-upstream-pid-file-location.patch fail2ban-0.11.1.tar.gz fail2ban-0.11.1.tar.gz.asc New: ---- fail2ban-0.11.2.tar.gz fail2ban-0.11.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ --- /var/tmp/diff_new_pack.Jknasu/_old 2020-12-05 20:51:34.483577428 +0100 +++ /var/tmp/diff_new_pack.Jknasu/_new 2020-12-05 20:51:34.487577432 +0100 @@ -22,13 +22,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: fail2ban -Version: 0.11.1 +Version: 0.11.2 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0-or-later Group: Productivity/Networking/Security URL: http://www.fail2ban.org/ -Source0: https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc Source2: %{name}.sysconfig Source3: %{name}.logrotate 
@@ -47,8 +47,6 @@ Patch200: %{name}-disable-iptables-w-option.patch # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberho...@weberhofer.at -- use exact path to define interpretor Patch201: %{name}-0.10.4-env-script-interpreter.patch -# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 jweberho...@weberhofer.at -- changed fail2ban pid file location (gh#fail2ban/fail2ban#2474) -Patch202: %{name}-0.10.4-upstream-pid-file-location.patch # PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberho...@weberhofer.at -- start after SuSEfirewall2 only for older distributions Patch300: fail2ban-opensuse-service-sfw.patch BuildRequires: fdupes @@ -126,13 +124,12 @@ # Use openSUSE paths sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf -%patch100 +%patch100 -p1 %patch101 -p1 %if 0%{?suse_version} < 1310 %patch200 -p1 %endif %patch201 -p1 -%patch202 -p1 %if !0%{?suse_version} > 1500 %patch300 -p1 %endif ++++++ fail2ban-0.11.1.tar.gz -> fail2ban-0.11.2.tar.gz ++++++ ++++ 7385 lines of diff (skipped) ++++++ fail2ban-opensuse-locations.patch ++++++ --- /var/tmp/diff_new_pack.Jknasu/_old 2020-12-05 20:51:34.739577674 +0100 +++ /var/tmp/diff_new_pack.Jknasu/_new 2020-12-05 20:51:34.739577674 +0100 @@ -1,8 +1,7 @@ -Index: config/jail.conf -=================================================================== ---- config/jail.conf.orig -+++ config/jail.conf -@@ -688,7 +688,7 @@ backend = %(syslog_backend)s +diff -ur fail2ban-0.11.2-orig/config/jail.conf fail2ban-0.11.2/config/jail.conf +--- fail2ban-0.11.2-orig/config/jail.conf 2020-11-23 21:43:03.000000000 +0100 ++++ fail2ban-0.11.2/config/jail.conf 2020-11-29 10:14:13.229200191 +0100 +@@ -731,7 +731,7 @@ # filter = named-refused # port = domain,953 # protocol = udp 
@@ -11,7 +10,7 @@ # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. -@@ -696,7 +696,7 @@ backend = %(syslog_backend)s +@@ -739,7 +739,7 @@ [named-refused] port = domain,953 @@ -20,11 +19,11 @@ [nsd] -Index: config/paths-common.conf -=================================================================== ---- config/paths-common.conf.orig -+++ config/paths-common.conf -@@ -90,7 +90,7 @@ solidpop3d_log = %(syslog_local0)s +Nur in fail2ban-0.11.2/config: jail.conf.orig. +diff -ur fail2ban-0.11.2-orig/config/paths-common.conf fail2ban-0.11.2/config/paths-common.conf +--- fail2ban-0.11.2-orig/config/paths-common.conf 2020-11-23 21:43:03.000000000 +0100 ++++ fail2ban-0.11.2/config/paths-common.conf 2020-11-29 10:14:13.237200352 +0100 +@@ -90,7 +90,7 @@ mysql_log = %(syslog_daemon)s mysql_backend = %(default_backend)s ++++++ fail2ban-opensuse-service.patch ++++++ --- /var/tmp/diff_new_pack.Jknasu/_old 2020-12-05 20:51:34.751577686 +0100 +++ /var/tmp/diff_new_pack.Jknasu/_new 2020-12-05 20:51:34.751577686 +0100 
@@ -1,23 +1,27 @@ ---- a/files/fail2ban.service.in 2020-01-11 11:01:00.000000000 +0100 -+++ b/files/fail2ban.service.in 2020-05-21 09:48:12.049645909 +0200 -@@ -6,13 +6,14 @@ +diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in +--- fail2ban-0.11.2-orig/files/fail2ban.service.in 2020-11-23 21:43:03.000000000 +0100 ++++ fail2ban-0.11.2/files/fail2ban.service.in 2020-12-05 18:22:01.503018894 +0100 +@@ -2,17 +2,18 @@ + Description=Fail2Ban Service + Documentation=man:fail2ban(1) + After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service +-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service ++PartOf=firewalld.service ipset.service nftables.service [Service] Type=simple --ExecStartPre=/bin/mkdir -p /run/fail2ban --ExecStart=@BINDIR@/fail2ban-server -xf start +EnvironmentFile=-/etc/sysconfig/fail2ban -+ExecStartPre=/bin/mkdir -p /var/run/fail2ban + Environment="PYTHONNOUSERSITE=1" + ExecStartPre=/bin/mkdir -p /run/fail2ban +-ExecStart=@BINDIR@/fail2ban-server -xf start +ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local -# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start -ExecStop=@BINDIR@/fail2ban-client stop -ExecReload=@BINDIR@/fail2ban-client reload --PIDFile=/run/fail2ban/fail2ban.pid +# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start +ExecStop=/usr/bin/fail2ban-client stop +ExecReload=/usr/bin/fail2ban-client reload -+PIDFile=/var/run/fail2ban/fail2ban.pid + PIDFile=/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 - _______________________________________________ openSUSE Commits mailing list -- commit@lists.opensuse.org To unsubscribe, email commit-le...@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: 
https://lists.opensuse.org/archives/list/commit@lists.opensuse.org
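
Review bot: The top entry of the fail2ban.changes hunk, `- Integrate change to resolve bnc#1146856`, gives only the bug number and not what was changed. In the same commit the fail2ban-opensuse-service.patch diff narrows `PartOf=` and no longer rewrites `ExecStartPre`/`PIDFile` to /var/run/fail2ban, and the 0.11.2 entry files all of that under `- Rebased patches`. Suggest naming the file and the setting that resolves the bug in the entry, so an admin reading the changelog can tell that the unit's behaviour changed and not only the patch offsets.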
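
Review bot: In the fail2ban.spec header hunk (`@@ -22,13 +22,13 @@`), `Source0` now points at `archive/%{version}.tar.gz` while `Source1`, the `.asc`, is still taken from `releases/download/%{version}/`. A detached signature only validates the exact bytes it was made over, so please confirm that the .asc verifies against the tarball fetched through the new Source0 URL, and note in the spec which key it is checked with.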
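
Review bot: In the %prep hunk of fail2ban.spec (`@@ -126,13 +124,12 @@`), the context line `%if !0%{?suse_version} > 1500` guarding `%patch300 -p1` looks wrong: in RPM expressions the `!` applies to `0%{?suse_version}` first, giving 0 or 1, and that is never greater than 1500, so the block is skipped on every distribution. The Patch300 comment says the patch is meant for older distributions only; `%if 0%{?suse_version} <= 1500` (or whichever cutoff is intended) expresses that. Worth fixing while this section is being touched, since it decides whether fail2ban-opensuse-service-sfw.patch is applied at all.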
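
Review bot: The regenerated fail2ban-opensuse-locations.patch contains the line `Nur in fail2ban-0.11.2/config: jail.conf.orig.`, which is localized `diff -ur` output about a leftover backup file and not patch content. Suggest removing jail.conf.orig from the working tree and regenerating with `LC_ALL=C` (or deleting that line) so the patch consists only of the two file diffs. The header style also changed from the `Index:` form to `diff -ur` with a directory prefix, which is what makes `%patch100 -p1` necessary in the spec; a short comment there would save the next maintainer the lookup.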
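
Review bot: In the fail2ban.service.in hunk of fail2ban-opensuse-service.patch, the new `PartOf=firewalld.service ipset.service nftables.service` drops iptables.service and ip6tables.service while `After=` still lists both. With that, a restart of either unit is no longer propagated to fail2ban, so if such a restart reloads the rule set, the fail2ban chains and current bans are gone from the firewall until fail2ban itself is restarted. Please add a line to the patch header saying why the two units were removed, or keep them if they can exist on the target distributions.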