Hello community,

here is the log from the commit of package fail2ban for openSUSE:Factory 
checked in at 2020-12-05 20:51:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fail2ban (Old)
 and      /work/SRC/openSUSE:Factory/.fail2ban.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban"

Sat Dec  5 20:51:30 2020 rev:60 rq:853311 version:0.11.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes        2020-08-20 
22:35:41.184173674 +0200
+++ /work/SRC/openSUSE:Factory/.fail2ban.new.5913/fail2ban.changes      
2020-12-05 20:51:33.663576641 +0100
@@ -1,0 +2,78 @@
+Sat Dec  5 17:25:17 UTC 2020 - Johannes Weberhofer <jweberho...@weberhofer.at>
+
+- Integrate change to resolve bnc#1146856
+
+-------------------------------------------------------------------
+Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberho...@weberhofer.at>
+
+- Update to 0.11.2
+  increased stability, filter and action updates
+  
+- New Features and Enhancements
+  * fail2ban-regex:
+    - speedup formatted output (bypass unneeded stats creation)
+    - extended with prefregex statistic
+    - more informative output for `datepattern` (e. g. set from filter) - 
pattern : description
+  * parsing of action in jail-configs considers space between action-names as 
separator also
+  (previously only new-line was allowed), for example `action = a b` would 
specify 2 actions `a` and `b`
+  * new filter and jail for GitLab recognizing failed application logins 
(gh#fail2ban/fail2ban#2689)
+  * new filter and jail for Grafana recognizing failed application logins 
(gh#fail2ban/fail2ban#2855)
+  * new filter and jail for SoftEtherVPN recognizing failed application logins 
(gh#fail2ban/fail2ban#2723)
+  * `filter.d/guacamole.conf` extended with `logging` parameter to follow 
webapp-logging if it's configured 
+    (gh#fail2ban/fail2ban#2631)
+  * `filter.d/bitwarden.conf` enhanced to support syslog 
(gh#fail2ban/fail2ban#2778)
+  * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries 
in regex;
+  * datetemplate: improved anchor detection for capturing groups `(^...)`;
+  * datepattern: improved handling with wrong recognized timestamps 
(timezones, no datepattern, etc)
+  as well as some warnings signaling user about invalid pattern or zone 
(gh#fail2ban/fail2ban#2814):
+    - filter gets mode in-operation, which gets activated if filter starts 
processing of new messages;
+      in this mode a timestamp read from log-line that appeared recently (not 
an old line), deviating too much
+      from now (up too 24h), will be considered as now (assuming a timezone 
issue), so could avoid unexpected 
+      bypass of failure (previously exceeding `findtime`);
+    - better interaction with non-matching optional datepattern or invalid 
timestamps;
+    - implements special datepattern `{NONE}` - allow to find failures totally 
without date-time in log messages,
+    whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802)
+  * performance optimization of `datepattern` (better search algorithm in 
datedetector, especially for single template);
+  * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or 
hostname (DNS), gh#fail2ban/fail2ban#2791;
+  * extended capturing of alternate tags in filter, allowing combine of 
multiple groups to single tuple token with new tag
+    prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of 
`<F-TUPLE_V?_n?>` tags (gh#fail2ban/fail2ban#2755)
+
+- Fixes
+  * [stability] prevent race condition - no ban if filter (backend) is 
continuously busy if
+    too many messages will be found in log, e. g. initial scan of large 
log-file or journal (gh#fail2ban/fail2ban#2660)
+  * pyinotify-backend sporadically avoided initial scanning of log-file by 
start
+  * python 3.9 compatibility (and Travis CI support)
+  * restoring a large number (500+ depending on files ulimit) of current bans 
when using PyPy fixed
+  * manual ban is written to database, so can be restored by restart 
(gh#fail2ban/fail2ban#2647)
+  * `jail.conf`: don't specify `action` directly in jails (use `action_` or 
`banaction` instead)
+  * no mails-action added per default anymore (e. g. to allow that `action = 
%(action_mw)s` should be specified
+    per jail or in default section in jail.local), closes 
gh#fail2ban/fail2ban#2357
+  * ensure we've unique action name per jail (also if parameter `actname` is 
not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
+  * don't use `%(banaction)s` interpolation because it can be complex value 
(containing `[...]` and/or quotes), 
+    so would bother the action interpolation
+  * fixed type conversion in config readers (take place after all 
interpolations get ready), that allows to 
+    specify typed parameters variable (as substitutions) as well as to supply 
it in other sections or as init parameters.
+  * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per 
default anymore), so no discrepancy
+    between ipset and fail2ban (removal from ipset will be managed by fail2ban 
only, gh#fail2ban/fail2ban#2703)
+  * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line 
chars and optionally real json-parsing
+   with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656)
+  * `action.d/nftables.conf` (type=multiport only): fixed port range selector, 
replacing `:` with `-` (gh#fail2ban/fail2ban#2763)
+  * `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, 
replacing `:` with `-` (gh#fail2ban/fail2ban#2821)
+  * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or 
initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
+  * `filter.d/common.conf`: avoid substitute of default values in related 
`lt_*` section, `__prefix_line`
+    should be interpolated in definition section (inside the filter-config, 
gh#fail2ban/fail2ban#2650)
+  * `filter.d/dovecot.conf`: 
+    - add managesieve and submission support (gh#fail2ban/fail2ban#2795);
+    - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
+  * `filter.d/courier-smtp.conf`: prefregex extended to consider port in 
log-message (gh#fail2ban/fail2ban#2697)
+  * `filter.d/traefik-auth.conf`: filter extended with parameter mode 
(`normal`, `ddos`, `aggressive`) to handle 
+    the match of username differently (gh#fail2ban/fail2ban#2693):
+    - `normal`: matches 401 with supplied username only
+    - `ddos`: matches 401 without supplied username only
+    - `aggressive`: matches 401 and any variant (with and without username)
+  * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing 
empty user (gh#fail2ban/fail2ban#2749)
+  
+- Rebased patches
+- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch
+
+-------------------------------------------------------------------
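Review bot: The newest entry, "Integrate change to resolve bnc#1146856", does not say which file or patch carries that change, and "Rebased patches" names none either, so a reader of the .changes file cannot map the bug reference to a diff. Name the patch or file touched in each entry, the way the removed-patch line already does for fail2ban-0.10.4-upstream-pid-file-location.patch.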

Old:
----
  fail2ban-0.10.4-upstream-pid-file-location.patch
  fail2ban-0.11.1.tar.gz
  fail2ban-0.11.1.tar.gz.asc

New:
----
  fail2ban-0.11.2.tar.gz
  fail2ban-0.11.2.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fail2ban.spec ++++++
--- /var/tmp/diff_new_pack.Jknasu/_old  2020-12-05 20:51:34.483577428 +0100
+++ /var/tmp/diff_new_pack.Jknasu/_new  2020-12-05 20:51:34.487577432 +0100
@@ -22,13 +22,13 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           fail2ban
-Version:        0.11.1
+Version:        0.11.2
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            http://www.fail2ban.org/
-Source0:        
https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz
+Source0:        
https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        
https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 Source2:        %{name}.sysconfig
 Source3:        %{name}.logrotate
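Review bot: Source0 now points at the auto-generated `archive/%{version}.tar.gz` tarball while Source1 still takes the `.asc` from `releases/download/%{version}/`, and nothing in this hunk shows a keyring source or a verification step tying the two together. Confirm that the detached signature actually validates the archive tarball being packaged, and consider switching `URL: http://www.fail2ban.org/` to https while these lines are being touched.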
@@ -47,8 +47,6 @@
 Patch200:       %{name}-disable-iptables-w-option.patch
 # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch 
jweberho...@weberhofer.at -- use exact path to define interpretor
 Patch201:       %{name}-0.10.4-env-script-interpreter.patch
-# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch 
boo#1145181 jweberho...@weberhofer.at -- changed fail2ban pid file location 
(gh#fail2ban/fail2ban#2474)
-Patch202:       %{name}-0.10.4-upstream-pid-file-location.patch
 # PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch 
jweberho...@weberhofer.at -- start after SuSEfirewall2 only for older 
distributions
 Patch300:       fail2ban-opensuse-service-sfw.patch
 BuildRequires:  fdupes
@@ -126,13 +124,12 @@
 # Use openSUSE paths
 sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
 
-%patch100
+%patch100 -p1
 %patch101 -p1
 %if 0%{?suse_version} < 1310
 %patch200 -p1
 %endif
 %patch201 -p1
-%patch202 -p1
 %if !0%{?suse_version} > 1500
 %patch300 -p1
 %endif
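Review bot: The unchanged guard `%if !0%{?suse_version} > 1500` around `%patch300 -p1` looks wrong: `!` binds to `0%{?suse_version}` before the comparison, so the left side is 0 or 1 and the test is never true, which means the SuSEfirewall2 ordering patch is never applied. If the intent is "older distributions only", as the Patch300 comment says, write it as `%if 0%{?suse_version} <= 1500`. The switch of `%patch100` to `-p1` matches the new directory-prefixed paths in fail2ban-opensuse-locations.patch.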

++++++ fail2ban-0.11.1.tar.gz -> fail2ban-0.11.2.tar.gz ++++++
++++ 7385 lines of diff (skipped)

++++++ fail2ban-opensuse-locations.patch ++++++
--- /var/tmp/diff_new_pack.Jknasu/_old  2020-12-05 20:51:34.739577674 +0100
+++ /var/tmp/diff_new_pack.Jknasu/_new  2020-12-05 20:51:34.739577674 +0100
@@ -1,8 +1,7 @@
-Index: config/jail.conf
-===================================================================
---- config/jail.conf.orig
-+++ config/jail.conf
-@@ -688,7 +688,7 @@ backend = %(syslog_backend)s
+diff -ur fail2ban-0.11.2-orig/config/jail.conf fail2ban-0.11.2/config/jail.conf
+--- fail2ban-0.11.2-orig/config/jail.conf      2020-11-23 21:43:03.000000000 
+0100
++++ fail2ban-0.11.2/config/jail.conf   2020-11-29 10:14:13.229200191 +0100
+@@ -731,7 +731,7 @@
  # filter   = named-refused
  # port     = domain,953
  # protocol = udp
@@ -11,7 +10,7 @@
  
  # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  # This jail blocks TCP traffic for DNS requests.
-@@ -696,7 +696,7 @@ backend = %(syslog_backend)s
+@@ -739,7 +739,7 @@
  [named-refused]
  
  port     = domain,953
@@ -20,11 +19,11 @@
  
  
  [nsd]
-Index: config/paths-common.conf
-===================================================================
---- config/paths-common.conf.orig
-+++ config/paths-common.conf
-@@ -90,7 +90,7 @@ solidpop3d_log = %(syslog_local0)s
+Nur in fail2ban-0.11.2/config: jail.conf.orig.
+diff -ur fail2ban-0.11.2-orig/config/paths-common.conf 
fail2ban-0.11.2/config/paths-common.conf
+--- fail2ban-0.11.2-orig/config/paths-common.conf      2020-11-23 
21:43:03.000000000 +0100
++++ fail2ban-0.11.2/config/paths-common.conf   2020-11-29 10:14:13.237200352 
+0100
+@@ -90,7 +90,7 @@
  mysql_log = %(syslog_daemon)s
  mysql_backend = %(default_backend)s
  
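Review bot: The regenerated patch now carries the line `Nur in fail2ban-0.11.2/config: jail.conf.orig.`, which is localized `diff -ur` output about a leftover backup file and not part of the change. patch(1) skips it as garbage, but it is noise in the package source; regenerate with `LC_ALL=C` and exclude backups (for example `diff -ur -x '*.orig'`), or trim the line by hand.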

++++++ fail2ban-opensuse-service.patch ++++++
--- /var/tmp/diff_new_pack.Jknasu/_old  2020-12-05 20:51:34.751577686 +0100
+++ /var/tmp/diff_new_pack.Jknasu/_new  2020-12-05 20:51:34.751577686 +0100
@@ -1,23 +1,27 @@
---- a/files/fail2ban.service.in        2020-01-11 11:01:00.000000000 +0100
-+++ b/files/fail2ban.service.in        2020-05-21 09:48:12.049645909 +0200
-@@ -6,13 +6,14 @@
+diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in 
fail2ban-0.11.2/files/fail2ban.service.in
+--- fail2ban-0.11.2-orig/files/fail2ban.service.in     2020-11-23 
21:43:03.000000000 +0100
++++ fail2ban-0.11.2/files/fail2ban.service.in  2020-12-05 18:22:01.503018894 
+0100
+@@ -2,17 +2,18 @@
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+ After=network.target iptables.service firewalld.service ip6tables.service 
ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service 
nftables.service
++PartOf=firewalld.service ipset.service nftables.service
  
  [Service]
  Type=simple
--ExecStartPre=/bin/mkdir -p /run/fail2ban
--ExecStart=@BINDIR@/fail2ban-server -xf start
 +EnvironmentFile=-/etc/sysconfig/fail2ban
-+ExecStartPre=/bin/mkdir -p /var/run/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
 +ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
  # if should be logged in systemd journal, use following line or set logtarget 
to sysout in fail2ban.local
 -# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
 -ExecStop=@BINDIR@/fail2ban-client stop
 -ExecReload=@BINDIR@/fail2ban-client reload
--PIDFile=/run/fail2ban/fail2ban.pid
 +# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
 +ExecStop=/usr/bin/fail2ban-client stop
 +ExecReload=/usr/bin/fail2ban-client reload
-+PIDFile=/var/run/fail2ban/fail2ban.pid
+ PIDFile=/run/fail2ban/fail2ban.pid
  Restart=on-failure
  RestartPreventExitStatus=0 255
- 
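Review bot: The new `PartOf=firewalld.service ipset.service nftables.service` line drops iptables.service and ip6tables.service while `After=` still lists both, and neither the patch nor the changelog says why. With this change a restart of iptables.service no longer propagates to fail2ban, so if that unit reloads its ruleset the fail2ban chains can be gone while the daemon keeps running; add a header comment to the patch stating the reason (and the bug number, if this is the bnc#1146856 change). The `ExecStart`, `ExecStop` and `ExecReload` lines also hard-code /usr/bin in place of `@BINDIR@`, which is worth a word in the same comment.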