Hello community, here is the log from the commit of package fail2ban for openSUSE:Factory checked in at 2015-09-08 17:44:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fail2ban (Old) and /work/SRC/openSUSE:Factory/.fail2ban.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fail2ban" Changes: -------- --- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes 2015-07-03 00:03:49.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.fail2ban.new/fail2ban.changes 2015-09-08 18:05:10.000000000 +0200 
@@ -1,0 +2,92 @@ +Mon Sep 7 09:45:56 UTC 2015 - jweberho...@weberhofer.at + +- patches are no longer included conditionally + +------------------------------------------------------------------- +Mon Sep 7 06:54:33 UTC 2015 - jweberho...@weberhofer.at + +- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the + ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on + openSUSE. + +- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for + older releases. + +- Update to version 0.9.3 + +- IMPORTANT incompatible changes: + * filter.d/roundcube-auth.conf + - Changed logpath to 'errors' log (was 'userlogins') + * action.d/iptables-common.conf + - All calls to iptables command now use -w switch introduced in + iptables 1.4.20 (some distribution could have patched their + earlier base version as well) to provide this locking mechanism + useful under heavy load to avoid contesting on iptables calls. + If you need to disable, define 'action.d/iptables-common.local' + with empty value for 'lockingopt' in `[Init]` section. + * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines + actions now include by default only the first 1000 log lines in + the emails. Adjust <grepopts> to augment the behavior. + +- Fixes: + * reload in interactive mode appends all the jails twice (gh-825) + * reload server/jail failed if database used (but was not changed) and + some jail active (gh-1072) + * filter.d/dovecot.conf - also match unknown user in passwd-file. 
+ Thanks Anton Shestakov + * Fix fail2ban-regex not parsing journalmatch correctly from filter config + * filter.d/asterisk.conf - fix security log support for Asterisk 12+ + * filter.d/roundcube-auth.conf + - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) + - Added regex to work with 'userlogins' log + * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override + locale on systems with customized LC_ALL + * performance fix: minimizes connection overhead, close socket only at + communication end (gh-1099) + * unbanip always deletes ip from database (independent of bantime, also if + currently not banned or persistent) + * guarantee order of dbfile to be before dbpurgeage (gh-1048) + * always set 'dbfile' before other database options (gh-1050) + * kill the entire process group of the child process upon timeout (gh-1129). + Otherwise could lead to resource exhaustion due to hanging whois + processes. + * resolve /var/run/fail2ban path in setup.py to help installation + on platforms with /var/run -> /run symlink (gh-1142) + +- New Features: + * RETURN iptables target is now a variable: <returntype> + * New type of operation: pass2allow, use fail2ban for "knocking", + opening a closed port by swapping blocktype and returntype + * New filters: + - froxlor-auth - Thanks Joern Muehlencord + - apache-pass - filter Apache access log for successful authentication + * New actions: + - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires + manual pre-configuration of the shorewall. See the action file for detail. + * New jails: + - pass2allow-ftp - allows FTP traffic after successful HTTP authentication + +- Enhancements: + * action.d/cloudflare.conf - improved documentation on how to allow + multiple CF accounts, and jail.conf got new compound action + definition action_cf_mwl to submit cloudflare report. 
+ * Check access to socket for more detailed logging on error (gh-595) + * fail2ban-testcases man page + * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add + HEAD method verb + * Revamp of Travis and coverage automated testing + * Added a space between IP address and the following colon + in notification emails for easier text selection + * Character detection heuristics for whois output via optional setting + in mail-whois*.conf. Thanks Thomas Mayer. + Not enabled by default, if _whois_command is set to be + %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local), + it + - detects character set of whois output (which is undefined by + RFC 3912) via heuristics of the file command + - converts whois data to UTF-8 character set with iconv + - sends the whois output in UTF-8 character set to mail program + - avoids that heirloom mailx creates binary attachment for input with + unknown character set + +------------------------------------------------------------------- Old: ---- fail2ban-0.9.2.tar.gz New: ---- fail2ban-0.9.3.tar.gz fail2ban-disable-iptables-w-option.patch fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ --- /var/tmp/diff_new_pack.eQfo51/_old 2015-09-08 18:05:12.000000000 +0200 +++ /var/tmp/diff_new_pack.eQfo51/_new 2015-09-08 18:05:12.000000000 +0200 @@ -17,7 +17,7 @@ Name: fail2ban -Version: 0.9.2 +Version: 0.9.3 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ 
@@ -37,6 +37,12 @@ Patch100: fail2ban-opensuse-locations.patch # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberho...@weberhofer.at -- openSUSE modifications to the service file Patch101: fail2ban-opensuse-service.patch +# PATCH-FIX-OPENSUSE fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch jweberho...@weberhofer.at -- disable test which currently fails on some systems +Patch102: fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch +# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberho...@weberhofer.at -- disable iptables "-w" option for older releases +Patch200: fail2ban-disable-iptables-w-option.patch +# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberho...@weberhofer.at -- remove tests that can't work on opensuse < 13.3 +Patch201: fail2ban-exclude-dev-log-tests.patch BuildRequires: fdupes BuildRequires: logrotate BuildRequires: python-devel @@ -49,10 +55,6 @@ Requires: python >= 2.5 Requires: whois BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if 0%{?suse_version} < 1321 -# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberho...@weberhofer.at -- remove tests that can't work on opensuse < 13.3 -Patch102: fail2ban-exclude-dev-log-tests.patch -%endif %if 0%{?suse_version} != 1110 BuildArch: noarch %endif @@ -123,8 +125,12 @@ %patch100 -p1 %patch101 -p1 -%if 0%{?suse_version} < 1321 %patch102 -p1 +%if 0%{?suse_version} < 1310 +%patch200 -p1 +%endif +%if 0%{?suse_version} < 1321 +%patch201 -p1 %endif rm config/paths-debian.conf \ ++++++ fail2ban-0.9.2.tar.gz -> fail2ban-0.9.3.tar.gz ++++++ ++++ 4309 lines of diff (skipped) ++++++ fail2ban-disable-iptables-w-option.patch ++++++ diff -ur fail2ban-0.9.3-orig/config/action.d/iptables-common.conf fail2ban-0.9.3/config/action.d/iptables-common.conf --- fail2ban-0.9.3-orig/config/action.d/iptables-common.conf 2015-08-01 03:32:13.000000000 +0200 +++ fail2ban-0.9.3/config/action.d/iptables-common.conf 2015-08-26 13:35:33.542992089 +0200 
@@ -55,8 +55,10 @@ # running concurrently and causing irratic behavior. -w was introduced # in iptables 1.4.20, so might be absent on older systems # See https://github.com/fail2ban/fail2ban/issues/1122 +# The default option "-w" can be used for openSUSE versions 13.2+ and +# for updated versions of openSUSE 13.1; SLE 12 supports this option. # Values: STRING -lockingopt = -w +lockingopt = # Option: iptables # Notes.: Actual command to be executed, including common to all calls options ++++++ fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch ++++++ diff -ur fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py --- fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py 2015-08-01 03:32:13.000000000 +0200 +++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py 2015-09-07 08:37:30.842249270 +0200 
@@ -204,44 +204,44 @@ or self._is_logged('sleep 60 -- timed out after 3 seconds')) self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM')) - def testExecuteTimeoutWithNastyChildren(self): - # temporary file for a nasty kid shell script - tmpFilename = tempfile.mktemp(".sh", "fail2ban_") - # Create a nasty script which would hang there for a while - with open(tmpFilename, 'w') as f: - f.write("""#!/bin/bash - trap : HUP EXIT TERM - - echo "$$" > %s.pid - echo "my pid $$ . sleeping lo-o-o-ong" - sleep 10000 - """ % tmpFilename) - - def getnastypid(): - with open(tmpFilename + '.pid') as f: - return int(f.read()) - - # First test if can kill the bastard - self.assertRaises( - RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1) - # Verify that the proccess itself got killed - self.assertFalse(pid_exists(getnastypid())) # process should have been killed - self.assertTrue(self._is_logged('timed out')) - self.assertTrue(self._is_logged('killed with SIGTERM')) - - # A bit evolved case even though, previous test already tests killing children processes - self.assertRaises( - RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename, - timeout=.2) - # Verify that the proccess itself got killed - self.assertFalse(pid_exists(getnastypid())) - self.assertTrue(self._is_logged('timed out')) - self.assertTrue(self._is_logged('killed with SIGTERM')) - - os.unlink(tmpFilename) - os.unlink(tmpFilename + '.pid') - - +# def testExecuteTimeoutWithNastyChildren(self): +# # temporary file for a nasty kid shell script +# tmpFilename = tempfile.mktemp(".sh", "fail2ban_") +# # Create a nasty script which would hang there for a while +# with open(tmpFilename, 'w') as f: +# f.write("""#!/bin/bash +# trap : HUP EXIT TERM +# +# echo "$$" > %s.pid +# echo "my pid $$ . 
sleeping lo-o-o-ong" +# sleep 10000 +# """ % tmpFilename) +# +# def getnastypid(): +# with open(tmpFilename + '.pid') as f: +# return int(f.read()) +# +# # First test if can kill the bastard +# self.assertRaises( +# RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1) +# # Verify that the proccess itself got killed +# self.assertFalse(pid_exists(getnastypid())) # process should have been killed +# self.assertTrue(self._is_logged('timed out')) +# self.assertTrue(self._is_logged('killed with SIGTERM')) +# +# # A bit evolved case even though, previous test already tests killing children processes +# self.assertRaises( +# RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename, +# timeout=.2) +# # Verify that the proccess itself got killed +# self.assertFalse(pid_exists(getnastypid())) +# self.assertTrue(self._is_logged('timed out')) +# self.assertTrue(self._is_logged('killed with SIGTERM')) +# +# os.unlink(tmpFilename) +# os.unlink(tmpFilename + '.pid') +# +# def testCaptureStdOutErr(self): CommandAction.executeCmd('echo "How now brown cow"') self.assertTrue(self._is_logged("'How now brown cow\\n'")) ++++++ fail2ban-opensuse-locations.patch ++++++ --- /var/tmp/diff_new_pack.eQfo51/_old 2015-09-08 18:05:12.000000000 +0200 +++ /var/tmp/diff_new_pack.eQfo51/_new 2015-09-08 18:05:12.000000000 +0200 
@@ -1,16 +1,16 @@ -diff -ur fail2ban-0.9.2-orig/config/jail.conf fail2ban-0.9.2/config/jail.conf ---- fail2ban-0.9.2-orig/config/jail.conf 2015-04-29 05:52:48.000000000 +0200 -+++ fail2ban-0.9.2/config/jail.conf 2015-05-08 17:03:32.377375630 +0200 -@@ -344,7 +344,7 @@ +diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf +--- fail2ban-0.9.3-orig/config/jail.conf 2015-08-01 03:32:13.000000000 +0200 ++++ fail2ban-0.9.3/config/jail.conf 2015-08-26 14:39:57.561851833 +0200 +@@ -348,7 +348,7 @@ [roundcube-auth] port = http,https --logpath = /var/log/roundcube/userlogins -+logpath = /srv/www/roundcubemail/logs/errors +-logpath = logpath = %(roundcube_errors_log)s ++logpath = %(roundcube_errors_log)s [openwebmail] -@@ -617,7 +617,7 @@ +@@ -628,7 +628,7 @@ # filter = named-refused # port = domain,953 # protocol = udp @@ -19,7 +19,7 @@ # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. -@@ -625,7 +625,7 @@ +@@ -636,7 +636,7 @@ [named-refused] port = domain,953 @@ -28,3 +28,15 @@ [nsd] +diff -ur fail2ban-0.9.3-orig/config/paths-common.conf fail2ban-0.9.3/config/paths-common.conf +--- fail2ban-0.9.3-orig/config/paths-common.conf 2015-08-01 03:32:13.000000000 +0200 ++++ fail2ban-0.9.3/config/paths-common.conf 2015-08-26 14:40:58.187091888 +0200 +@@ -62,7 +62,7 @@ + + mysql_log = %(syslog_daemon)s + +-roundcube_errors_log = /var/log/roundcube/errors ++roundcube_errors_log = /srv/www/roundcubemail/logs/errors + + # Directory with ignorecommand scripts + ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands ++++++ paths-opensuse.conf ++++++ --- /var/tmp/diff_new_pack.eQfo51/_old 2015-09-08 18:05:13.000000000 +0200 +++ /var/tmp/diff_new_pack.eQfo51/_new 2015-09-08 18:05:13.000000000 +0200 @@ -33,4 +33,6 @@ mysql_log = /var/log/mysql/mysqld.log +roundcube_errors_log = /srv/www/roundcubemail/logs/errors + solidpop3d_log = %(syslog_mail)s
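Review bot: in fail2ban.spec, hunk `@@ -123,8 +125,12 @@`, the guard `%if 0%{?suse_version} < 1310` around `%patch200 -p1` leaves out openSUSE 13.1 itself (suse_version 1310). The comment added by fail2ban-disable-iptables-w-option.patch says "-w" works only on *updated* 13.1 systems, so a 13.1 host with the original iptables keeps `lockingopt = -w`, and its ban actions would call iptables with an option that the same file says "might be absent on older systems". Either extend the condition to `<= 1310` or state in the changelog that 13.1 is assumed to carry the updated iptables.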
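Review bot: in fail2ban-disable-iptables-w-option.patch (config/action.d/iptables-common.conf, hunk `@@ -55,8 +55,10 @@`), the added comment speaks of 'The default option "-w"' directly above `lockingopt =`, which this patch has just made empty, so the installed file contradicts itself. Reword it to say that locking is disabled in this build. An empty value also brings back the concurrent-iptables behaviour described in the context lines above it, so the comment should tell administrators whose iptables supports the switch to set `lockingopt = -w` in action.d/iptables-common.local.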
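Review bot: fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch (fail2ban/tests/actiontestcase.py, hunk `@@ -204,44 +204,44 @@`) is applied unconditionally as `%patch102 -p1`, although the spec comment says the test "currently fails on some systems". The disabled test is the one that checks the timed-out child and its descendants are really killed, which is the behaviour behind the gh-1129 fix listed in the changelog (hanging whois processes leading to resource exhaustion), so that fix is left unverified on every build target. Apply the patch only where the test fails, as is done for patch200 and patch201. Commenting out forty lines in place also leaves no reason in the source file and will conflict on the next upstream change to the test; a single comment line naming the failure, together with a smaller change, would be easier to maintain.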
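Review bot: the roundcube log path `/srv/www/roundcubemail/logs/errors` is now set twice, once by patching `roundcube_errors_log` in config/paths-common.conf (new hunk `@@ -62,7 +62,7 @@` in fail2ban-opensuse-locations.patch) and once by the line added to paths-opensuse.conf. Keep the distribution override in paths-opensuse.conf and drop the paths-common.conf hunk; that leaves the locations patch smaller and the upstream default untouched. The changelog entry should also mention the jail.conf correction in the same patch, where `logpath = logpath = %(roundcube_errors_log)s` becomes `logpath = %(roundcube_errors_log)s`, since it changes the behaviour of the roundcube-auth jail.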