author | Alex Legler <a3li@gentoo.org> | 2009-08-23 21:04:48 +0000 |
---|---|---|
committer | Alex Legler <a3li@gentoo.org> | 2009-08-23 21:04:48 +0000 |
commit | 692ee3fb961a49b085e5360bb051ef1390011619 (patch) | |
tree | 2e5b7bd8104e9b84243093325f8c3fe9305df7c1 /net-analyzer | |
parent | Readding 0.4.2 to satisfy a dependency of dev-ruby/nitro (diff) | |
Non-maintainer commit: Revbump to fix security bug 258866. Removing unneeded vulnerable versions.
(Portage version: 2.2_rc33/cvs/Linux x86_64)
Diffstat (limited to 'net-analyzer')
-rw-r--r-- | net-analyzer/fail2ban/ChangeLog | 10 | ||||
-rw-r--r-- | net-analyzer/fail2ban/fail2ban-0.8.1.ebuild | 61 | ||||
-rw-r--r-- | net-analyzer/fail2ban/fail2ban-0.8.3-r1.ebuild (renamed from net-analyzer/fail2ban/fail2ban-0.8.2.ebuild) | 11 | ||||
-rw-r--r-- | net-analyzer/fail2ban/fail2ban-0.8.3.ebuild | 56 | ||||
-rw-r--r-- | net-analyzer/fail2ban/files/fail2ban-CVE-2009-0362.patch | 277 |
5 files changed, 295 insertions, 120 deletions
diff --git a/net-analyzer/fail2ban/ChangeLog b/net-analyzer/fail2ban/ChangeLog index acb1cf9ae579..957402f7bd39 100644 --- a/net-analyzer/fail2ban/ChangeLog +++ b/net-analyzer/fail2ban/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-analyzer/fail2ban # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-analyzer/fail2ban/ChangeLog,v 1.46 2009/06/01 19:48:27 pva Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-analyzer/fail2ban/ChangeLog,v 1.47 2009/08/23 21:04:47 a3li Exp $ + +*fail2ban-0.8.3-r1 (23 Aug 2009) + + 23 Aug 2009; Alex Legler <a3li@gentoo.org> -fail2ban-0.8.1.ebuild, + -fail2ban-0.8.2.ebuild, -fail2ban-0.8.3.ebuild, +fail2ban-0.8.3-r1.ebuild, + +files/fail2ban-CVE-2009-0362.patch: + Non-maintainer commit: Revbump to fix security bug 258866. Removing + unneeded vulnerable versions. 01 Jun 2009; Peter Volkov <pva@gentoo.org> -fail2ban-0.6.2-r1.ebuild: Removed vulnerable version, bug #271687, thank Robert Buchholz for report. diff --git a/net-analyzer/fail2ban/fail2ban-0.8.1.ebuild b/net-analyzer/fail2ban/fail2ban-0.8.1.ebuild deleted file mode 100644 index 664b35edd45f..000000000000 --- a/net-analyzer/fail2ban/fail2ban-0.8.1.ebuild +++ /dev/null 
@@ -1,61 +0,0 @@
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/fail2ban/fail2ban-0.8.1.ebuild,v 1.5 2008/06/15 09:21:26 zmedico Exp $
-
-inherit distutils
-
-DESCRIPTION="Bans IP that make too many password failures"
-HOMEPAGE="http://fail2ban.sourceforge.net/"
-SRC_URI="mirror://sourceforge/fail2ban/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~hppa ~ppc ~ppc64 ~x86 ~x86-fbsd"
-IUSE=""
-
-DEPEND=">=dev-lang/python-2.4"
-RDEPEND="${DEPEND}
- virtual/mta"
-
-src_install() {
- distutils_src_install
-
- newconfd files/gentoo-confd fail2ban
- newinitd files/gentoo-initd fail2ban
- dodoc CHANGELOG README TODO || die "dodoc failed"
- doman man/*.1 || die "doman failed"
-
- # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
- # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
- insinto /etc/logrotate.d
- newins "${FILESDIR}"/${PN}-logrotate ${PN} || die
-}
-
-pkg_preinst() {
- has_version "<${CATEGORY}/${PN}-0.7"
- previous_less_than_0_7=$?
-}
-
-pkg_postinst() {
- if [[ $previous_less_than_0_7 = 0 ]] ; then
- elog
- elog "Configuration files are now in /etc/fail2ban/"
- elog "You probably have to manually update your configuration"
- elog "files before restarting Fail2ban!"
- elog
- elog "Fail2ban is not installed under /usr/lib anymore. The"
- elog "new location is under /usr/share."
- elog
- elog "You are upgrading from version 0.6.x, please see:"
- elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
- fi
-}
-
-pkg_setup() {
- if ! built_with_use dev-lang/python readline ; then
- echo
- eerror "dev-lang/python is missing readline support. Please add"
- eerror "'readline' to your USE flags, and re-emerge dev-lang/python."
- die "dev-lang/python needs readline support"
- fi
-}
diff --git a/net-analyzer/fail2ban/fail2ban-0.8.2.ebuild b/net-analyzer/fail2ban/fail2ban-0.8.3-r1.ebuild
index b6967166e95e..2f63b63a75f5 100644
--- a/net-analyzer/fail2ban/fail2ban-0.8.2.ebuild
+++ b/net-analyzer/fail2ban/fail2ban-0.8.3-r1.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2008 Gentoo Foundation
+# Copyright 1999-2009 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/fail2ban/fail2ban-0.8.2.ebuild,v 1.4 2008/06/21 11:02:09 bluebird Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/fail2ban/fail2ban-0.8.3-r1.ebuild,v 1.1 2009/08/23 21:04:47 a3li Exp $
 
 inherit distutils
 
@@ -17,6 +17,13 @@ DEPEND=">=dev-lang/python-2.4"
 RDEPEND="${DEPEND}
  virtual/mta"
 
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}/${PN}-CVE-2009-0362.patch"
+}
+
 src_install() {
  distutils_src_install
 
diff --git a/net-analyzer/fail2ban/fail2ban-0.8.3.ebuild b/net-analyzer/fail2ban/fail2ban-0.8.3.ebuild
deleted file mode 100644
index 831030f44bfc..000000000000
--- a/net-analyzer/fail2ban/fail2ban-0.8.3.ebuild
+++ /dev/null
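Review bot: The new `src_unpack()` calls `epatch`, but the only eclass named on the visible `inherit` line is `distutils`, so the helper is reached through whatever that eclass happens to pull in. Naming it directly, `inherit distutils eutils`, keeps the security patch applying if that indirect inheritance ever changes. The `cd "${S}"` before it is unchecked; `cd "${S}" || die` would stop the build rather than let the patch step run from the wrong directory. The `inherit` line appears only as context in the first hunk, and the rest of the ebuild is outside both hunks.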
@@ -1,56 +0,0 @@
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/fail2ban/fail2ban-0.8.3.ebuild,v 1.1 2008/07/30 14:40:56 jer Exp $
-
-inherit distutils
-
-DESCRIPTION="Bans IP that make too many password failures"
-HOMEPAGE="http://fail2ban.sourceforge.net/"
-SRC_URI="mirror://sourceforge/fail2ban/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~hppa ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
-IUSE=""
-
-DEPEND=">=dev-lang/python-2.4"
-RDEPEND="${DEPEND}
- virtual/mta"
-
-src_install() {
- distutils_src_install
-
- diropts -m 0755 -o root -g root
- dodir /var/run/${PN}
- keepdir /var/run/${PN}
-
- newconfd files/gentoo-confd fail2ban
- newinitd files/gentoo-initd fail2ban
- dodoc ChangeLog README TODO || die "dodoc failed"
- doman man/*.1 || die "doman failed"
-
- # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
- # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
- insinto /etc/logrotate.d
- newins "${FILESDIR}"/${PN}-logrotate ${PN} || die
-}
-
-pkg_preinst() {
- has_version "<${CATEGORY}/${PN}-0.7"
- previous_less_than_0_7=$?
-}
-
-pkg_postinst() {
- if [[ $previous_less_than_0_7 = 0 ]] ; then
- elog
- elog "Configuration files are now in /etc/fail2ban/"
- elog "You probably have to manually update your configuration"
- elog "files before restarting Fail2ban!"
- elog
- elog "Fail2ban is not installed under /usr/lib anymore. The"
- elog "new location is under /usr/share."
- elog
- elog "You are upgrading from version 0.6.x, please see:"
- elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
- fi
-}
diff --git a/net-analyzer/fail2ban/files/fail2ban-CVE-2009-0362.patch b/net-analyzer/fail2ban/files/fail2ban-CVE-2009-0362.patch
new file mode 100644
index 000000000000..a22132e9c46f
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-CVE-2009-0362.patch
@@ -0,0 +1,277 @@ +Patch for bug 258866. Taken via svn diff from upstream SVN. +Removed Changelog and cyrus filter changes as they didn't apply. --a3li + +Index: testcases/filtertestcase.py +=================================================================== +--- testcases/filtertestcase.py (revision 727) ++++ testcases/filtertestcase.py (revision 728) +@@ -99,7 +99,7 @@ + output = ('193.168.0.128', 3, 1124013599.0) + + self.__filter.addLogPath(GetFailures.FILENAME_01) +- self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)") ++ self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>") + + self.__filter.getFailures(GetFailures.FILENAME_01) + +@@ -116,7 +116,7 @@ + output = ('141.3.81.106', 4, 1124013539.0) + + self.__filter.addLogPath(GetFailures.FILENAME_02) +- self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)") ++ self.__filter.addFailRegex("Failed .* from <HOST>") + + self.__filter.getFailures(GetFailures.FILENAME_02) + +@@ -133,7 +133,7 @@ + output = ('203.162.223.135', 6, 1124013544.0) + + self.__filter.addLogPath(GetFailures.FILENAME_03) +- self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown") ++ self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown") + + self.__filter.getFailures(GetFailures.FILENAME_03) + +@@ -151,7 +151,7 @@ + ('212.41.96.185', 4, 1124013598.0)] + + self.__filter.addLogPath(GetFailures.FILENAME_04) +- self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)") ++ self.__filter.addFailRegex("Invalid user .* <HOST>") + + self.__filter.getFailures(GetFailures.FILENAME_04) + +Index: config/filter.d/postfix.conf +=================================================================== +--- config/filter.d/postfix.conf 
(revision 727) ++++ config/filter.d/postfix.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = reject: RCPT from (.*)\[<HOST>\]: 554 +Index: config/filter.d/sshd.conf +=================================================================== +--- config/filter.d/sshd.conf (revision 727) ++++ config/filter.d/sshd.conf (revision 728) +@@ -20,7 +20,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ +Index: config/filter.d/courierlogin.conf +=================================================================== +--- config/filter.d/courierlogin.conf (revision 727) ++++ config/filter.d/courierlogin.conf (revision 728) +@@ -12,7 +12,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$ +Index: config/filter.d/sasl.conf +=================================================================== +--- config/filter.d/sasl.conf (revision 727) ++++ config/filter.d/sasl.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. 
The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ +Index: config/filter.d/exim.conf +=================================================================== +--- config/filter.d/exim.conf (revision 727) ++++ config/filter.d/exim.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address) +Index: config/filter.d/qmail.conf +=================================================================== +--- config/filter.d/qmail.conf (revision 727) ++++ config/filter.d/qmail.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST> +Index: config/filter.d/xinetd-fail.conf +=================================================================== +--- config/filter.d/xinetd-fail.conf (revision 727) ++++ config/filter.d/xinetd-fail.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". 
The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + # Cfr.: /var/log/(daemon\.|sys)log +Index: config/filter.d/vsftpd.conf +=================================================================== +--- config/filter.d/vsftpd.conf (revision 727) ++++ config/filter.d/vsftpd.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$ +Index: config/filter.d/pure-ftpd.conf +=================================================================== +--- config/filter.d/pure-ftpd.conf (revision 727) ++++ config/filter.d/pure-ftpd.conf (revision 728) +@@ -16,7 +16,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ +Index: config/filter.d/couriersmtp.conf +=================================================================== +--- config/filter.d/couriersmtp.conf (revision 727) ++++ config/filter.d/couriersmtp.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". 
The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = error,relay=<HOST>,.*550 User unknown +Index: config/filter.d/proftpd.conf +=================================================================== +--- config/filter.d/proftpd.conf (revision 727) ++++ config/filter.d/proftpd.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ +Index: config/filter.d/apache-noscript.conf +=================================================================== +--- config/filter.d/apache-noscript.conf (revision 727) ++++ config/filter.d/apache-noscript.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failure messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) +Index: config/filter.d/apache-auth.conf +=================================================================== +--- config/filter.d/apache-auth.conf (revision 727) ++++ config/filter.d/apache-auth.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failure messages in the logfile. The + # host must be matched by a group named "host". 
The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = [[]client <HOST>[]] user .* authentication failure +Index: config/filter.d/webmin-auth.conf +=================================================================== +--- config/filter.d/webmin-auth.conf (revision 727) ++++ config/filter.d/webmin-auth.conf (revision 728) +@@ -15,7 +15,7 @@ + # Notes.: regex to match the password failure messages in the logfile. The + # host must be matched by a group named "host". The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = webmin.* Non-existent login as .+ from <HOST>$ +Index: config/filter.d/common.conf +=================================================================== +--- config/filter.d/common.conf (revision 727) ++++ config/filter.d/common.conf (revision 728) +@@ -3,7 +3,7 @@ + # + # Author: Yaroslav Halchenko + # +-# $Revision: 1.1 $ ++# $Revision: 1.1 $ + # + + [INCLUDES] +Index: config/filter.d/sshd-ddos.conf +=================================================================== +--- config/filter.d/sshd-ddos.conf (revision 727) ++++ config/filter.d/sshd-ddos.conf (revision 728) +@@ -11,7 +11,7 @@ + # Notes.: regex to match the password failures messages in the logfile. The + # host must be matched by a group named "host". 
The tag "<HOST>" can + # be used for standard IP/hostname matching and is only an alias for +-# (?:::f{4,6}:)?(?P<host>\S+) ++# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) + # Values: TEXT + # + failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$ +Index: server/failregex.py +=================================================================== +--- server/failregex.py (revision 727) ++++ server/failregex.py (revision 728) +@@ -44,7 +44,7 @@ + self._matchCache = None + # Perform shortcuts expansions. + # Replace "<HOST>" with default regular expression for host. +- regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)") ++ regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)") + if regex.lstrip() == '': + raise RegexException("Cannot add empty regex") + try: +Index: server/filter.py +=================================================================== +--- server/filter.py (revision 727) ++++ server/filter.py (revision 728) +@@ -492,7 +492,7 @@ + + class DNSUtils: + +- IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}") ++ IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$") + + #@staticmethod + def dnsToIp(dns): |
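Review bot: The header of the added patch file says the cyrus filter changes were dropped because they did not apply, so it is worth confirming that the cyrus filter shipped with this version takes its host from the `<HOST>` tag. The `server/failregex.py` change only rewrites that tag, so a hand-written `(?P<host>\S+)` group in a filter would keep the old, unrestricted match. In the new expansion, `[\w\-.^_]+` lists `_` although `\w` already covers it, and it also admits `^`; if that is not intentional, `[\w\-.]+` states the allowed set more plainly. In `server/filter.py`, the `$` in `IP_CRE` still matches before a trailing newline, so `\Z` would be the stricter anchor. How `IP_CRE` is called is outside the hunk, so whether that matters in practice is not visible here.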