From: muradm
Date: Fri, 15 Jul 2022 22:02:46 +0300
Subject: [bug#56579] [PATCH v2] gnu: admin: Add fail2ban 0.11.2.
To: 56579@debbugs.gnu.org
Message-Id: <20220715190246.29929-1-mail@muradm.net>
In-Reply-To: <20220715181703.27416-1-mail@muradm.net>

* gnu/packages/admin.scm (fail2ban): New variable. --- gnu/packages/admin.scm | 181 ++++++++++++++++++ .../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++ ...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++ .../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++ .../patches/fail2ban-paths-guix-conf.patch | 32 ++++ .../fail2ban-python310-server-action.patch | 27 +++ .../fail2ban-python310-server-actions.patch | 25 +++ .../fail2ban-python310-server-jails.patch | 25 +++ 8 files changed, 557 insertions(+) create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 88cb8fded9..183d0a0cb5 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm 
@@ -100,6 +100,7 @@ (define-module (gnu packages admin) #:use-module (gnu packages cross-base) #:use-module (gnu packages crypto) #:use-module (gnu packages cryptsetup) + #:use-module (gnu packages curl) #:use-module (gnu packages cyrus-sasl) #:use-module (gnu packages dns) #:use-module (gnu packages elf) @@ -134,6 +135,7 @@ (define-module (gnu packages admin) #:use-module (gnu packages mcrypt) #:use-module (gnu packages mpi) #:use-module (gnu packages ncurses) + #:use-module (gnu packages networking) #:use-module (gnu packages openldap) #:use-module (gnu packages patchutils) #:use-module (gnu packages pciutils) @@ -152,6 +154,7 @@ (define-module (gnu packages admin) #:use-module (gnu packages ruby) #:use-module (gnu packages selinux) #:use-module (gnu packages serialization) + #:use-module (gnu packages sqlite) #:use-module (gnu packages ssh) #:use-module (gnu packages sphinx) #:use-module (gnu packages tcl) 
@@ -5231,3 +5234,181 @@ (define-public seatd mediate access to shared devices, such as graphics and input, for applications that require it.") (license license:expat))) + +(define-public fail2ban + (package + (name "fail2ban") + (version "0.11.2") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/fail2ban/fail2ban") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db")) + (modules '((guix build utils))) + (snippet + '(begin + ;; get rid of absolute paths + (substitute* "setup.py" + (("/etc/fail2ban") "etc/fail2ban") + (("/var/lib/fail2ban") "var/lib/fail2ban") + (("\"/usr/bin/\"") "\"usr/bin/\"") + (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"") + (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'")) + ;; disable tests performing unacceptable side-effects + (substitute* "fail2ban/tests/utils.py" + (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "") + (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "") + (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "") + (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "") + (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "") + (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "") + (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") "")))) + (patches + (search-patches + "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch" + "fail2ban-python310-server-action.patch" + "fail2ban-python310-server-actions.patch" + "fail2ban-python310-server-jails.patch" + "fail2ban-0.11.2_fix-test-suite.patch" + "fail2ban-0.11.2_CVE-2021-32749.patch" + "fail2ban-paths-guix-conf.patch")))) + (build-system python-build-system) + (arguments + '(#:phases (modify-phases %standard-phases + (add-before 'build 'invoke-2to3 + (lambda _ + (invoke "./fail2ban-2to3"))) + 
(add-before 'install 'set-action-dependencies + (lambda* (#:key inputs #:allow-other-keys) + ;; deleting things that are not feasible to fix + ;; or won't be used any way + (for-each delete-file + '("config/paths-arch.conf" + "config/paths-debian.conf" + "config/paths-fedora.conf" + "config/paths-freebsd.conf" + "config/paths-opensuse.conf" + "config/paths-osx.conf" + "config/action.d/apf.conf" + "config/action.d/bsd-ipfw.conf" + "config/action.d/dshield.conf" + "config/action.d/ipfilter.conf" + "config/action.d/ipfw.conf" + "config/action.d/firewallcmd-allports.conf" + "config/action.d/firewallcmd-common.conf" + "config/action.d/firewallcmd-ipset.conf" + "config/action.d/firewallcmd-multiport.conf" + "config/action.d/firewallcmd-new.conf" + "config/action.d/firewallcmd-rich-logging.conf" + "config/action.d/firewallcmd-rich-rules.conf" + "config/action.d/osx-afctl.conf" + "config/action.d/osx-ipfw.conf" + "config/action.d/pf.conf" + "config/action.d/nginx-block-map.conf" + "config/action.d/npf.conf" + "config/action.d/shorewall.conf" + "config/action.d/shorewall-ipset-proto6.conf" + "config/action.d/ufw.conf")) + (let* ((awk (search-input-file inputs "/bin/awk")) + (cat (search-input-file inputs "/bin/cat")) + (curl (search-input-file inputs "/bin/curl")) + (cut (search-input-file inputs "/bin/cut")) + (date (search-input-file inputs "/bin/date")) + (dig (search-input-file inputs "/bin/dig")) + (echo (search-input-file inputs "/bin/echo")) + (grep (search-input-file inputs "/bin/grep")) + (head (search-input-file inputs "/bin/head")) + (id (search-input-file inputs "/bin/id")) + (ip (search-input-file inputs "/sbin/ip")) + (ipset (search-input-file inputs "/sbin/ipset")) + (ip6tables (search-input-file inputs "/sbin/ip6tables")) + (iptables (search-input-file inputs "/sbin/iptables")) + (jq (search-input-file inputs "/bin/jq")) + (nft (search-input-file inputs "/sbin/nft")) + (nsupdate (search-input-file inputs "/bin/nsupdate")) + (perl (search-input-file inputs 
"/bin/perl")) + (printf (search-input-file inputs "/bin/printf")) + (rm (search-input-file inputs "/bin/rm")) + (sed (search-input-file inputs "/bin/sed")) + (sendmail (search-input-file inputs "/sbin/sendmail")) + (tail (search-input-file inputs "/bin/tail")) + (test (search-input-file inputs "/bin/test")) + (touch (search-input-file inputs "/bin/touch")) + (tr (search-input-file inputs "/bin/tr")) + (truncate (search-input-file inputs "/bin/truncate")) + (wc (search-input-file inputs "/bin/wc")) + (whois (search-input-file inputs "/bin/whois"))) + (for-each + (lambda (f) + (substitute* f + ;; TODO: deal with geoiplookup .. + (("awk") awk) + (("cat ") (string-append cat " ")) + (("curl") curl) + (("cut -d") (string-append cut " -d")) + ((" date ") (string-append " " date " ")) + (("`date`") (string-append "`" date "`")) + (("dig") dig) + (("echo ") (string-append echo " ")) + (("grep ") (string-append grep " ")) + (("head ") (string-append head " ")) + (("id -") (string-append id " -")) + (("ip -4 addr") (string-append ip " -4 addr")) + (("ip -6 addr") (string-append ip " -6 addr")) + (("ip route") (string-append ip " route")) + (("ipset ") (string-append ipset " ")) + (("iptables <") (string-append iptables " <")) + (("ip6tables <") (string-append ip6tables " <")) + (("jq") jq) + (("/usr/bin/nsupdate") nsupdate) + (("mail -E") (string-append sendmail " -E")) + (("nftables = nft") (string-append "nftables = " nft)) + (("perl -e") (string-append perl " -e")) + (("printf ") (string-append printf " ")) + ((" rm ") (string-append " " rm " ")) + ((" sed ") (string-append " " sed " ")) + (("/usr/sbin/sendmail") sendmail) + ((" tail ") (string-append " " tail " ")) + (("test -e") (string-append test " -e")) + ((" touch ") (string-append " " touch " ")) + ((" tr ") (string-append " " tr " ")) + (("wc ") (string-append wc " ")) + (("_whois = whois") (string-append "_whois = " whois)))) + (find-files "config/action.d" "\\.conf$"))) + (substitute* "config/jail.conf" + 
(("before = paths-debian.conf") "before = paths-guix.conf"))))))) + (inputs (list + gawk + coreutils + curl + grep + jq + iproute + ipset + iptables + `(,isc-bind "utils") + nftables + perl + python-pyinotify + sed + sendmail + sqlite + whois)) + (home-page "http://www.fail2ban.org") + (synopsis "Daemon to ban hosts that cause multiple authentication errors") + (description "Fail2Ban scans log files like /var/log/auth.log and bans IP +addresses conducting too many failed login attempts. It does this by updating +system firewall rules to reject new connections from those IP addresses, for +a configurable amount of time. Fail2Ban comes out-of-the-box ready to read +many standard log files, such as those for sshd and Apache, and is easily +configured to read any log file of your choosing, for any error you wish. + +Though Fail2Ban is able to reduce the rate of incorrect authentication +attempts, it cannot eliminate the risk presented by weak authentication. Set +up services to use only two factor, or public/private authentication +mechanisms if you really want to protect services.") + (license license:gpl2))) diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch new file mode 100644 index 0000000000..d3c677918c --- /dev/null +++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch 
@@ -0,0 +1,155 @@ +From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 21 Jun 2021 17:12:53 +0200 +Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable + (default tilde) stops consider "~" char after new-line as composing escape + sequence + +--- + config/action.d/complain.conf | 2 +- + config/action.d/dshield.conf | 2 +- + config/action.d/mail-buffered.conf | 8 ++++---- + config/action.d/mail-whois-lines.conf | 2 +- + config/action.d/mail-whois.conf | 6 +++--- + config/action.d/mail.conf | 6 +++--- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf +index 3a5f882c9f..4d73b05859 100644 +--- a/config/action.d/complain.conf ++++ b/config/action.d/complain.conf +@@ -102,7 +102,7 @@ logpath = /dev/null + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf +index c128bef348..3d5a7a53a9 100644 +--- a/config/action.d/dshield.conf ++++ b/config/action.d/dshield.conf +@@ -179,7 +179,7 @@ tcpflags = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. 
for standard Unix mail: +diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf +index 325f185b2f..79b841049c 100644 +--- a/config/action.d/mail-buffered.conf ++++ b/config/action.d/mail-buffered.conf +@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Output will be buffered until lines are available.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -28,13 +28,13 @@ actionstop = if [ -f ]; then + These hosts have been banned by Fail2Ban.\n + `cat ` + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " + rm + fi + printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> + These hosts have been banned by Fail2Ban.\n + `cat ` + \nRegards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary" ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" + rm + fi + +diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf +index 3a3e56b2c7..d2818cb9b9 100644 +--- a/config/action.d/mail-whois-lines.conf ++++ b/config/action.d/mail-whois-lines.conf +@@ -72,7 +72,7 @@ actionunban = + # Notes.: Your system mail command. 
Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Default name of the chain + # +diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf +index 7fea34c40d..ab33b616dc 100644 +--- a/config/action.d/mail-whois.conf ++++ b/config/action.d/mail-whois.conf +@@ -20,7 +20,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n + Here is more information about :\n + `%(_whois_command)s`\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. 
Take care that the +diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf +index 5d8c0e154c..f4838ddcb6 100644 +--- a/config/action.d/mail.conf ++++ b/config/action.d/mail.conf +@@ -16,7 +16,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n + The IP has just been banned by Fail2Ban after + attempts against .\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch new file mode 100644 index 0000000000..b0b14364b1 --- /dev/null +++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch 
@@ -0,0 +1,64 @@ +From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Sun, 19 Sep 2021 18:49:18 +0200 +Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup + command: use_2to3 is invalid (setuptools 58+) + +--- + setup.py | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +diff --git a/setup.py b/setup.py +index f4c2550f6f..98413273c5 100755 +--- a/setup.py ++++ b/setup.py +@@ -48,7 +48,7 @@ + from glob import glob + + from fail2ban.setup import updatePyExec +- ++from fail2ban.version import version + + source_dir = os.path.realpath(os.path.dirname( + # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.): +@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False): + # Wrapper to specify fail2ban own options: + class install_command_f2b(install): + user_options = install.user_options + [ +- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'), + ('without-tests', None, 'without tests files installation'), + ] + def initialize_options(self): +- self.disable_2to3 = None + self.without_tests = not with_tests + install.initialize_options(self) + def finalize_options(self): +- global _2to3 +- ## in the test cases 2to3 should be already done (fail2ban-2to3): +- if self.disable_2to3: +- _2to3 = False +- if _2to3: +- cmdclass = self.distribution.cmdclass +- cmdclass['build_py'] = build_py_2to3 +- cmdclass['build_scripts'] = build_scripts_2to3 + if self.without_tests: + self.distribution.scripts.remove('bin/fail2ban-testcases') + +@@ -178,7 +168,6 @@ def run(self): + if setuptools: + setup_extra = { + 'test_suite': "fail2ban.tests.utils.gatherTests", +- 'use_2to3': True, + } + else: + setup_extra = {} +@@ -202,9 +191,6 @@ def run(self): + ('/usr/share/doc/fail2ban', doc_files) + ) + +-# Get version number, avoiding importing fail2ban. 
+-# This is due to tests not functioning for python3 as 2to3 takes place later +-exec(open(join("fail2ban", "version.py")).read()) + + setup( + name = "fail2ban", diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch new file mode 100644 index 0000000000..91d973e72e --- /dev/null +++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch 
@@ -0,0 +1,48 @@ +From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 4 Jan 2021 02:42:38 +0100 +Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for + tests, considering interval from 2005 (alternate now) to now; + better + grouping algorithm for resulting century RE + +--- + fail2ban/server/strptime.py | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py +index 1464a96d1f..39fc795865 100644 +--- a/fail2ban/server/strptime.py ++++ b/fail2ban/server/strptime.py +@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo + Thereby respect possible run in the test-cases (alternate date used there) + """ + cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t] ++ def grp(exprset): ++ c = None ++ if len(exprset) > 1: ++ for i in exprset: ++ if c is None or i[0:-1] == c: ++ c = i[0:-1] ++ else: ++ c = None ++ break ++ if not c: ++ for i in exprset: ++ if c is None or i[0] == c: ++ c = i[0] ++ else: ++ c = None ++ break ++ if c: ++ return "%s%s" % (c, grp([i[len(c):] for i in exprset])) ++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \ ++ if len(exprset) > 1 else "".join(exprset) + exprset = set( cent(now[0].year + i) for i in (-1, distance) ) + if len(now) and now[1]: +- exprset |= set( cent(now[1].year + i) for i in (-1, distance) ) +- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset) ++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) ) ++ return grp(sorted(list(exprset))) + + timeRE = TimeRE() + diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch new file mode 100644 index 0000000000..8c2a5747ba --- /dev/null +++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch 
@@ -0,0 +1,32 @@ +From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001 +From: muradm +Date: Fri, 15 Jul 2022 20:08:14 +0300 +Subject: [PATCH] Add paths-guix.conf file. + +--- + config/paths-guix.conf | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + create mode 100644 config/paths-guix.conf + +diff --git a/config/paths-guix.conf b/config/paths-guix.conf +new file mode 100644 +index 00000000..b4a2e9f5 +--- /dev/null ++++ b/config/paths-guix.conf +@@ -0,0 +1,13 @@ ++# Guix ++ ++[INCLUDES] ++ ++before = paths-common.conf ++after = paths-overrides.local ++ ++ ++[DEFAULT] ++ ++syslog_authpriv = /var/log/secure ++syslog_mail = /var/log/maillog ++syslog_mail_warn = /var/log/maillog +-- +2.36.1 + diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch new file mode 100644 index 0000000000..723d7f7aa6 --- /dev/null +++ b/gnu/packages/patches/fail2ban-python310-server-action.patch @@ -0,0 +1,27 @@ +From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 8 Feb 2021 17:19:24 +0100 +Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes` + moved to the :mod:`collections.abc` module + +(since 3.10-alpha.5 `MutableMapping` is missing in collections module) +--- + fail2ban/server/action.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py +index 3bc48fe046..f0f1e6f59a 100644 +--- a/fail2ban/server/action.py ++++ b/fail2ban/server/action.py +@@ -30,7 +30,10 @@ + import threading + import time + from abc import ABCMeta +-from collections import MutableMapping ++try: ++ from collections.abc import MutableMapping ++except ImportError: ++ from collections import MutableMapping + + from .failregex import mapTag2Opt + from .ipdns import DNSUtils 
diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch new file mode 100644 index 0000000000..e31316d28b --- /dev/null +++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch @@ -0,0 +1,25 @@ +From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 8 Feb 2021 17:25:45 +0100 +Subject: [PATCH] amend for `Mapping` + +--- + fail2ban/server/actions.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py +index b7b95b445a..897d907c1a 100644 +--- a/fail2ban/server/actions.py ++++ b/fail2ban/server/actions.py +@@ -28,7 +28,10 @@ + import os + import sys + import time +-from collections import Mapping ++try: ++ from collections.abc import Mapping ++except ImportError: ++ from collections import Mapping + try: + from collections import OrderedDict + except ImportError: diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch new file mode 100644 index 0000000000..e5873c415e --- /dev/null +++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch 
@@ -0,0 +1,25 @@ +From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 8 Feb 2021 17:35:59 +0100 +Subject: [PATCH] amend for `Mapping` (jails) + +--- + fail2ban/server/jails.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py +index 972a8c4bd2..27e12ddf65 100644 +--- a/fail2ban/server/jails.py ++++ b/fail2ban/server/jails.py +@@ -22,7 +22,10 @@ + __license__ = "GPL" + + from threading import Lock +-from collections import Mapping ++try: ++ from collections.abc import Mapping ++except ImportError: ++ from collections import Mapping + + from ..exceptions import DuplicateJailException, UnknownJailException + from .jail import Jail -- 2.36.1
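
Review bot: in the fail2ban definition in gnu/packages/admin.scm, the substitution `(("mail -E") (string-append sendmail " -E"))` in the `set-action-dependencies` phase points the mail actions at the sendmail binary while keeping the arguments `-E 'set escape' -s` that fail2ban-0.11.2_CVE-2021-32749.patch introduces for the `mail` command. Please confirm that the `sendmail` input accepts those options with the same meaning. If it does not, the mail actions will either fail or run without the escape handling the CVE fix relies on, and an input that provides a compatible `mail` command would be the safer target. Separately, the patterns `("awk")`, `("curl")`, `("dig")` and `("jq")` carry no trailing space or other anchor, unlike `("cat ")` and `("grep ")` next to them, so they also rewrite those letters inside comments and longer words in every file under config/action.d; anchoring them the same way would narrow the match.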
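
Review bot: fail2ban-0.11.2_CVE-2021-32749.patch still carries its hunk for config/action.d/dshield.conf, but the `set-action-dependencies` phase in admin.scm deletes "config/action.d/dshield.conf" before install, so that hunk never reaches the installed package. If the upstream commit is being kept verbatim on purpose, say so in a short comment at the top of the patch file, together with a note that it is upstream commit 410a6ce5c80dd981c22752da034f2529b5eee844 and fixes CVE-2021-32749; the file currently starts directly at the "From 410a6ce..." line with no explanation of its origin.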
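
Review bot: in fail2ban-0.11.2_fix-test-suite.patch, the added line `exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )` in fail2ban/server/strptime.py uses `xrange`, which only exists on Python 2. It works in this package only because the `invoke-2to3` phase runs ./fail2ban-2to3 before the build, while fail2ban-0.11.2_fix-setuptools-drop-2to3.patch removes the setuptools-driven conversion. A comment next to the `invoke-2to3` phase stating that the patched sources still depend on it would keep someone from dropping the phase later and breaking `_getYearCentRE` at import time.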
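
Review bot: config/paths-guix.conf in fail2ban-paths-guix-conf.patch is missing documentation for its three log paths; the only comment in the file is "# Guix". `syslog_authpriv = /var/log/secure` and `syslog_mail = /var/log/maillog` decide which files the jails read, and a wrong path means the corresponding jail watches nothing, so please add a comment saying which syslog configuration these values assume and that `syslog_mail_warn` intentionally points at the same file as `syslog_mail`. Users with a different logging setup then know to override them in paths-overrides.local, which the `after =` line already includes.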