From patchwork Fri Jul 15 18:17:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: muradm X-Patchwork-Id: 40665 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 5E2FA27BBEA; Fri, 15 Jul 2022 19:18:20 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id B429627BBE9 for ; Fri, 15 Jul 2022 19:18:18 +0100 (BST) Received: from localhost ([::1]:54248 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oCPtJ-0003rw-Tx for patchwork@mira.cbaines.net; Fri, 15 Jul 2022 14:18:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58266) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oCPt5-0003pq-2t for guix-patches@gnu.org; Fri, 15 Jul 2022 14:18:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:44348) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oCPt4-00038B-QD for guix-patches@gnu.org; Fri, 15 Jul 2022 14:18:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1oCPt4-0002xW-Ki for guix-patches@gnu.org; Fri, 15 Jul 2022 14:18:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#56579] [PATCH] gnu: admin: Add fail2ban 0.11.2. Resent-From: muradm Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 15 Jul 2022 18:18:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 56579 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 56579@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.165790903711313 (code B ref -1); Fri, 15 Jul 2022 18:18:02 +0000 Received: (at submit) by debbugs.gnu.org; 15 Jul 2022 18:17:17 +0000 Received: from localhost ([127.0.0.1]:42107 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oCPsK-0002wO-8j for submit@debbugs.gnu.org; Fri, 15 Jul 2022 14:17:17 -0400 Received: from lists.gnu.org ([209.51.188.17]:41534) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oCPsF-0002wE-RZ for submit@debbugs.gnu.org; Fri, 15 Jul 2022 14:17:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58102) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oCPsF-0003oF-LX for guix-patches@gnu.org; Fri, 15 Jul 2022 14:17:11 -0400 Received: from nomad-cl1.staging.muradm.net ([139.162.159.157]:58900 helo=nomad-cl1.muradm.net) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oCPsB-00030s-QY for guix-patches@gnu.org; Fri, 15 Jul 2022 14:17:11 -0400 Received: from localhost ([127.0.0.1]:54020) by nomad-cl1.muradm.net with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1oCPs1-0002VY-2F for guix-patches@gnu.org; Fri, 15 Jul 2022 18:16:57 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=muradm.net; s=mail; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=EL3fKjfDi6pZnnUErFU9T2Cbn/0SDrTvEw/YwcwzG9M=; b=KS2A3jtHJ7jU6JPskL5CrBx6sE P+tbuLk0YOQxQAnC4+fmLau+uyiW318K6ASTqmbA/M6EjFn30wD2MO5QUQLPTlNtDODqJ65bTquQ3 DJzQeY1gaNmKRFrvCGEyDGxjWaULWtLandvUdhVsrx3cv4RO1g7n/SdLDn+g8C/p/RsJzGi3wH0It RPjfnZfFmhsMMKaUvZUwFvPqok3CIwoVptMK+VmTEyJRssOVZoUElzP4lmNtJ1Mfzd+gBNgYvYB6w ZBpqO7PrwA/DWy/0XkemFu85rcYeU3PU5V7BSPb9oarJE7gIC4zLO0On/rEWBGRhbXDqqTolZ+nNm 539V5SFHft4mADYFD+qk8Hdk4MuyV/VUnOz2e1loJJG6gOyptodXpkITNPRU+45MLncgbYMMtJm5O DBEqyHm3qMNWQVcT3wN8rXiO3OC8KC15t9DzNvVkatwEdFVtgqIt4xPQn8SI6AZ7ZU6dVMey6o8Uv 4MUEu06cuhqMjjtzUyG1FXi5; Received: from muradm by localhost with local (Exim 4.96) (envelope-from ) id 1oCPs7-00078K-22 for guix-patches@gnu.org; Fri, 15 Jul 2022 21:17:03 +0300 From: muradm Date: Fri, 15 Jul 2022 21:17:03 +0300 Message-Id: <20220715181703.27416-1-mail@muradm.net> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 Received-SPF: pass client-ip=139.162.159.157; envelope-from=mail@muradm.net; helo=nomad-cl1.muradm.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches * gnu/packages/admin.scm (fail2ban): New variable. --- gnu/packages/admin.scm | 195 ++++++++++++++++++ .../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++ ...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++ .../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++ .../patches/fail2ban-paths-guix-conf.patch | 32 +++ .../fail2ban-python310-server-action.patch | 27 +++ .../fail2ban-python310-server-actions.patch | 25 +++ .../fail2ban-python310-server-jails.patch | 25 +++ 8 files changed, 571 insertions(+) create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 88cb8fded9..1a342728fa 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -100,6 +100,7 @@ (define-module (gnu packages admin) #:use-module (gnu packages cross-base) #:use-module (gnu packages crypto) #:use-module (gnu packages cryptsetup) + #:use-module (gnu packages curl) #:use-module (gnu packages cyrus-sasl) #:use-module (gnu packages dns) #:use-module (gnu packages elf) @@ -134,6 +135,7 @@ (define-module (gnu packages admin) #:use-module (gnu packages mcrypt) #:use-module (gnu packages mpi) #:use-module (gnu packages ncurses) + #:use-module (gnu packages networking) #:use-module (gnu packages openldap) #:use-module (gnu packages patchutils) #:use-module (gnu packages pciutils) @@ -152,6 +154,7 @@ (define-module (gnu packages admin) #:use-module (gnu packages ruby) #:use-module (gnu packages selinux) #:use-module (gnu packages serialization) + #:use-module (gnu packages sqlite) #:use-module (gnu packages ssh) #:use-module (gnu packages sphinx) #:use-module (gnu packages tcl) @@ -5231,3 +5234,195 @@ (define-public seatd mediate access to shared devices, such as graphics and input, for applications that require it.") (license license:expat))) + +(define-public fail2ban + (package + (name "fail2ban") + (version "0.11.2") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/fail2ban/fail2ban") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db")) + (modules '((guix build utils))) + (snippet + '(begin + ;; get rid of absolute paths + (substitute* "setup.py" + (("/etc/fail2ban") "etc/fail2ban") + (("/var/lib/fail2ban") "var/lib/fail2ban") + (("\"/usr/bin/\"") "\"usr/bin/\"") + (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"") + (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'")) + ;; disable tests performing unacceptable side-effects + (substitute* "fail2ban/tests/utils.py" + (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "") + (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "") + (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "") + (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "") + (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "") + (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "") + (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") "")))) + (patches + (search-patches + "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch" + "fail2ban-python310-server-action.patch" + "fail2ban-python310-server-actions.patch" + "fail2ban-python310-server-jails.patch" + "fail2ban-0.11.2_fix-test-suite.patch" + "fail2ban-0.11.2_CVE-2021-32749.patch" + "fail2ban-paths-guix-conf.patch")))) + (build-system python-build-system) + (arguments + '(#:phases (modify-phases %standard-phases + (add-before 'build 'invoke-2to3 + (lambda _ + (invoke "./fail2ban-2to3"))) + (add-before 'install 'set-action-dependencies + (lambda* (#:key inputs #:allow-other-keys) + ;; deleting things that are not feasible to fix + ;; or won't be used any way + (for-each delete-file + '("config/paths-arch.conf" + "config/paths-debian.conf" + "config/paths-fedora.conf" + "config/paths-freebsd.conf" + "config/paths-opensuse.conf" + "config/paths-osx.conf" + "config/action.d/apf.conf" + "config/action.d/bsd-ipfw.conf" + "config/action.d/dshield.conf" + "config/action.d/ipfilter.conf" + "config/action.d/ipfw.conf" + "config/action.d/firewallcmd-allports.conf" + "config/action.d/firewallcmd-common.conf" + "config/action.d/firewallcmd-ipset.conf" + "config/action.d/firewallcmd-multiport.conf" + "config/action.d/firewallcmd-new.conf" + "config/action.d/firewallcmd-rich-logging.conf" + "config/action.d/firewallcmd-rich-rules.conf" + "config/action.d/osx-afctl.conf" + "config/action.d/osx-ipfw.conf" + "config/action.d/pf.conf" + "config/action.d/nginx-block-map.conf" + "config/action.d/npf.conf" + "config/action.d/shorewall.conf" + "config/action.d/shorewall-ipset-proto6.conf" + "config/action.d/ufw.conf")) + (let* ((awk (assoc-ref inputs "gawk")) + (awk (string-append awk "/bin/awk")) + (bind-utils (assoc-ref inputs "bind")) + (dig (string-append bind-utils "/bin/dig")) + (nsupdate (string-append bind-utils "/bin/nsupdate")) + (coreutils (assoc-ref inputs "coreutils")) + (cat (string-append coreutils "/bin/cat")) + (cut (string-append coreutils "/bin/cut")) + (date (string-append coreutils "/bin/date")) + (echo (string-append coreutils "/bin/echo")) + (head (string-append coreutils "/bin/head")) + (id (string-append coreutils "/bin/id")) + (printf (string-append coreutils "/bin/printf")) + (rm (string-append coreutils "/bin/rm")) + (tail (string-append coreutils "/bin/tail")) + (test (string-append coreutils "/bin/test")) + (touch (string-append coreutils "/bin/touch")) + (tr (string-append coreutils "/bin/tr")) + (truncate (string-append coreutils "/bin/truncate")) + (wc (string-append coreutils "/bin/wc")) + (curl (assoc-ref inputs "curl")) + (curl (string-append curl "/bin/curl")) + (grep (assoc-ref inputs "grep")) + (grep (string-append grep "/bin/grep")) + (jq (assoc-ref inputs "jq")) + (jq (string-append jq "/bin/jq")) + (iproute2 (assoc-ref inputs "iproute2")) + (ip (string-append iproute2 "/bin/ip")) + (ipset (assoc-ref inputs "ipset")) + (ipset (string-append ipset "/sbin/ipset")) + (iptables (assoc-ref inputs "iptables")) + (ip6tables (string-append iptables "/sbin/ip6tables")) + (iptables (string-append iptables "/sbin/iptables")) + (nft (assoc-ref inputs "nftables")) + (nft (string-append nft "/sbin/nft")) + (perl (assoc-ref inputs "perl")) + (perl (string-append nft "/bin/perl")) + (sed (assoc-ref inputs "sed")) + (sed (string-append sed "/bin/sed")) + (sendmail (assoc-ref inputs "sendmail")) + (sendmail (string-append sed "/sbin/sendmail")) + (whois (assoc-ref inputs "whois")) + (whois (string-append whois "/bin/whois"))) + (for-each + (lambda (f) + (substitute* f + ;; TODO: deal with mailcmd = mail ... + ;; TODO: deal with geoiplookup .. + (("awk") awk) + (("cat ") (string-append cat " ")) + (("curl") curl) + (("cut -d") (string-append cut " -d")) + ((" date ") (string-append " " date " ")) + (("`date`") (string-append "`" date "`")) + (("dig") dig) + (("echo ") (string-append echo " ")) + (("grep ") (string-append grep " ")) + (("head ") (string-append head " ")) + (("id -") (string-append id " -")) + (("ip -4 addr") (string-append ip " -4 addr")) + (("ip -6 addr") (string-append ip " -6 addr")) + (("ip route") (string-append ip " route")) + (("ipset ") (string-append ipset " ")) + (("iptables <") (string-append iptables " <")) + (("ip6tables <") (string-append ip6tables " <")) + (("jq") jq) + (("/usr/bin/nsupdate") nsupdate) + (("nftables = nft") (string-append "nftables = " nft)) + (("perl -e") (string-append perl " -e")) + (("printf ") (string-append printf " ")) + ((" rm ") (string-append " " rm " ")) + ((" sed ") (string-append " " sed " ")) + (("/usr/sbin/sendmail") sendmail) + ((" tail ") (string-append " " tail " ")) + (("test -e") (string-append test " -e")) + ((" touch ") (string-append " " touch " ")) + ((" tr ") (string-append " " tr " ")) + (("wc ") (string-append wc " ")) + (("_whois = whois") (string-append "_whois = " whois)))) + (find-files "config/action.d" "\\.conf$"))) + (substitute* "config/jail.conf" + (("before = paths-debian.conf") "before = paths-guix.conf"))))))) + (inputs (list + gawk + coreutils + curl + grep + jq + iproute + ipset + iptables + `(,isc-bind "utils") + nftables + perl + python-pyinotify + sed + sendmail + sqlite + whois)) + (home-page "http://www.fail2ban.org") + (synopsis "Daemon to ban hosts that cause multiple authentication errors") + (description "Fail2Ban scans log files like /var/log/auth.log and bans IP +addresses conducting too many failed login attempts. It does this by updating +system firewall rules to reject new connections from those IP addresses, for +a configurable amount of time. Fail2Ban comes out-of-the-box ready to read +many standard log files, such as those for sshd and Apache, and is easily +configured to read any log file of your choosing, for any error you wish. + +Though Fail2Ban is able to reduce the rate of incorrect authentication +attempts, it cannot eliminate the risk presented by weak authentication. Set +up services to use only two factor, or public/private authentication +mechanisms if you really want to protect services.") + (license license:gpl2))) diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch new file mode 100644 index 0000000000..d3c677918c --- /dev/null +++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch @@ -0,0 +1,155 @@ +From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 21 Jun 2021 17:12:53 +0200 +Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable + (default tilde) stops consider "~" char after new-line as composing escape + sequence + +--- + config/action.d/complain.conf | 2 +- + config/action.d/dshield.conf | 2 +- + config/action.d/mail-buffered.conf | 8 ++++---- + config/action.d/mail-whois-lines.conf | 2 +- + config/action.d/mail-whois.conf | 6 +++--- + config/action.d/mail.conf | 6 +++--- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf +index 3a5f882c9f..4d73b05859 100644 +--- a/config/action.d/complain.conf ++++ b/config/action.d/complain.conf +@@ -102,7 +102,7 @@ logpath = /dev/null + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf +index c128bef348..3d5a7a53a9 100644 +--- a/config/action.d/dshield.conf ++++ b/config/action.d/dshield.conf +@@ -179,7 +179,7 @@ tcpflags = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf +index 325f185b2f..79b841049c 100644 +--- a/config/action.d/mail-buffered.conf ++++ b/config/action.d/mail-buffered.conf +@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Output will be buffered until lines are available.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -28,13 +28,13 @@ actionstop = if [ -f ]; then + These hosts have been banned by Fail2Ban.\n + `cat ` + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " + rm + fi + printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> + These hosts have been banned by Fail2Ban.\n + `cat ` + \nRegards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary" ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" + rm + fi + +diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf +index 3a3e56b2c7..d2818cb9b9 100644 +--- a/config/action.d/mail-whois-lines.conf ++++ b/config/action.d/mail-whois-lines.conf +@@ -72,7 +72,7 @@ actionunban = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Default name of the chain + # +diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf +index 7fea34c40d..ab33b616dc 100644 +--- a/config/action.d/mail-whois.conf ++++ b/config/action.d/mail-whois.conf +@@ -20,7 +20,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n + Here is more information about :\n + `%(_whois_command)s`\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the +diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf +index 5d8c0e154c..f4838ddcb6 100644 +--- a/config/action.d/mail.conf ++++ b/config/action.d/mail.conf +@@ -16,7 +16,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n + The IP has just been banned by Fail2Ban after + attempts against .\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch new file mode 100644 index 0000000000..b0b14364b1 --- /dev/null +++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch @@ -0,0 +1,64 @@ +From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Sun, 19 Sep 2021 18:49:18 +0200 +Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup + command: use_2to3 is invalid (setuptools 58+) + +--- + setup.py | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +diff --git a/setup.py b/setup.py +index f4c2550f6f..98413273c5 100755 +--- a/setup.py ++++ b/setup.py +@@ -48,7 +48,7 @@ + from glob import glob + + from fail2ban.setup import updatePyExec +- ++from fail2ban.version import version + + source_dir = os.path.realpath(os.path.dirname( + # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.): +@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False): + # Wrapper to specify fail2ban own options: + class install_command_f2b(install): + user_options = install.user_options + [ +- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'), + ('without-tests', None, 'without tests files installation'), + ] + def initialize_options(self): +- self.disable_2to3 = None + self.without_tests = not with_tests + install.initialize_options(self) + def finalize_options(self): +- global _2to3 +- ## in the test cases 2to3 should be already done (fail2ban-2to3): +- if self.disable_2to3: +- _2to3 = False +- if _2to3: +- cmdclass = self.distribution.cmdclass +- cmdclass['build_py'] = build_py_2to3 +- cmdclass['build_scripts'] = build_scripts_2to3 + if self.without_tests: + self.distribution.scripts.remove('bin/fail2ban-testcases') + +@@ -178,7 +168,6 @@ def run(self): + if setuptools: + setup_extra = { + 'test_suite': "fail2ban.tests.utils.gatherTests", +- 'use_2to3': True, + } + else: + setup_extra = {} +@@ -202,9 +191,6 @@ def run(self): + ('/usr/share/doc/fail2ban', doc_files) + ) + +-# Get version number, avoiding importing fail2ban. +-# This is due to tests not functioning for python3 as 2to3 takes place later +-exec(open(join("fail2ban", "version.py")).read()) + + setup( + name = "fail2ban", diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch new file mode 100644 index 0000000000..91d973e72e --- /dev/null +++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch @@ -0,0 +1,48 @@ +From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 4 Jan 2021 02:42:38 +0100 +Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for + tests, considering interval from 2005 (alternate now) to now; + better + grouping algorithm for resulting century RE + +--- + fail2ban/server/strptime.py | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py +index 1464a96d1f..39fc795865 100644 +--- a/fail2ban/server/strptime.py ++++ b/fail2ban/server/strptime.py +@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo + Thereby respect possible run in the test-cases (alternate date used there) + """ + cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t] ++ def grp(exprset): ++ c = None ++ if len(exprset) > 1: ++ for i in exprset: ++ if c is None or i[0:-1] == c: ++ c = i[0:-1] ++ else: ++ c = None ++ break ++ if not c: ++ for i in exprset: ++ if c is None or i[0] == c: ++ c = i[0] ++ else: ++ c = None ++ break ++ if c: ++ return "%s%s" % (c, grp([i[len(c):] for i in exprset])) ++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \ ++ if len(exprset) > 1 else "".join(exprset) + exprset = set( cent(now[0].year + i) for i in (-1, distance) ) + if len(now) and now[1]: +- exprset |= set( cent(now[1].year + i) for i in (-1, distance) ) +- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset) ++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) ) ++ return grp(sorted(list(exprset))) + + timeRE = TimeRE() + diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch new file mode 100644 index 0000000000..8c2a5747ba --- /dev/null +++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch @@ -0,0 +1,32 @@ +From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001 +From: muradm +Date: Fri, 15 Jul 2022 20:08:14 +0300 +Subject: [PATCH] Add paths-guix.conf file. + +--- + config/paths-guix.conf | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + create mode 100644 config/paths-guix.conf + +diff --git a/config/paths-guix.conf b/config/paths-guix.conf +new file mode 100644 +index 00000000..b4a2e9f5 +--- /dev/null ++++ b/config/paths-guix.conf +@@ -0,0 +1,13 @@ ++# Guix ++ ++[INCLUDES] ++ ++before = paths-common.conf ++after = paths-overrides.local ++ ++ ++[DEFAULT] ++ ++syslog_authpriv = /var/log/secure ++syslog_mail = /var/log/maillog ++syslog_mail_warn = /var/log/maillog +-- +2.36.1 + diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch new file mode 100644 index 0000000000..723d7f7aa6 --- /dev/null +++ b/gnu/packages/patches/fail2ban-python310-server-action.patch @@ -0,0 +1,27 @@ +From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 8 Feb 2021 17:19:24 +0100 +Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes` + moved to the :mod:`collections.abc` module + +(since 3.10-alpha.5 `MutableMapping` is missing in collections module) +--- + fail2ban/server/action.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py +index 3bc48fe046..f0f1e6f59a 100644 +--- a/fail2ban/server/action.py ++++ b/fail2ban/server/action.py +@@ -30,7 +30,10 @@ + import threading + import time + from abc import ABCMeta +-from collections import MutableMapping ++try: ++ from collections.abc import MutableMapping ++except ImportError: ++ from collections import MutableMapping + + from .failregex import mapTag2Opt + from .ipdns import DNSUtils diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch new file mode 100644 index 0000000000..e31316d28b --- /dev/null +++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch @@ -0,0 +1,25 @@ +From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 8 Feb 2021 17:25:45 +0100 +Subject: [PATCH] amend for `Mapping` + +--- + fail2ban/server/actions.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py +index b7b95b445a..897d907c1a 100644 +--- a/fail2ban/server/actions.py ++++ b/fail2ban/server/actions.py +@@ -28,7 +28,10 @@ + import os + import sys + import time +-from collections import Mapping ++try: ++ from collections.abc import Mapping ++except ImportError: ++ from collections import Mapping + try: + from collections import OrderedDict + except ImportError: diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch new file mode 100644 index 0000000000..e5873c415e --- /dev/null +++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch @@ -0,0 +1,25 @@ +From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 8 Feb 2021 17:35:59 +0100 +Subject: [PATCH] amend for `Mapping` (jails) + +--- + fail2ban/server/jails.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py +index 972a8c4bd2..27e12ddf65 100644 +--- a/fail2ban/server/jails.py ++++ b/fail2ban/server/jails.py +@@ -22,7 +22,10 @@ + __license__ = "GPL" + + from threading import Lock +-from collections import Mapping ++try: ++ from collections.abc import Mapping ++except ImportError: ++ from collections import Mapping + + from ..exceptions import DuplicateJailException, UnknownJailException + from .jail import Jail