security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability
* Switch to DISTVERSION
* Pet portclippy
* Reformat Makefile with portfmt
PR: 259297
Approved by: maintainer
Obtained from: 410a6ce5c8
MFH: 2021Q4
Security: CVE-2021-32749
Security: https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
Differential Revision: https://reviews.freebsd.org/D32576
parent 653d4d258c
commit 644e5b65b9
@ -1,6 +1,6 @@
|
||||
PORTNAME= fail2ban
|
||||
PORTVERSION= 0.11.2
|
||||
PORTREVISION= 2
|
||||
DISTVERSION= 0.11.2
|
||||
PORTREVISION= 3
|
||||
CATEGORIES= security python
|
||||
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
|
||||
|
||||
@ -15,24 +15,22 @@ RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR}
|
||||
USES= cpe python:3.6+,patch shebangfix
|
||||
USE_GITHUB= yes
|
||||
USE_PYTHON= autoplist distutils
|
||||
PYDISTUTILS_BUILDARGS+= --without-tests
|
||||
PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR}
|
||||
USE_RC_SUBR= fail2ban
|
||||
|
||||
NO_ARCH= yes
|
||||
|
||||
SHEBANG_FILES= config/filter.d/ignorecommands/apache-fakegooglebot
|
||||
SHEBANG_LANG= fail2ban-python
|
||||
|
||||
NO_ARCH= yes
|
||||
SUB_LIST+= PYTHON_CMD=${PYTHON_CMD}
|
||||
|
||||
PYDISTUTILS_BUILDARGS+= --without-tests
|
||||
PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR}
|
||||
PORTDOCS= DEVELOP README.md
|
||||
|
||||
PORTDOCS= README.md DEVELOP
|
||||
OPTIONS_DEFINE= DOCS INOTIFY
|
||||
OPTIONS_DEFAULT= INOTIFY
|
||||
|
||||
OPTIONS_DEFINE= DOCS INOTIFY
|
||||
OPTIONS_DEFAULT=INOTIFY
|
||||
|
||||
INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes
|
||||
INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes
|
||||
|
||||
INOTIFY_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pyinotify>=0.8.3:devel/py-pyinotify@${PY_FLAVOR}
|
||||
|
||||
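Review bot: the reordering in this hunk (NO_ARCH, PYDISTUTILS_BUILDARGS and PYDISTUTILS_INSTALLARGS, PORTDOCS, OPTIONS_DEFINE and OPTIONS_DEFAULT) is formatting only, yet it lands in the same commit as a security fix marked MFH: 2021Q4. Consider committing the portfmt/portclippy cleanup separately, so the quarterly merge carries only files/patch-CVE-2021-32749 and the PORTREVISION bump and is easier to audit. Also, the two OPTIONS_DEFAULT lines differ only in the whitespace after `=`; check that the resulting line is aligned like its neighbours.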
@ -41,13 +39,11 @@ FILES= ${WRKSRC}/bin/fail2ban-client \
|
||||
${WRKSRC}/fail2ban/client/fail2bancmdline.py \
|
||||
${WRKSRC}/fail2ban/client/fail2banregex.py \
|
||||
${WRKSRC}/man/fail2ban-client.1 \
|
||||
${WRKSRC}/man/fail2ban-client.h2m \
|
||||
${WRKSRC}/setup.py
|
||||
${WRKSRC}/man/fail2ban-client.h2m ${WRKSRC}/setup.py
|
||||
|
||||
MAN_FILES= ${WRKSRC}/man/fail2ban-client.1 \
|
||||
${WRKSRC}/man/fail2ban-client.h2m \
|
||||
${WRKSRC}/man/fail2ban-regex.1 \
|
||||
${WRKSRC}/man/fail2ban-server.1 \
|
||||
${WRKSRC}/man/fail2ban-regex.1 ${WRKSRC}/man/fail2ban-server.1 \
|
||||
${WRKSRC}/man/fail2ban.1
|
||||
|
||||
FAIL2BAN_DBDIR= /var/db/${PORTNAME}
|
||||
|
158
security/py-fail2ban/files/patch-CVE-2021-32749
Normal file
@ -0,0 +1,158 @@
|
||||
From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
|
||||
From: sebres <serg.brester@sebres.de>
|
||||
Date: Mon, 21 Jun 2021 17:12:53 +0200
|
||||
Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
|
||||
(default tilde) stops consider "~" char after new-line as composing escape
|
||||
sequence
|
||||
|
||||
---
|
||||
config/action.d/complain.conf | 2 +-
|
||||
config/action.d/dshield.conf | 2 +-
|
||||
config/action.d/mail-buffered.conf | 8 ++++----
|
||||
config/action.d/mail-whois-lines.conf | 2 +-
|
||||
config/action.d/mail-whois.conf | 6 +++---
|
||||
config/action.d/mail.conf | 6 +++---
|
||||
6 files changed, 13 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git config/action.d/complain.conf config/action.d/complain.conf
|
||||
index 3a5f882c..4d73b058 100644
|
||||
--- config/action.d/complain.conf
|
||||
+++ config/action.d/complain.conf
|
||||
@@ -102,7 +102,7 @@ logpath = /dev/null
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
-mailcmd = mail -s
|
||||
+mailcmd = mail -E 'set escape' -s
|
||||
|
||||
# Option: mailargs
|
||||
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
|
||||
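Review bot: `mailcmd = mail -E 'set escape' -s` relies on the mailer treating the argument after `-E` as a command to execute, which not every mail(1) implementation does. The visible Makefile hunks add no run dependency on a specific mailer, so please confirm that the mail program this port is used with on FreeBSD parses the line this way and still sees `-s` as the subject option. If it does not, the port needs either a dependency on a mailer that does or a locally adapted form of the option. The same applies to the identical `mailcmd` change in dshield.conf and mail-whois-lines.conf.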
diff --git config/action.d/dshield.conf config/action.d/dshield.conf
|
||||
index c128bef3..3d5a7a53 100644
|
||||
--- config/action.d/dshield.conf
|
||||
+++ config/action.d/dshield.conf
|
||||
@@ -179,7 +179,7 @@ tcpflags =
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
-mailcmd = mail -s
|
||||
+mailcmd = mail -E 'set escape' -s
|
||||
|
||||
# Option: mailargs
|
||||
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
|
||||
diff --git config/action.d/mail-buffered.conf config/action.d/mail-buffered.conf
|
||||
index 325f185b..79b84104 100644
|
||||
--- config/action.d/mail-buffered.conf
|
||||
+++ config/action.d/mail-buffered.conf
|
||||
@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Output will be buffered until <lines> lines are available.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||
@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
|
||||
These hosts have been banned by Fail2Ban.\n
|
||||
`cat <tmpfile>`
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
|
||||
rm <tmpfile>
|
||||
fi
|
||||
printf %%b "Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
|
||||
These hosts have been banned by Fail2Ban.\n
|
||||
`cat <tmpfile>`
|
||||
\nRegards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
|
||||
rm <tmpfile>
|
||||
fi
|
||||
|
||||
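Review bot: in mail-buffered.conf the literal `mail -E 'set escape' -s` is repeated in actionstart, actionstop and actionban rather than going through a single `mailcmd` option as complain.conf, dshield.conf and mail-whois-lines.conf do. Any site that overrides these action strings or `mailcmd` in a local configuration file keeps the old `mail -s` invocation after the upgrade. Suggest a pkg-message or UPDATING entry telling administrators to apply the same change to their local overrides.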
diff --git config/action.d/mail-whois-lines.conf config/action.d/mail-whois-lines.conf
|
||||
index 3a3e56b2..d2818cb9 100644
|
||||
--- config/action.d/mail-whois-lines.conf
|
||||
+++ config/action.d/mail-whois-lines.conf
|
||||
@@ -72,7 +72,7 @@ actionunban =
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
-mailcmd = mail -s
|
||||
+mailcmd = mail -E 'set escape' -s
|
||||
|
||||
# Default name of the chain
|
||||
#
|
||||
diff --git config/action.d/mail-whois.conf config/action.d/mail-whois.conf
|
||||
index 7fea34c4..ab33b616 100644
|
||||
--- config/action.d/mail-whois.conf
|
||||
+++ config/action.d/mail-whois.conf
|
||||
@@ -20,7 +20,7 @@ norestored = 1
|
||||
actionstart = printf %%b "Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||
@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
|
||||
actionstop = printf %%b "Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
|
||||
Here is more information about <ip> :\n
|
||||
`%(_whois_command)s`\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
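Review bot: the actionban body in this hunk still embeds the output of `%(_whois_command)s` verbatim, so its safety now depends entirely on the `-E 'set escape'` argument reaching the mailer. Nothing in the action file says why that argument is there. Suggest a short comment next to the command, referencing CVE-2021-32749, so it is not dropped when someone later edits or copies the action.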
diff --git config/action.d/mail.conf config/action.d/mail.conf
|
||||
index 5d8c0e15..f4838ddc 100644
|
||||
--- config/action.d/mail.conf
|
||||
+++ config/action.d/mail.conf
|
||||
@@ -16,7 +16,7 @@ norestored = 1
|
||||
actionstart = printf %%b "Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||
@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
|
||||
actionstop = printf %%b "Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
|
||||
The IP <ip> has just been banned by Fail2Ban after
|
||||
<failures> attempts against <name>.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
--
|
||||
2.33.1
|
||||
|