aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ0WI <J0WI@users.noreply.github.com>2021-09-16 22:50:35 +0200
committerKevin Daudt <kdaudt@alpinelinux.org>2022-01-23 13:37:02 +0000
commitf6a6a3540e70accbbeec4c4d6788f56684bb8d48 (patch)
tree29216699dc70260eb50c187268244f6714a6a17e
parenta5cfe01bd9a2d2e2dffcf51951db6ebc91df29ff (diff)
downloadaports-f6a6a3540e70accbbeec4c4d6788f56684bb8d48.tar.gz
aports-f6a6a3540e70accbbeec4c4d6788f56684bb8d48.tar.bz2
aports-f6a6a3540e70accbbeec4c4d6788f56684bb8d48.tar.xz
main/fail2ban: patch CVE-2021-32749
-rw-r--r--main/fail2ban/APKBUILD25
-rw-r--r--main/fail2ban/CVE-2021-32749.patch155
2 files changed, 171 insertions, 9 deletions
diff --git a/main/fail2ban/APKBUILD b/main/fail2ban/APKBUILD
index f91d8fc63d..e8938079c3 100644
--- a/main/fail2ban/APKBUILD
+++ b/main/fail2ban/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=fail2ban
pkgver=0.11.2
-pkgrel=1
+pkgrel=2
pkgdesc="Scans log files for login failures then updates iptables to reject originating ip address"
url="https://www.fail2ban.org/"
arch="noarch"
@@ -12,18 +12,24 @@ depends="python3 iptables ip6tables logrotate"
makedepends="python3-dev py3-setuptools bash"
subpackages="$pkgname-tests $pkgname-doc $pkgname-openrc"
source="$pkgname-$pkgver.tar.gz::https://github.com/fail2ban/fail2ban/archive/$pkgver.tar.gz
- $pkgname-747d468-fix-tests.patch::https://github.com/fail2ban/fail2ban/commit/747d4683221b5584f9663695fb48145689b42ceb.patch
- python-3.10.patch
- fail2ban.confd
- fail2ban.logrotate
- alpine-ssh.jaild
- alpine-sshd.filterd
- alpine-sshd-ddos.filterd
- "
+ $pkgname-747d468-fix-tests.patch::https://github.com/fail2ban/fail2ban/commit/747d4683221b5584f9663695fb48145689b42ceb.patch
+ CVE-2021-32749.patch
+ python-3.10.patch
+
+ fail2ban.confd
+ fail2ban.logrotate
+ alpine-ssh.jaild
+ alpine-sshd.filterd
+ alpine-sshd-ddos.filterd
+ "
case "$CARCH" in
s390x|mips64|armhf) options="!check";;
esac
+# secfixes:
+# 0.11.2-r2:
+# - CVE-2021-32749
+
build() {
sh fail2ban-2to3
python3 setup.py build
@@ -70,6 +76,7 @@ tests() {
sha512sums="
46b27abd947b00ea64106dbac563ef8afef38eec86684024d47d9a0e8c1969ff864ad6df7f4f8de2aa3eb1af6d769fb6796592d9f0e35521d5f95f17b8cade97 fail2ban-0.11.2.tar.gz
5c0748c048031d88bc8fd2519bf99a35437b78a08fa942dbccdd2c0e4e9125560a847a8f1dc4414691c922dff558acff988492250be6a1f443a139b0e3762898 fail2ban-747d468-fix-tests.patch
+994de8a4fdd4535607cd1b21553266de015b57bdb7f84f931973cb4b3cadd93fb2fda2d402a4ecccf505dffabf146cd9eae2cd0b635c3cb3dfa2d312539d41be CVE-2021-32749.patch
acd8f1f97233ed02012b166c62e8dc67b89729b82f0fcd81c871d0e425633f617404390b8301e6b22ef3ddf137f604a47aae7880a9f4ba6601b8d0ffe52b4f85 python-3.10.patch
1e7581dd04e7777d6fd5c40cc842a7ec5f4e6a0374673d020d89dd61bf4093d48934844bee89bcac9084f9ae44f3beb66e714cf3c2763d79c3e8feb790c5e43b fail2ban.confd
ee1c229db970239ebc707cd484a650fcf2347c70b411728ee2a4a35a72f4118cfccecf2a221275603320e0332efcc16e4979201933cec1aef1c5d5a082fc4940 fail2ban.logrotate
diff --git a/main/fail2ban/CVE-2021-32749.patch b/main/fail2ban/CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/main/fail2ban/CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the