author | J0WI <J0WI@users.noreply.github.com> | 2021-09-16 22:50:35 +0200 |
---|---|---|
committer | Kevin Daudt <kdaudt@alpinelinux.org> | 2022-01-23 13:37:02 +0000 |
commit | f6a6a3540e70accbbeec4c4d6788f56684bb8d48 (patch) | |
tree | 29216699dc70260eb50c187268244f6714a6a17e | |
parent | a5cfe01bd9a2d2e2dffcf51951db6ebc91df29ff (diff) | |
main/fail2ban: patch CVE-2021-32749
-rw-r--r-- | main/fail2ban/APKBUILD | 25 | ||||
-rw-r--r-- | main/fail2ban/CVE-2021-32749.patch | 155 |
2 files changed, 171 insertions, 9 deletions
diff --git a/main/fail2ban/APKBUILD b/main/fail2ban/APKBUILD index f91d8fc63d..e8938079c3 100644 --- a/main/fail2ban/APKBUILD +++ b/main/fail2ban/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=fail2ban pkgver=0.11.2 -pkgrel=1 +pkgrel=2 pkgdesc="Scans log files for login failures then updates iptables to reject originating ip address" url="https://www.fail2ban.org/" arch="noarch" @@ -12,18 +12,24 @@ depends="python3 iptables ip6tables logrotate" makedepends="python3-dev py3-setuptools bash" subpackages="$pkgname-tests $pkgname-doc $pkgname-openrc" source="$pkgname-$pkgver.tar.gz::https://github.com/fail2ban/fail2ban/archive/$pkgver.tar.gz - $pkgname-747d468-fix-tests.patch::https://github.com/fail2ban/fail2ban/commit/747d4683221b5584f9663695fb48145689b42ceb.patch - python-3.10.patch - fail2ban.confd - fail2ban.logrotate - alpine-ssh.jaild - alpine-sshd.filterd - alpine-sshd-ddos.filterd - " + $pkgname-747d468-fix-tests.patch::https://github.com/fail2ban/fail2ban/commit/747d4683221b5584f9663695fb48145689b42ceb.patch + CVE-2021-32749.patch + python-3.10.patch + + fail2ban.confd + fail2ban.logrotate + alpine-ssh.jaild + alpine-sshd.filterd + alpine-sshd-ddos.filterd + " case "$CARCH" in s390x|mips64|armhf) options="!check";; esac +# secfixes: +# 0.11.2-r2: +# - CVE-2021-32749 + build() { sh fail2ban-2to3 python3 setup.py build 
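Review bot: In the `source=` hunk all eight existing entries are removed and re-added with what looks like the same text, so the only real addition, `CVE-2021-32749.patch`, is buried in a whitespace-only rewrite (inferred, since this page has collapsed the indentation). A security commit that adds just the one `source` line, its checksum and the `secfixes` entry is easier to audit and to cherry-pick to stable branches; the re-indent fits better in a separate commit. The `secfixes` block itself matches the bumped `pkgrel=2`.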
@@ -70,6 +76,7 @@ tests() {
 sha512sums="
 46b27abd947b00ea64106dbac563ef8afef38eec86684024d47d9a0e8c1969ff864ad6df7f4f8de2aa3eb1af6d769fb6796592d9f0e35521d5f95f17b8cade97 fail2ban-0.11.2.tar.gz
 5c0748c048031d88bc8fd2519bf99a35437b78a08fa942dbccdd2c0e4e9125560a847a8f1dc4414691c922dff558acff988492250be6a1f443a139b0e3762898 fail2ban-747d468-fix-tests.patch
+994de8a4fdd4535607cd1b21553266de015b57bdb7f84f931973cb4b3cadd93fb2fda2d402a4ecccf505dffabf146cd9eae2cd0b635c3cb3dfa2d312539d41be CVE-2021-32749.patch
 acd8f1f97233ed02012b166c62e8dc67b89729b82f0fcd81c871d0e425633f617404390b8301e6b22ef3ddf137f604a47aae7880a9f4ba6601b8d0ffe52b4f85 python-3.10.patch
 1e7581dd04e7777d6fd5c40cc842a7ec5f4e6a0374673d020d89dd61bf4093d48934844bee89bcac9084f9ae44f3beb66e714cf3c2763d79c3e8feb790c5e43b fail2ban.confd
 ee1c229db970239ebc707cd484a650fcf2347c70b411728ee2a4a35a72f4118cfccecf2a221275603320e0332efcc16e4979201933cec1aef1c5d5a082fc4940 fail2ban.logrotate
diff --git a/main/fail2ban/CVE-2021-32749.patch b/main/fail2ban/CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/main/fail2ban/CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the |
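Review bot: The added `-E 'set escape'` on every `mail` invocation only disables tilde escapes when the installed `mail` treats `-E` as "execute this command", as GNU mailutils does. In BSD mailx and s-nail, `-E` is a no-argument switch for discarding empty messages, so `'set escape'` would presumably be parsed as something else, such as a recipient. The APKBUILD `depends` names no mail client, so the package cannot tell which case applies. A comment beside each `mailcmd` would make the assumption visible, for example `# -E 'set escape' requires a mail(1) that runs the -E argument as a command (GNU mailutils)`. The patch changes only the shipped `action.d/*.conf` defaults, so a local override that redefines `mailcmd` or the `action*` strings with plain `mail -s` keeps the old command line and is worth calling out in the release note.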