diff --git a/debian/changelog b/debian/changelog index 3baaea4a..95aedda1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,25 @@ +fail2ban (1.0.2-3) unstable; urgency=medium + + * Add banaction = nftables in the defaults-debian.conf default + see https://github.com/fail2ban/fail2ban/discussions/3575#discussioncomment-7045315 + * Move python3-systemd as depend (Closes: #770171, #1037437) + * Add backend = systemd to jail.d/defaults-debian.conf + + -- Sylvestre Ledru Tue, 19 Sep 2023 13:55:20 +0200 + +fail2ban (1.0.2-2) unstable; urgency=medium + + * Team upload. + + [ Pirate Praveen ] + * Use systemd for correct /lib/systemd/system path (Closes: #1034230) + + [ Jochen Sprickerhof ] + * Drop dependency on lsb-base. It is a transitional package to + sysvinit-utils which is essential. + + -- Jochen Sprickerhof Fri, 21 Apr 2023 21:54:48 +0200 + fail2ban (1.0.2-1~upstream1) unstable; urgency=medium [ Sergey Brester ] @@ -5,6 +27,12 @@ fail2ban (1.0.2-1~upstream1) unstable; urgency=medium -- Sergey G. Brester Thu, 09 Nov 2022 17:23:50 +0200 +fail2ban (1.0.2-1) unstable; urgency=medium + + * New upstream release + + -- Sylvestre Ledru Wed, 09 Nov 2022 17:42:47 +0100 + fail2ban (1.0.1-1~upstream1) unstable; urgency=medium [ Sergey Brester ] @@ -12,6 +40,82 @@ fail2ban (1.0.1-1~upstream1) unstable; urgency=medium -- Sergey G. Brester Thu, 27 Sep 2022 19:07:41 +0200 +fail2ban (1.0.1-1~exp1) experimental; urgency=medium + + [ Bastian Germann ] + [ Gioele Barabucci ] + * d/post{inst,rm},preinst: Remove code for ancient versions + + [ Debian Janitor ] + * debian/watch: Use GitHub /tags rather than /releases page. + * Update standards version to 4.6.1, no changes needed. + + [ Sylvestre Ledru ] + * New upstream release + * Fix debian/watch + * Remove a bunch of patches (merged upstream) + + -- Sylvestre Ledru Wed, 28 Sep 2022 07:16:20 -1000 + +fail2ban (0.11.2-6) unstable; urgency=medium + + * Cherry-pick upstream fix to fix a startup issue with Python 3.10 + (LP: #1958505) + * Cherry-pick upstream fix for courier-auth (Closes: #1004466) + * ignore false positive + fail2ban: read-in-maintainer-script [postinst:41 + + -- Sylvestre Ledru Thu, 10 Mar 2022 22:52:59 +0100 + +fail2ban (0.11.2-5) unstable; urgency=medium + + * Revert the CVE-2021-32749 fix (Closes: #991449) + Debian bookworm has the mailutils version with the proper fix + + -- Sylvestre Ledru Thu, 20 Jan 2022 23:21:44 +0100 + +fail2ban (0.11.2-4) unstable; urgency=medium + + * Cherry pick 5ac303df8a171f748330d4c645ccbf1c2c7f3497 + to address the 2to3 issue. + Thanks to Paul Wise for digging + (Closes: #997601) + + -- Sylvestre Ledru Tue, 11 Jan 2022 09:12:57 +0100 + +fail2ban (0.11.2-3) unstable; urgency=medium + + [ Debian Janitor ] + * Remove constraints unnecessary since stretch: + + Build-Depends: Drop versioned constraint on debhelper. + * Bump debhelper from old 12 to 13. + * Update standards version to 4.5.1, no changes needed. + * Remove constraints unnecessary since buster: + + fail2ban: Drop versioned constraint on lsb-base in Depends. + + [ Sylvestre Ledru ] + * Fix the watch file + * Fix systemd-service-in-odd-location + lib/systemd/system/fail2ban.service => /usr/lib/systemd/system/fail2ban.service + * Fix the roundcube debian custom path (Closes: #988323) + Thanks to Kurt Fitzner for the patch + * Do not fail the postinst if chown/chmod are failing (Closes: #926237) + Thanks to Kim-Alexander Brodowski for the patch + * Adjust the systemd path from /var/run => /run + (Closes: #902413) + Thanks to Gabriel Filion for the patch + * Add support for scanlogd (taken from upstream) + (Closes: #983399) + * Standards-Version => 4.6.0 + + -- Sylvestre Ledru Sat, 23 Oct 2021 16:09:47 +0200 + +fail2ban (0.11.2-2) unstable; urgency=high + + * Fix a problem with mail + + -- Sylvestre Ledru Mon, 12 Jul 2021 06:52:40 +0200 + fail2ban (0.11.2-1~upstream1) unstable; urgency=medium [ Sergey Brester ] @@ -19,12 +123,40 @@ fail2ban (0.11.2-1~upstream1) unstable; urgency=medium -- Sergey G. Brester Mon, 23 Nov 2020 21:54:36 +0100 +fail2ban (0.11.2-1) unstable; urgency=medium + + * New upstream release + Remove python-3.9.patch (merged upstream) + + -- Sylvestre Ledru Thu, 26 Nov 2020 13:47:53 +0100 + +fail2ban (0.11.1-4) unstable; urgency=medium + + * Fix the copyright file (Closes: #975644) + * https for the Website field in Debian control + + -- Sylvestre Ledru Tue, 24 Nov 2020 17:13:04 +0100 + fail2ban (0.11.1-3) unstable; urgency=medium + [ Ondřej Nový ] + * Use debhelper-compat instead of debian/compat. + * d/control: Update Maintainer field with new Debian Python Team + contact address. + * d/control: Update Vcs-* fields with new Debian Python Team Salsa + layout. + * d/watch: Use https protocol. + + [ Sylvestre Ledru ] + * Fix the python 3.9 support (Closes: #975565) * remove deprecated package dh-systemd from the build deps (Closes: #958625) + * Fix day-of-week for changelog entry 0.5.4-2. + * Update watch file format version to 4. + * Bump debhelper from deprecated 9 to 12. + * Update standards version to 4.5.0, no changes needed. - -- + -- Sylvestre Ledru Mon, 23 Nov 2020 21:45:34 +0100 fail2ban (0.11.1-2) unstable; urgency=medium @@ -1111,7 +1243,7 @@ fail2ban (0.6.1-3) unstable; urgency=low fail2ban (0.6.1-2) unstable; urgency=low * Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows - indefinetly if there is a real problem on the system (closes: #359218) + indefinitely if there is a real problem on the system (closes: #359218) * Adjusted debian/{copyright,watch} * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278) @@ -1165,7 +1297,7 @@ fail2ban (0.6.0-4) unstable; urgency=low of "ChallengeResponseAuthentication no" and "PasswordAuthentication yes" * Fixed Apache timeregex and timepattern to confirm - the fomat of time stamp used in Debian's access.log (error.log uses + the format of time stamp used in Debian's access.log (error.log uses RFC 2822 format) * Added section ApacheAttacks to specify some common patterns of attacks on a webserver (awstats.pl as a try). This section stays split from Apache @@ -1317,7 +1449,7 @@ fail2ban (0.5.4-2) unstable; urgency=low * Added a keyword
in parsing of the subject and the body of an email sent out by fail2ban (closes: #330311) - -- Yaroslav Halchenko Wed, 27 Sep 2005 08:09:06 -0400 + -- Yaroslav Halchenko Tue, 27 Sep 2005 08:09:06 -0400 fail2ban (0.5.4-1) unstable; urgency=low diff --git a/debian/control b/debian/control index 589901fd..f60f33b1 100644 --- a/debian/control +++ b/debian/control @@ -11,16 +11,17 @@ Build-Depends: , python3-pyinotify , sqlite3 , 2to3 -Homepage: http://www.fail2ban.org + , pkg-config + , systemd +Homepage: https://www.fail2ban.org Vcs-Git: https://github.com/fail2ban/fail2ban.git Vcs-Browser: https://github.com/fail2ban/fail2ban -Standards-Version: 4.4.1 - +Standards-Version: 4.6.1 Package: fail2ban Architecture: all -Depends: ${python3:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) -Recommends: nftables | iptables, whois, python3-pyinotify, python3-systemd +Depends: ${python3:Depends}, ${misc:Depends}, python3-systemd +Recommends: nftables | iptables, whois, python3-pyinotify Suggests: mailx, system-log-daemon, monit, sqlite3 Description: ban hosts that cause multiple authentication errors Fail2ban monitors log files (e.g. /var/log/auth.log, @@ -31,7 +32,7 @@ Description: ban hosts that cause multiple authentication errors email. . By default, it comes with filter expressions for various services - (sshd, apache, proftpd, sasl, etc.) but configuration can be + (sshd, Apache, proftpd, sasl, etc.) but configuration can be easily extended for monitoring any other text file. All filters and actions are given in the config files, thus fail2ban can be adopted to be used with a variety of files and firewalls. Following recommends diff --git a/debian/copyright b/debian/copyright index 99d64846..3380fb94 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,12 +1,13 @@ This package was originally debianized by Yaroslav Halchenko on Mon Jul 4 14:41:34 HST 2005 -It was downloaded from http://www.sourceforge.net/projects/fail2ban +It was downloaded from https://www.fail2ban.org -Author: Cyril Jaquier: - http://fail2ban.sourceforge.net +Original author: Cyril Jaquier: + https://www.fail2ban.org Copyright: 2004-2009 Cyril Jaquier + many others since then This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +27,5 @@ MA 02110-1301, USA. On Debian systems, the complete text of the GNU General Public License, version 2, can be found in /usr/share/common-licenses/GPL-2. -The Debian packaging is (C) 2006-2011, Yaroslav Halchenko +The Debian packaging is (C) 2006-2018, Yaroslav Halchenko and is licensed under the GPL, see above. - diff --git a/debian/debian-files/jail.d_defaults-debian.conf b/debian/debian-files/jail.d_defaults-debian.conf index 9eb356c8..d0d52ae8 100644 --- a/debian/debian-files/jail.d_defaults-debian.conf +++ b/debian/debian-files/jail.d_defaults-debian.conf @@ -1,2 +1,7 @@ +[DEFAULT] +banaction = nftables +banaction_allports = nftables[type=allports] +backend = systemd + [sshd] enabled = true diff --git a/debian/patches/deb_manpages_reportbug b/debian/patches/deb_manpages_reportbug index a5abc480..9461dafc 100644 --- a/debian/patches/deb_manpages_reportbug +++ b/debian/patches/deb_manpages_reportbug @@ -6,7 +6,7 @@ Index: fail2ban/man/fail2ban-client.1 =================================================================== --- fail2ban.orig/man/fail2ban-client.1 +++ fail2ban/man/fail2ban-client.1 -@@ -470,7 +470,7 @@ the action for +@@ -489,7 +489,7 @@ the action for .SH FILES \fI/etc/fail2ban/*\fR .SH "REPORTING BUGS" @@ -19,7 +19,7 @@ Index: fail2ban/man/fail2ban-server.1 =================================================================== --- fail2ban.orig/man/fail2ban-server.1 +++ fail2ban/man/fail2ban-server.1 -@@ -69,7 +69,7 @@ display this help message +@@ -72,7 +72,7 @@ display this help message \fB\-V\fR, \fB\-\-version\fR print the version (\fB\-V\fR returns machine\-readable short format) .SH "REPORTING BUGS" diff --git a/debian/patches/no-python-user.diff b/debian/patches/no-python-user.diff index 69abe794..22a0eed6 100644 --- a/debian/patches/no-python-user.diff +++ b/debian/patches/no-python-user.diff @@ -2,7 +2,7 @@ Index: fail2ban/files/fail2ban.service.in =================================================================== --- fail2ban.orig/files/fail2ban.service.in +++ fail2ban/files/fail2ban.service.in -@@ -15,6 +15,7 @@ ExecReload=@BINDIR@/fail2ban-client relo +@@ -16,6 +16,7 @@ ExecReload=@BINDIR@/fail2ban-client relo PIDFile=/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 diff --git a/debian/patches/python3-test-suite.diff b/debian/patches/python3-test-suite.diff deleted file mode 100644 index 7740939e..00000000 --- a/debian/patches/python3-test-suite.diff +++ /dev/null @@ -1,10 +0,0 @@ -Index: fail2ban/bin/fail2ban-testcases -=================================================================== ---- fail2ban.orig/bin/fail2ban-testcases -+++ fail2ban/bin/fail2ban-testcases -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- - # vi: set ft=python sts=4 ts=4 sw=4 noet : - """Script to run Fail2Ban tests battery diff --git a/debian/patches/series b/debian/patches/series index a5a028d5..5901f22b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,5 +3,6 @@ deb_init_paths deb_manpages_reportbug 0002-ENH-verify-that-use_stock_cfg-was-not-provided-while.patch deb_no_iptables_service -python3-test-suite.diff no-python-user.diff +roundcude-update.diff +systemd-run.diff diff --git a/debian/patches/systemd-run.diff b/debian/patches/systemd-run.diff new file mode 100644 index 00000000..061b4bf6 --- /dev/null +++ b/debian/patches/systemd-run.diff @@ -0,0 +1,49 @@ + +Index: fail2ban/files/fail2ban.service.in +=================================================================== +--- fail2ban.orig/files/fail2ban.service.in ++++ fail2ban/files/fail2ban.service.in +@@ -7,12 +7,12 @@ PartOf=firewalld.service + [Service] + Type=simple + Environment="PYTHONNOUSERSITE=1" +-ExecStartPre=/bin/mkdir -p /run/fail2ban + ExecStart=@BINDIR@/fail2ban-server -xf start + # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local + # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start + ExecStop=@BINDIR@/fail2ban-client stop + ExecReload=@BINDIR@/fail2ban-client reload ++RuntimeDirectory=fail2ban + PIDFile=/run/fail2ban/fail2ban.pid + Restart=on-failure + RestartPreventExitStatus=0 255 +Index: fail2ban/files/debian-initd +=================================================================== +--- fail2ban.orig/files/debian-initd ++++ fail2ban/files/debian-initd +@@ -34,7 +34,7 @@ SCRIPTNAME="/etc/init.d/$NAME" + # Ad-hoc way to parse out socket file name + SOCKFILE="$(grep -h '^[^#]*socket *=' "/etc/$NAME/$NAME.conf" "/etc/$NAME/$NAME.local" 2>/dev/null \ + | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g')" +-[ -z "$SOCKFILE" ] && SOCKFILE="/var/run/fail2ban.sock" ++[ -z "$SOCKFILE" ] && SOCKFILE="/run/fail2ban.sock" + + # Exit if the package is not installed + [ -x "$DAEMON" ] || exit 0 +@@ -110,13 +110,13 @@ do_start() + DAEMON_ARGS="$DAEMON_ARGS -x" + fi + +- # Assure that /var/run/fail2ban exists +- [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban ++ # Assure that /run/fail2ban exists ++ [ -d /run/fail2ban ] || mkdir -p /run/fail2ban + + if [ "$FAIL2BAN_USER" != root ]; then + # Make the socket directory, IP lists and fail2ban log + # files writable by fail2ban +- chown "$FAIL2BAN_USER" /var/run/fail2ban ++ chown "$FAIL2BAN_USER" /run/fail2ban + # Create the logfile if it doesn't exist + touch /var/log/fail2ban.log + chown "$FAIL2BAN_USER" /var/log/fail2ban.log diff --git a/debian/postinst b/debian/postinst index a5c411ec..fdf7b230 100755 --- a/debian/postinst +++ b/debian/postinst @@ -16,7 +16,6 @@ set -e # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package # -preversion=$2 case "$1" in configure) @@ -25,50 +24,9 @@ case "$1" in LOG=/var/log/fail2ban.log touch $LOG - chown root:adm ${LOG}* - chmod 640 ${LOG}* - - # Note regarding changed configuration file - # Note regarding changed configuration file - if [ ! -z $preversion ]; then - if dpkg --compare-versions $preversion lt 0.7.1-1; then - cat </dev/null; then - dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@" -fi - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - #DEBHELPER# exit 0 - - diff --git a/debian/postrm b/debian/postrm index 5ff30129..543c6862 100755 --- a/debian/postrm +++ b/debian/postrm @@ -36,14 +36,6 @@ case "$1" in ;; esac -if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then - dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@" -fi - # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. diff --git a/debian/preinst b/debian/preinst deleted file mode 100755 index dc6f46ca..00000000 --- a/debian/preinst +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh - -set -e - -if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then - dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@" - dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@" -fi - -#DEBHELPER# - -exit 0 diff --git a/debian/rules b/debian/rules index 3ea95443..2a3c52ef 100755 --- a/debian/rules +++ b/debian/rules @@ -17,11 +17,11 @@ export PYBUILD_INSTALL_ARGS=--without-tests endif %: - dh $@ --with python3,systemd --buildsystem pybuild + dh $@ --with python3 --buildsystem pybuild DESTDIR=$(CURDIR)/debian/fail2ban PYVERSION=$(shell py3versions -dv) - +SYSTEMD_SYSTEM_UNIT_DIR = $(shell pkg-config --variable=systemdsystemunitdir systemd) override_dh_clean: -rm -rf fail2ban.egg-info -rm -f debian/fail2ban.init @@ -58,11 +58,11 @@ override_dh_install: install -d $(DESTDIR)/usr/share/bash-completion/completions install -m 644 files/bash-completion $(DESTDIR)/usr/share/bash-completion/completions/fail2ban : # Install systemd files - install -d $(DESTDIR)/lib/systemd/system + install -d $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR) install -d $(DESTDIR)/usr/lib/tmpfiles.d - install -m 644 build/fail2ban.service $(DESTDIR)/lib/systemd/system + install -m 644 build/fail2ban.service $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR) install -m 644 files/fail2ban-tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d - install -d $(DESTDIR)/lib/systemd/system + install -d $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR) : # Install default jail enabler install -m 644 debian/debian-files/jail.d_defaults-debian.conf $(DESTDIR)/etc/fail2ban/jail.d/defaults-debian.conf dh_install diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 00000000..574adb38 --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +fail2ban: national-encoding *usr/lib/python3/dist-packages/fail2ban/tests/files/testcase-wrong-char.log* +fail2ban: national-encoding *usr/lib/python3/dist-packages/fail2ban/tests/files/testcase01.log* diff --git a/debian/watch b/debian/watch index 07fe1217..8c128f0a 100644 --- a/debian/watch +++ b/debian/watch @@ -1,6 +1,3 @@ -# watch control file for uscan -# Run the "uscan" command to check for upstream updates and more. -# Site Directory Pattern Version Script -version=3 -opts="filenamemangle=s/.*\/(.*)/fail2ban-$1\.tar\.gz/" \ - https://github.com/fail2ban/fail2ban/tags .*archive/(\d[\d\.]+).tar.gz +version=4 +opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/fail2ban-$1\.tar\.gz/ \ + https://github.com/fail2ban/fail2ban/tags .*/v?(\d\S+)\.tar\.gz