Merge remote-tracking branch 'salsa.debian/master' into debian

(conflicts resolved)
debian
sebres 2024-04-26 00:08:17 +02:00
commit e0e228ae91
15 changed files with 220 additions and 121 deletions

140
debian/changelog vendored
View File

@ -1,3 +1,25 @@
fail2ban (1.0.2-3) unstable; urgency=medium
* Add banaction = nftables in the defaults-debian.conf default
see https://github.com/fail2ban/fail2ban/discussions/3575#discussioncomment-7045315
* Move python3-systemd as depend (Closes: #770171, #1037437)
* Add backend = systemd to jail.d/defaults-debian.conf
-- Sylvestre Ledru <sylvestre@debian.org> Tue, 19 Sep 2023 13:55:20 +0200
fail2ban (1.0.2-2) unstable; urgency=medium
* Team upload.
[ Pirate Praveen ]
* Use systemd for correct /lib/systemd/system path (Closes: #1034230)
[ Jochen Sprickerhof ]
* Drop dependency on lsb-base. It is a transitional package to
sysvinit-utils which is essential.
-- Jochen Sprickerhof <jspricke@debian.org> Fri, 21 Apr 2023 21:54:48 +0200
fail2ban (1.0.2-1~upstream1) unstable; urgency=medium
[ Sergey Brester ]
@ -5,6 +27,12 @@ fail2ban (1.0.2-1~upstream1) unstable; urgency=medium
-- Sergey G. Brester <serg.brester@sebres.de> Thu, 09 Nov 2022 17:23:50 +0200
fail2ban (1.0.2-1) unstable; urgency=medium
* New upstream release
-- Sylvestre Ledru <sylvestre@debian.org> Wed, 09 Nov 2022 17:42:47 +0100
fail2ban (1.0.1-1~upstream1) unstable; urgency=medium
[ Sergey Brester ]
@ -12,6 +40,82 @@ fail2ban (1.0.1-1~upstream1) unstable; urgency=medium
-- Sergey G. Brester <serg.brester@sebres.de> Thu, 27 Sep 2022 19:07:41 +0200
fail2ban (1.0.1-1~exp1) experimental; urgency=medium
[ Bastian Germann ]
[ Gioele Barabucci ]
* d/post{inst,rm},preinst: Remove code for ancient versions
[ Debian Janitor ]
* debian/watch: Use GitHub /tags rather than /releases page.
* Update standards version to 4.6.1, no changes needed.
[ Sylvestre Ledru ]
* New upstream release
* Fix debian/watch
* Remove a bunch of patches (merged upstream)
-- Sylvestre Ledru <sylvestre@debian.org> Wed, 28 Sep 2022 07:16:20 -1000
fail2ban (0.11.2-6) unstable; urgency=medium
* Cherry-pick upstream fix to fix a startup issue with Python 3.10
(LP: #1958505)
* Cherry-pick upstream fix for courier-auth (Closes: #1004466)
* ignore false positive
fail2ban: read-in-maintainer-script [postinst:41
-- Sylvestre Ledru <sylvestre@debian.org> Thu, 10 Mar 2022 22:52:59 +0100
fail2ban (0.11.2-5) unstable; urgency=medium
* Revert the CVE-2021-32749 fix (Closes: #991449)
Debian bookworm has the mailutils version with the proper fix
-- Sylvestre Ledru <sylvestre@debian.org> Thu, 20 Jan 2022 23:21:44 +0100
fail2ban (0.11.2-4) unstable; urgency=medium
* Cherry pick 5ac303df8a171f748330d4c645ccbf1c2c7f3497
to address the 2to3 issue.
Thanks to Paul Wise for digging
(Closes: #997601)
-- Sylvestre Ledru <sylvestre@debian.org> Tue, 11 Jan 2022 09:12:57 +0100
fail2ban (0.11.2-3) unstable; urgency=medium
[ Debian Janitor ]
* Remove constraints unnecessary since stretch:
+ Build-Depends: Drop versioned constraint on debhelper.
* Bump debhelper from old 12 to 13.
* Update standards version to 4.5.1, no changes needed.
* Remove constraints unnecessary since buster:
+ fail2ban: Drop versioned constraint on lsb-base in Depends.
[ Sylvestre Ledru ]
* Fix the watch file
* Fix systemd-service-in-odd-location
lib/systemd/system/fail2ban.service => /usr/lib/systemd/system/fail2ban.service
* Fix the roundcube debian custom path (Closes: #988323)
Thanks to Kurt Fitzner for the patch
* Do not fail the postinst if chown/chmod are failing (Closes: #926237)
Thanks to Kim-Alexander Brodowski for the patch
* Adjust the systemd path from /var/run => /run
(Closes: #902413)
Thanks to Gabriel Filion for the patch
* Add support for scanlogd (taken from upstream)
(Closes: #983399)
* Standards-Version => 4.6.0
-- Sylvestre Ledru <sylvestre@debian.org> Sat, 23 Oct 2021 16:09:47 +0200
fail2ban (0.11.2-2) unstable; urgency=high
* Fix a problem with mail
-- Sylvestre Ledru <sylvestre@debian.org> Mon, 12 Jul 2021 06:52:40 +0200
fail2ban (0.11.2-1~upstream1) unstable; urgency=medium
[ Sergey Brester ]
@ -19,12 +123,40 @@ fail2ban (0.11.2-1~upstream1) unstable; urgency=medium
-- Sergey G. Brester <serg.brester@sebres.de> Mon, 23 Nov 2020 21:54:36 +0100
fail2ban (0.11.2-1) unstable; urgency=medium
* New upstream release
Remove python-3.9.patch (merged upstream)
-- Sylvestre Ledru <sylvestre@debian.org> Thu, 26 Nov 2020 13:47:53 +0100
fail2ban (0.11.1-4) unstable; urgency=medium
* Fix the copyright file (Closes: #975644)
* https for the Website field in Debian control
-- Sylvestre Ledru <sylvestre@debian.org> Tue, 24 Nov 2020 17:13:04 +0100
fail2ban (0.11.1-3) unstable; urgency=medium
[ Ondřej Nový ]
* Use debhelper-compat instead of debian/compat.
* d/control: Update Maintainer field with new Debian Python Team
contact address.
* d/control: Update Vcs-* fields with new Debian Python Team Salsa
layout.
* d/watch: Use https protocol.
[ Sylvestre Ledru ]
* Fix the python 3.9 support (Closes: #975565)
* remove deprecated package dh-systemd from the build deps
(Closes: #958625)
* Fix day-of-week for changelog entry 0.5.4-2.
* Update watch file format version to 4.
* Bump debhelper from deprecated 9 to 12.
* Update standards version to 4.5.0, no changes needed.
--
-- Sylvestre Ledru <sylvestre@debian.org> Mon, 23 Nov 2020 21:45:34 +0100
fail2ban (0.11.1-2) unstable; urgency=medium
@ -1111,7 +1243,7 @@ fail2ban (0.6.1-3) unstable; urgency=low
fail2ban (0.6.1-2) unstable; urgency=low
* Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows
indefinetly if there is a real problem on the system (closes: #359218)
indefinitely if there is a real problem on the system (closes: #359218)
* Adjusted debian/{copyright,watch}
* New version of init.d script (Thanks to Aaron Isotton) (closes: #364278)
@ -1165,7 +1297,7 @@ fail2ban (0.6.0-4) unstable; urgency=low
of "ChallengeResponseAuthentication no" and "PasswordAuthentication
yes"
* Fixed Apache timeregex and timepattern to confirm
the fomat of time stamp used in Debian's access.log (error.log uses
the format of time stamp used in Debian's access.log (error.log uses
RFC 2822 format)
* Added section ApacheAttacks to specify some common patterns of attacks on
a webserver (awstats.pl as a try). This section stays split from Apache
@ -1317,7 +1449,7 @@ fail2ban (0.5.4-2) unstable; urgency=low
* Added a keyword <section> in parsing of the subject and the body of an
email sent out by fail2ban (closes: #330311)
-- Yaroslav Halchenko <debian@onerussian.com> Wed, 27 Sep 2005 08:09:06 -0400
-- Yaroslav Halchenko <debian@onerussian.com> Tue, 27 Sep 2005 08:09:06 -0400
fail2ban (0.5.4-1) unstable; urgency=low

13
debian/control vendored
View File

@ -11,16 +11,17 @@ Build-Depends:
, python3-pyinotify
, sqlite3
, 2to3
Homepage: http://www.fail2ban.org
, pkg-config
, systemd
Homepage: https://www.fail2ban.org
Vcs-Git: https://github.com/fail2ban/fail2ban.git
Vcs-Browser: https://github.com/fail2ban/fail2ban
Standards-Version: 4.4.1
Standards-Version: 4.6.1
Package: fail2ban
Architecture: all
Depends: ${python3:Depends}, ${misc:Depends}, lsb-base (>=2.0-7)
Recommends: nftables | iptables, whois, python3-pyinotify, python3-systemd
Depends: ${python3:Depends}, ${misc:Depends}, python3-systemd
Recommends: nftables | iptables, whois, python3-pyinotify
Suggests: mailx, system-log-daemon, monit, sqlite3
Description: ban hosts that cause multiple authentication errors
Fail2ban monitors log files (e.g. /var/log/auth.log,
@ -31,7 +32,7 @@ Description: ban hosts that cause multiple authentication errors
email.
.
By default, it comes with filter expressions for various services
(sshd, apache, proftpd, sasl, etc.) but configuration can be
(sshd, Apache, proftpd, sasl, etc.) but configuration can be
easily extended for monitoring any other text file. All filters and
actions are given in the config files, thus fail2ban can be adopted
to be used with a variety of files and firewalls. Following recommends

10
debian/copyright vendored
View File

@ -1,12 +1,13 @@
This package was originally debianized by Yaroslav Halchenko
<debian@onerussian.com> on Mon Jul 4 14:41:34 HST 2005
It was downloaded from http://www.sourceforge.net/projects/fail2ban
It was downloaded from https://www.fail2ban.org
Author: Cyril Jaquier: <cyril.jaquier@fail2ban.org>
http://fail2ban.sourceforge.net
Original author: Cyril Jaquier: <cyril.jaquier@fail2ban.org>
https://www.fail2ban.org
Copyright: 2004-2009 Cyril Jaquier
many others since then
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -26,6 +27,5 @@ MA 02110-1301, USA.
On Debian systems, the complete text of the GNU General Public
License, version 2, can be found in /usr/share/common-licenses/GPL-2.
The Debian packaging is (C) 2006-2011, Yaroslav Halchenko <debian@onerussian.com>
The Debian packaging is (C) 2006-2018, Yaroslav Halchenko <debian@onerussian.com>
and is licensed under the GPL, see above.

View File

@ -1,2 +1,7 @@
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd
[sshd]
enabled = true

View File

@ -6,7 +6,7 @@ Index: fail2ban/man/fail2ban-client.1
===================================================================
--- fail2ban.orig/man/fail2ban-client.1
+++ fail2ban/man/fail2ban-client.1
@@ -470,7 +470,7 @@ the action <ACT> for <JAIL>
@@ -489,7 +489,7 @@ the action <ACT> for <JAIL>
.SH FILES
\fI/etc/fail2ban/*\fR
.SH "REPORTING BUGS"
@ -19,7 +19,7 @@ Index: fail2ban/man/fail2ban-server.1
===================================================================
--- fail2ban.orig/man/fail2ban-server.1
+++ fail2ban/man/fail2ban-server.1
@@ -69,7 +69,7 @@ display this help message
@@ -72,7 +72,7 @@ display this help message
\fB\-V\fR, \fB\-\-version\fR
print the version (\fB\-V\fR returns machine\-readable short format)
.SH "REPORTING BUGS"

View File

@ -2,7 +2,7 @@ Index: fail2ban/files/fail2ban.service.in
===================================================================
--- fail2ban.orig/files/fail2ban.service.in
+++ fail2ban/files/fail2ban.service.in
@@ -15,6 +15,7 @@ ExecReload=@BINDIR@/fail2ban-client relo
@@ -16,6 +16,7 @@ ExecReload=@BINDIR@/fail2ban-client relo
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

View File

@ -1,10 +0,0 @@
Index: fail2ban/bin/fail2ban-testcases
===================================================================
--- fail2ban.orig/bin/fail2ban-testcases
+++ fail2ban/bin/fail2ban-testcases
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
"""Script to run Fail2Ban tests battery

View File

@ -3,5 +3,6 @@ deb_init_paths
deb_manpages_reportbug
0002-ENH-verify-that-use_stock_cfg-was-not-provided-while.patch
deb_no_iptables_service
python3-test-suite.diff
no-python-user.diff
roundcude-update.diff
systemd-run.diff

49
debian/patches/systemd-run.diff vendored Normal file
View File

@ -0,0 +1,49 @@
Index: fail2ban/files/fail2ban.service.in
===================================================================
--- fail2ban.orig/files/fail2ban.service.in
+++ fail2ban/files/fail2ban.service.in
@@ -7,12 +7,12 @@ PartOf=firewalld.service
[Service]
Type=simple
Environment="PYTHONNOUSERSITE=1"
-ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=@BINDIR@/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
ExecStop=@BINDIR@/fail2ban-client stop
ExecReload=@BINDIR@/fail2ban-client reload
+RuntimeDirectory=fail2ban
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255
Index: fail2ban/files/debian-initd
===================================================================
--- fail2ban.orig/files/debian-initd
+++ fail2ban/files/debian-initd
@@ -34,7 +34,7 @@ SCRIPTNAME="/etc/init.d/$NAME"
# Ad-hoc way to parse out socket file name
SOCKFILE="$(grep -h '^[^#]*socket *=' "/etc/$NAME/$NAME.conf" "/etc/$NAME/$NAME.local" 2>/dev/null \
| tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g')"
-[ -z "$SOCKFILE" ] && SOCKFILE="/var/run/fail2ban.sock"
+[ -z "$SOCKFILE" ] && SOCKFILE="/run/fail2ban.sock"
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
@@ -110,13 +110,13 @@ do_start()
DAEMON_ARGS="$DAEMON_ARGS -x"
fi
- # Assure that /var/run/fail2ban exists
- [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
+ # Assure that /run/fail2ban exists
+ [ -d /run/fail2ban ] || mkdir -p /run/fail2ban
if [ "$FAIL2BAN_USER" != root ]; then
# Make the socket directory, IP lists and fail2ban log
# files writable by fail2ban
- chown "$FAIL2BAN_USER" /var/run/fail2ban
+ chown "$FAIL2BAN_USER" /run/fail2ban
# Create the logfile if it doesn't exist
touch /var/log/fail2ban.log
chown "$FAIL2BAN_USER" /var/log/fail2ban.log

59
debian/postinst vendored
View File

@ -16,7 +16,6 @@ set -e
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#
preversion=$2
case "$1" in
configure)
@ -25,49 +24,8 @@ case "$1" in
LOG=/var/log/fail2ban.log
touch $LOG
chown root:adm ${LOG}*
chmod 640 ${LOG}*
# Note regarding changed configuration file
# Note regarding changed configuration file
if [ ! -z $preversion ]; then
if dpkg --compare-versions $preversion lt 0.7.1-1; then
cat <<EOF
WARNING!
Fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you
customized any of provided configuration or startup files
(/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban), please
read relevant entry in /usr/share/doc/fail2ban/NEWS.Debian.gz.
EOF
fi
if dpkg --compare-versions $preversion lt 0.5.4-5.14; then
cat <<EOF
WARNING!
Configuration file /etc/fail2ban.conf, failregex configuration
parameter specifically, were changed in 0.5.4-5 to close reported
security breach, and in 0.5.4-5.14 to close few other bugs.
updating from <0.5.4-5
Unless configuration file (or corresponding failregex'es) gets updated,
security breach is not closed and corresponding warning will be reported
by the fail2ban (in the log files).
updating from <0.5.4-5.14
Bugs #329163, #331695 dealing with changed iptables rules
outside of fail2ban were fixed in 0.5.4-5.14, and require upgrade of the
configuration file (fwcheck option was introduced) to take full
advantage of the problem solution (otherwise some problems might
persist)
Please review the configuration file and make appropriate changes.
ENJOY!
EOF
fi
fi
chown root:adm ${LOG}* || true
chmod 640 ${LOG}* || true
;;
abort-upgrade|abort-remove|abort-deconfigure)
@ -80,19 +38,6 @@ EOF
;;
esac
if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then
dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@"
fi
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0

8
debian/postrm vendored
View File

@ -36,14 +36,6 @@ case "$1" in
;;
esac
if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then
dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@"
fi
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

15
debian/preinst vendored
View File

@ -1,15 +0,0 @@
#!/bin/sh
set -e
if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then
dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@"
dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@"
fi
#DEBHELPER#
exit 0

10
debian/rules vendored
View File

@ -17,11 +17,11 @@ export PYBUILD_INSTALL_ARGS=--without-tests
endif
%:
dh $@ --with python3,systemd --buildsystem pybuild
dh $@ --with python3 --buildsystem pybuild
DESTDIR=$(CURDIR)/debian/fail2ban
PYVERSION=$(shell py3versions -dv)
SYSTEMD_SYSTEM_UNIT_DIR = $(shell pkg-config --variable=systemdsystemunitdir systemd)
override_dh_clean:
-rm -rf fail2ban.egg-info
-rm -f debian/fail2ban.init
@ -58,11 +58,11 @@ override_dh_install:
install -d $(DESTDIR)/usr/share/bash-completion/completions
install -m 644 files/bash-completion $(DESTDIR)/usr/share/bash-completion/completions/fail2ban
: # Install systemd files
install -d $(DESTDIR)/lib/systemd/system
install -d $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
install -d $(DESTDIR)/usr/lib/tmpfiles.d
install -m 644 build/fail2ban.service $(DESTDIR)/lib/systemd/system
install -m 644 build/fail2ban.service $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
install -m 644 files/fail2ban-tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d
install -d $(DESTDIR)/lib/systemd/system
install -d $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
: # Install default jail enabler
install -m 644 debian/debian-files/jail.d_defaults-debian.conf $(DESTDIR)/etc/fail2ban/jail.d/defaults-debian.conf
dh_install

2
debian/source/lintian-overrides vendored Normal file
View File

@ -0,0 +1,2 @@
fail2ban: national-encoding *usr/lib/python3/dist-packages/fail2ban/tests/files/testcase-wrong-char.log*
fail2ban: national-encoding *usr/lib/python3/dist-packages/fail2ban/tests/files/testcase01.log*

9
debian/watch vendored
View File

@ -1,6 +1,3 @@
# watch control file for uscan
# Run the "uscan" command to check for upstream updates and more.
# Site Directory Pattern Version Script
version=3
opts="filenamemangle=s/.*\/(.*)/fail2ban-$1\.tar\.gz/" \
https://github.com/fail2ban/fail2ban/tags .*archive/(\d[\d\.]+).tar.gz
version=4
opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/fail2ban-$1\.tar\.gz/ \
https://github.com/fail2ban/fail2ban/tags .*/v?(\d\S+)\.tar\.gz