Merge pull request #420 from yarikoptic/enh/release-0.8.11

DOC: release 0.8.11 - ChangeLog tidy
pull/425/head
Daniel Black 2013-11-06 12:48:09 -08:00
commit e91d40ee34
1 changed files with 27 additions and 30 deletions

View File

@ -4,39 +4,36 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
================================================================================
Fail2Ban (version 0.8.11.pre1) 2013/10/30
Fail2Ban (version 0.8.11.pre1) 2013/10/30
================================================================================
ver. 0.8.11 (2013/11/XXX) - loves-unittests and tight, DoS free, filter regexes
ver. 0.8.11 (2013/11/XXX) - loves-unittests-and-tight-DoS-free-filter-regexes
-----------
In light of CVE-2013-2178 that triggered our last release we have put a
significant effort into tightening all of the regexs of our filters to avoid
another similar vulnerability. All filters have been updated and some to
include more failure regexs supporting previously unbanned failures and
support for newer application versions too. There are test cases for most log
In light of CVE-2013-2178 that triggered our last release we have put
a significant effort into tightening all of the regexs of our filters
to avoid another similar vulnerability. All filters have been updated
and some to catch more login/authentication failures and to support
for newer application versions. There are test cases for most log
cases of failures now.
As usual if you have other examples that demonstrate that a filter is
insufficient please give us an example log line on the github issue tracker
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in some
obscure corner of the Internet.
As usual, if you have other examples that demonstrate that a filter is
insufficient, or if we have inadvertently introduced a regression,
please provide us with example log lines on the github issue tracker
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
some obscure corner of the Internet.
During the tightening of the regexs to avoid DoS vulnerabilities there is the
possibility that we have inadvertently, despite our best intentions,
incorrectly allowed a failure to continue. We will fix this as quickly as
humanly possible.
IMPORTANT incompatible changes:
Filter name changes:
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
* 'sasl' has been renamed to 'postfix-sasl'
These will require changing in jail.{conf,local} if using these filters.
Exim filter has been split into an spam and a relay/auth filter.
- IMPORTANT incompatible changes:
Filter name changes:
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
* 'sasl' has been renamed to 'postfix-sasl'
* 'exim' spam catching failregexes was split out into 'exim-spam'
These changes will require changing jail.{conf,local} if any of
those filters were used.
- Fixes:
Daniel Black & Marcel Dopita
* filter.d/apache-auth -- fixed and apache auth samples provide. closes #286
* filter.d/apache-auth -- fixed and apache auth samples provide. Closes gh-286
Yaroslav Halchenko
* filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267
* filter.d/apache-common.conf -- support apache 2.4 more detailed error
@ -62,8 +59,8 @@ IMPORTANT incompatible changes:
* filter.d/asterisk -- more regexes
Daniel Black
* action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
all platforms to ensure permissions are the same before and after a ban -
closes gh-266. hostsdeny supports daemon_list now too.
all platforms to ensure permissions are the same before and after a ban.
Closes gh-266. hostsdeny supports daemon_list now too.
* action.d/bsd-ipfw - action option unsed. Change blocktype to port unreach
instead of deny for consistancy.
* filter.d/dovecot - added to support different dovecot failure
@ -89,7 +86,7 @@ IMPORTANT incompatible changes:
https://bugzilla.redhat.com/show_bug.cgi?id=998020
John Doe (ache)
* action.d/bsd-ipfw.conf - invert actionstop logic to make exist status 0.
closes gh-343.
Closes gh-343.
JP Espinosa (Reviewed by O.Poplawski)
* files/redhat-initd - rewritten to use stock init.d functions thus
avoiding problems with getpid. Also $network and iptables moved
@ -110,7 +107,7 @@ IMPORTANT incompatible changes:
Daniel Black & ykimon
* filter.d/3proxy.conf -- filter added
* fail2ban-regex - now generates http://www.debuggex.com urls for debugging
regular expressions with the -D parameter.
regular expressions with the -D parameter.
Daniel Black
* filter.d/exim-spam.conf -- a splitout of exim's spam regexes
with additions for greater control over filtering spam.
@ -131,8 +128,8 @@ IMPORTANT incompatible changes:
* reorder parsing of jail.conf, jail.d/*.conf, jail.local, jail.d/*.local
and likewise for fail2ban.{conf|local|d/*.conf|d/*.local}. Closes gh-392
* jail.conf now has asterisk jail - no need for asterisk-tcp and
asterisk-udp. Users should replace existing jails with asterisk to
reduce duplicate parsing of the asterisk log file.
asterisk-udp. Users should replace existing jails with asterisk to
reduce duplicate parsing of the asterisk log file.
* filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin}- regex anchor at
start
* filter.d/vsftpd - anchored regex at start. disable old pam format regex
@ -163,7 +160,7 @@ IMPORTANT incompatible changes:
* filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General
regex impovements
Zurd
* filter.d/postfix - add filter for VRFY failures. closes gh-322.
* filter.d/postfix - add filter for VRFY failures. Closes gh-322.
Orion Poplawski
* fail2ban.d/ and jail.d/ directories are added to etc/fail2ban to facilitate
their use