initial buildroot for linux 5.15
This commit is contained in:
@@ -0,0 +1,158 @@
|
||||
From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
|
||||
From: sebres <serg.brester@sebres.de>
|
||||
Date: Mon, 21 Jun 2021 17:12:53 +0200
|
||||
Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
|
||||
(default tilde) stops consider "~" char after new-line as composing escape
|
||||
sequence
|
||||
|
||||
[Retrieved from:
|
||||
https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844]
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
---
|
||||
config/action.d/complain.conf | 2 +-
|
||||
config/action.d/dshield.conf | 2 +-
|
||||
config/action.d/mail-buffered.conf | 8 ++++----
|
||||
config/action.d/mail-whois-lines.conf | 2 +-
|
||||
config/action.d/mail-whois.conf | 6 +++---
|
||||
config/action.d/mail.conf | 6 +++---
|
||||
6 files changed, 13 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
|
||||
index 3a5f882c9f..4d73b05859 100644
|
||||
--- a/config/action.d/complain.conf
|
||||
+++ b/config/action.d/complain.conf
|
||||
@@ -102,7 +102,7 @@ logpath = /dev/null
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
-mailcmd = mail -s
|
||||
+mailcmd = mail -E 'set escape' -s
|
||||
|
||||
# Option: mailargs
|
||||
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
|
||||
diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
|
||||
index c128bef348..3d5a7a53a9 100644
|
||||
--- a/config/action.d/dshield.conf
|
||||
+++ b/config/action.d/dshield.conf
|
||||
@@ -179,7 +179,7 @@ tcpflags =
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
-mailcmd = mail -s
|
||||
+mailcmd = mail -E 'set escape' -s
|
||||
|
||||
# Option: mailargs
|
||||
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
|
||||
diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
|
||||
index 325f185b2f..79b841049c 100644
|
||||
--- a/config/action.d/mail-buffered.conf
|
||||
+++ b/config/action.d/mail-buffered.conf
|
||||
@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Output will be buffered until <lines> lines are available.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||
@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
|
||||
These hosts have been banned by Fail2Ban.\n
|
||||
`cat <tmpfile>`
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
|
||||
rm <tmpfile>
|
||||
fi
|
||||
printf %%b "Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
|
||||
These hosts have been banned by Fail2Ban.\n
|
||||
`cat <tmpfile>`
|
||||
\nRegards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
|
||||
rm <tmpfile>
|
||||
fi
|
||||
|
||||
diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
|
||||
index 3a3e56b2c7..d2818cb9b9 100644
|
||||
--- a/config/action.d/mail-whois-lines.conf
|
||||
+++ b/config/action.d/mail-whois-lines.conf
|
||||
@@ -72,7 +72,7 @@ actionunban =
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
-mailcmd = mail -s
|
||||
+mailcmd = mail -E 'set escape' -s
|
||||
|
||||
# Default name of the chain
|
||||
#
|
||||
diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
|
||||
index 7fea34c40d..ab33b616dc 100644
|
||||
--- a/config/action.d/mail-whois.conf
|
||||
+++ b/config/action.d/mail-whois.conf
|
||||
@@ -20,7 +20,7 @@ norestored = 1
|
||||
actionstart = printf %%b "Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||
@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
|
||||
actionstop = printf %%b "Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
|
||||
Here is more information about <ip> :\n
|
||||
`%(_whois_command)s`\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
|
||||
index 5d8c0e154c..f4838ddcb6 100644
|
||||
--- a/config/action.d/mail.conf
|
||||
+++ b/config/action.d/mail.conf
|
||||
@@ -16,7 +16,7 @@ norestored = 1
|
||||
actionstart = printf %%b "Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||
@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
|
||||
actionstop = printf %%b "Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
|
||||
The IP <ip> has just been banned by Fail2Ban after
|
||||
<failures> attempts against <name>.\n
|
||||
Regards,\n
|
||||
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
@@ -0,0 +1,16 @@
|
||||
config BR2_PACKAGE_FAIL2BAN
|
||||
bool "fail2ban"
|
||||
depends on BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3
|
||||
select BR2_PACKAGE_PYTHON_SYSTEMD if BR2_PACKAGE_SYSTEMD
|
||||
help
|
||||
Fail2ban scans log files (e.g. /var/log/apache/error_log) and
|
||||
bans IPs that show the malicious signs -- too many password
|
||||
failures, seeking for exploits, etc. Out of the box Fail2Ban
|
||||
comes with filters for various services (apache, courier,
|
||||
ssh, etc).
|
||||
|
||||
Fail2Ban is able to reduce the rate of incorrect
|
||||
authentications attempts however it cannot eliminate the risk
|
||||
that weak authentication presents.
|
||||
|
||||
https://www.fail2ban.org
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/bin/sh
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
printf "Starting fail2ban: "
|
||||
start-stop-daemon -S -q -m -p /var/run/fail2ban.pid \
|
||||
-b -x fail2ban-server -- -xf start
|
||||
[ $? = 0 ] && echo "OK" || echo "FAIL"
|
||||
;;
|
||||
stop)
|
||||
printf "Stopping fail2ban: "
|
||||
start-stop-daemon -K -q -p /var/run/fail2ban.pid
|
||||
[ $? = 0 ] && echo "OK" || echo "FAIL"
|
||||
;;
|
||||
restart)
|
||||
"$0" stop
|
||||
sleep 1
|
||||
"$0" start
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart}"
|
||||
;;
|
||||
esac
|
||||
@@ -0,0 +1,3 @@
|
||||
# sha256 locally computed
|
||||
sha256 383108e5f8644cefb288537950923b7520f642e7e114efb843f6e7ea9268b1e0 fail2ban-0.11.2.tar.gz
|
||||
sha256 a75fec0260742fe6275d63ff6a5d97b924b28766558306b3fa4069763096929b COPYING
|
||||
@@ -0,0 +1,54 @@
|
||||
################################################################################
|
||||
#
|
||||
# fail2ban
|
||||
#
|
||||
################################################################################
|
||||
|
||||
FAIL2BAN_VERSION = 0.11.2
|
||||
FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
|
||||
FAIL2BAN_LICENSE = GPL-2.0+
|
||||
FAIL2BAN_LICENSE_FILES = COPYING
|
||||
FAIL2BAN_CPE_ID_VENDOR = fail2ban
|
||||
FAIL2BAN_SELINUX_MODULES = fail2ban
|
||||
FAIL2BAN_SETUP_TYPE = distutils
|
||||
|
||||
# 0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch
|
||||
FAIL2BAN_IGNORE_CVES += CVE-2021-32749
|
||||
|
||||
ifeq ($(BR2_PACKAGE_PYTHON3),y)
|
||||
define FAIL2BAN_PYTHON_2TO3
|
||||
$(HOST_DIR)/bin/2to3 --write --nobackups --no-diffs $(@D)/bin/* $(@D)/fail2ban
|
||||
endef
|
||||
FAIL2BAN_DEPENDENCIES += host-python3
|
||||
# We can't use _POST_PATCH_HOOKS because dependencies are not guaranteed
|
||||
# to build and install before _POST_PATCH_HOOKS run.
|
||||
FAIL2BAN_PRE_CONFIGURE_HOOKS += FAIL2BAN_PYTHON_2TO3
|
||||
endif
|
||||
|
||||
define FAIL2BAN_FIX_DEFAULT_CONFIG
|
||||
$(SED) '/^socket/c\socket = /run/fail2ban.sock' $(TARGET_DIR)/etc/fail2ban/fail2ban.conf
|
||||
$(SED) '/^pidfile/c\pidfile = /run/fail2ban.pid' $(TARGET_DIR)/etc/fail2ban/fail2ban.conf
|
||||
$(SED) '/^dbfile/c\dbfile = None' $(TARGET_DIR)/etc/fail2ban/fail2ban.conf
|
||||
endef
|
||||
FAIL2BAN_POST_INSTALL_TARGET_HOOKS += FAIL2BAN_FIX_DEFAULT_CONFIG
|
||||
|
||||
# fail2ban-python points to host python
|
||||
define FAIL2BAN_FIX_FAIL2BAN_PYTHON_SYMLINK
|
||||
ln -snf $(if $(BR2_PACKAGE_PYTHON),python,python3) \
|
||||
$(TARGET_DIR)/usr/bin/fail2ban-python
|
||||
endef
|
||||
FAIL2BAN_POST_INSTALL_TARGET_HOOKS += FAIL2BAN_FIX_FAIL2BAN_PYTHON_SYMLINK
|
||||
|
||||
define FAIL2BAN_INSTALL_INIT_SYSV
|
||||
$(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \
|
||||
$(TARGET_DIR)/etc/init.d/S60fail2ban
|
||||
endef
|
||||
|
||||
define FAIL2BAN_INSTALL_INIT_SYSTEMD
|
||||
$(INSTALL) -D -m 0644 $(@D)/files/fail2ban.service.in \
|
||||
$(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
|
||||
$(SED) 's,@BINDIR@,/usr/bin,g' $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
|
||||
$(SED) '/^PIDFile/c\PIDFile=/run/fail2ban.pid' $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
|
||||
endef
|
||||
|
||||
$(eval $(python-package))
|
||||
Reference in New Issue
Block a user