Summary: The upstream DenyHosts project which is referenced in security/denyhosts is no longer maintained on SourceForge and the old code contains some security flaws. An extension/fork of the project with most of the original maintainers is available here: https://github.com/denyhosts/denyhosts I believe the FreeBSD port should be updated to use the fresher upstream source code, which is now at DenyHosts version 2.10 (the existing port uses 2.6).
Thanks for notification. I'll update this port ASAP.
Any activity for this to be updated to use the new upstream?
Created attachment 170896 Patch to change upstream and update to latest version This patch switches the upstream source to the new DenyHosts project where active development and bug fixes are being applied. This patch also cleans up the port, removing patches that have been applied upstream.
Comment on attachment 170896 Patch to change upstream and update to latest version @jsmith, two issues with your patch: 1. Why disable rc subr? -USE_RC_SUBR= denyhosts +# USE_RC_SUBR= denyhosts 2. Forgot the new dependency on devel/py-ipaddr.
@sunpoet: could you check last patch? If not, I am willing to give it a spin on my poudrieres.
ping!
Is this still relevant?
There is an issue of "Will the real denyhost[s] please stand up?" here. The URL you changed pkg-descr to says it is an obsolete fork of denyhosts which was merged back into the main denyhosts distribution (which doesn't seem to have happened, but that's a different issue). There is also another version around which has a description of "A friendly fork of denyhosts" but I don't have the URL handy. IMHO, we need to figure out which one of the 3 or more denyhost[s] is going to resume active development (preferably with built-in Python 3 support, which the patch in this PR doesn't seem to address) and go with that one. I am following all of the denyhosts PRs to see if there's any activity by other users here. If anyone has any experience with any of the 3 denyhost[s] working with Python 3, that would be good to know, and possibly point us toward which one we're going to have in ports. [Doing my bit to drag the ports tree into Python 3 compatibility 8-]
There are indeed three projects called DenyHosts (or DenyHost) and I believe I can help sort out who is who. 1. The original DenyHosts (denyhosts.sf.net) has been dead for about 10 years. There is no active development there at all. 2. A fork called DenyHost (denyhost.sf.net) was set up to fix bugs, maintain the Python 2 code base, and get the sync server up and running. This project later merged with #3... 3. The DenyHosts project at GitHub (https://github.com/denyhosts/denyhosts). This is the only active fork of DenyHosts and a continuation/merge of #2. This one should be considered the upstream source for DenyHosts as it is the only one actively maintained and it has been ported to Python 3.
(In reply to jsmith from comment #9) There is at least one other one, but I can't find it now. In any event, the patch in this PR seems to be using the version you are referring to, but the patch fails to apply cleanly to a current ports tree and when that is (I think) fixed up, the port still has a dependency on Python 2.7 even if the upstream works with Python 3. Can you re-generate the patch against a current ports tree and make sure the port then builds cleanly with either Python 2.7 or 3.6, and also address the issues in comment #4? If you don't have the time right now, let me know and I'll take a shot at it. Thanks!
I don't think I'm the right person to rework the patch. I submitted this four years ago when I was working on porting DenyHosts to Python 3, but I haven't been involved with the upstream project since that work completed.
Please try the WIP patch. https://people.FreeBSD.org/~sunpoet/patch/security-denyhosts.txt
(In reply to Sunpoet Po-Chuan Hsieh from comment #12) There still seems to be something wrong with this patch, or I'm being dense. Doing a "make install" puts a denyhosts.conf.sample in /usr/local/etc which does not seem to have all of the changes needed for FreeBSD applied. In particular, the sample file does not have the "hosts.deniedssh" change (and probably others). Looking in work-py36/denyhosts-3.1 I don't see any .orig files which I would expect to see based on the patches in the files directory. But I do get "Applying FreeBSD patches for denyhosts-py36-3.1" when building. Can you take a look at the port after this patch is applied and see if there is a problem applying the port patches, and also do a "make install" and see if the problem I'm reporting with denyhosts.conf also shows up for you?
(In reply to Terry Kennedy from comment #13) Also, all of the other versioned/flavored ports that I use install as py36-foo, while this port installs as denyhosts-py36. Is the prefix / suffix interchange intentional?
(In reply to Terry Kennedy from comment #13) It's a WIP patch based on jsmith's one. denyhosts.conf patch added in https://people.FreeBSD.org/~sunpoet/patch/security-denyhosts-v2.txt (In reply to Terry Kennedy from comment #14) It's intentional. I use suffix here because it's not a python library. - pyXX- prefix for python libraries. - -pyXX suffix for applications.
(In reply to Sunpoet Po-Chuan Hsieh from comment #15) After applying your v2 patch, I had to manually remove files/patch-denyhosts.cfg-dist as it was "left over" and does not apply to denyhosts 3 (grumble about gratuitous upstream renaming 8-). This version then builds, installs and starts. I have it running in test on one system and will add it to more if things look good over the next few days. Regarding prefix / suffix, I just wanted to check as it looked unusual. Thanks!
(In reply to Terry Kennedy from comment #16) So, not so good. There is at least one un-subst'd %%PREFIX%% in the installed package - in /var/log/denyhosts I see: 2019-08-29 23:31:16,943 - prefs : INFO WORK_DIR: [/var/log/%%PREFIX%%/share/denyhosts/data] 2019-08-29 23:31:16,945 - AllowedHosts: WARNING Couldn't load warned hosts from /var/log/%%PREFIX%%/share/denyhosts/data/allowed-warned-hosts This seems to be coming from /usr/local/etc/denyhosts.conf - #WORK_DIR = /var/lib/denyhosts WORK_DIR = %%PREFIX%%/share/denyhosts/data I have changed %%PREFIX%% to /usr/local, cleaned up the logfile and work_dir data, and have restarted denyhosts. I will continue to monitor.
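The unsubstituted %%PREFIX%% reported above is the kind of defect a quick post-install scan catches before the daemon is started with a bogus WORK_DIR. The following is an added example written for this page, not code from the PR, the port, or DenyHosts: a small POSIX sh check that greps installed files for any %%NAME%% token left behind by SUB_FILES/SUB_LIST expansion. The file contents in demo() are constructed from the config lines quoted in the comment; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PR or the denyhosts port): scan installed
# files for %%NAME%% placeholders that the port should have substituted.

# Print every matching line as file:line:text. grep exits 0 if at least
# one placeholder was found, 1 if none, so callers can branch on it.
find_unsubst_placeholders() {
    grep -H -n -E '%%[A-Za-z_][A-Za-z0-9_]*%%' "$@" 2>/dev/null
}

# Return 0 when the given files are clean, 1 when a placeholder remains.
check_clean() {
    if find_unsubst_placeholders "$@" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample mimicking the denyhosts.conf lines from the report:
# one commented-out default, one unsubstituted %%PREFIX%%, one good line.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
#WORK_DIR = /var/lib/denyhosts
WORK_DIR = %%PREFIX%%/share/denyhosts/data
HOSTS_DENY = /etc/hosts.deniedssh
EOF
    # Show what a packager would see: the offending line, numbered.
    find_unsubst_placeholders "$tmp" || true
    check_clean "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In practice you would run check_clean over the files listed in the port's pkg-plist after a staged install (for example the installed denyhosts.conf and the rc script) and fail the build if it returns 1; the same grep also flags a second copy of the config landing outside PREFIX if you pass both /etc and ${PREFIX}/etc paths.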
(In reply to Terry Kennedy from comment #17) Ugh. The port installs an /etc/denyhosts.conf as well as /usr/local/etc/denyhosts.conf. It appears that the one in /usr/local/etc is the one that is used, I think.
With the above few changes, this seems to be working here (tested on 2 systems). Syncing downloads new hosts from the sync server hourly, etc. So, count this as a "looks good to me" vote.
@Terry, Thanks for your testing. Please try the new one [1]. I've prepended the "svn status" result in the beginning of the patch. [1] https://people.FreeBSD.org/~sunpoet/patch/security-denyhosts-v3.txt
A commit references this bug: Author: sunpoet Date: Tue Oct 1 19:17:01 UTC 2019 New revision: 513524 URL: https://svnweb.freebsd.org/changeset/ports/513524 Log: Update to 3.1 - Change MASTER_SITES from SF to GitHub - Add LICENSE_FILE - Relax USES=python - Update CPE - Update WWW Changes: https://github.com/denyhosts/denyhosts/releases PR: 200837 (based on) Submitted by: Jesse Smith <jsmith@resonatingmedia.com> Changes: head/security/denyhosts/Makefile head/security/denyhosts/distinfo head/security/denyhosts/files/patch-DenyHosts__regex.py head/security/denyhosts/files/patch-daemon-control-dist head/security/denyhosts/files/patch-denyhosts.cfg-dist head/security/denyhosts/files/patch-denyhosts.conf head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py head/security/denyhosts/files/patch-setup.py head/security/denyhosts/pkg-descr head/security/denyhosts/pkg-plist
Committed. Thanks!