From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001

From: sebres <serg.brester@sebres.de>

Date: Mon, 21 Jun 2021 17:12:53 +0200

Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable

 (default tilde) stops consider "~" char after new-line as composing escape

 sequence

---

 config/action.d/complain.conf         | 2 +-

 config/action.d/dshield.conf          | 2 +-

 config/action.d/mail-buffered.conf    | 8 ++++----

 config/action.d/mail-whois-lines.conf | 2 +-

 config/action.d/mail-whois.conf       | 6 +++---

 config/action.d/mail.conf             | 6 +++---

 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git config/action.d/complain.conf config/action.d/complain.conf

index 3a5f882c..4d73b058 100644

--- config/action.d/complain.conf

+++ config/action.d/complain.conf

@@ -102,7 +102,7 @@ logpath = /dev/null

 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient

 # Values:  CMD

 #

-mailcmd = mail -s

+mailcmd = mail -E 'set escape' -s

 # Option:  mailargs

 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:

diff --git config/action.d/dshield.conf config/action.d/dshield.conf

index c128bef3..3d5a7a53 100644

--- config/action.d/dshield.conf

+++ config/action.d/dshield.conf

@@ -179,7 +179,7 @@ tcpflags =

 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient

 # Values:  CMD

 #

-mailcmd = mail -s

+mailcmd = mail -E 'set escape' -s

 # Option:  mailargs

 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:

diff --git config/action.d/mail-buffered.conf config/action.d/mail-buffered.conf

index 325f185b..79b84104 100644

--- config/action.d/mail-buffered.conf

+++ config/action.d/mail-buffered.conf

@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n

               The jail <name> has been started successfully.\n

               Output will be buffered until <lines> lines are available.\n

               Regards,\n

-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

 # Option:  actionstop

 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)

@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then

                  These hosts have been banned by Fail2Ban.\n

                  `cat <tmpfile>`

                  Regards,\n

-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>

+                 Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>

                  rm <tmpfile>

              fi

              printf %%b "Hi,\n

              The jail <name> has been stopped.\n

              Regards,\n

-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

 # Option:  actioncheck

 # Notes.:  command executed once before each actionban command

@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>

                 These hosts have been banned by Fail2Ban.\n

                 `cat <tmpfile>`

                 \nRegards,\n

-                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>

+                Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>

                 rm <tmpfile>

             fi

diff --git config/action.d/mail-whois-lines.conf config/action.d/mail-whois-lines.conf

index 3a3e56b2..d2818cb9 100644

--- config/action.d/mail-whois-lines.conf

+++ config/action.d/mail-whois-lines.conf

@@ -72,7 +72,7 @@ actionunban =

 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient

 # Values:  CMD

 #

-mailcmd = mail -s

+mailcmd = mail -E 'set escape' -s

 # Default name of the chain

 #

diff --git config/action.d/mail-whois.conf config/action.d/mail-whois.conf

index 7fea34c4..ab33b616 100644

--- config/action.d/mail-whois.conf

+++ config/action.d/mail-whois.conf

@@ -20,7 +20,7 @@ norestored = 1

 actionstart = printf %%b "Hi,\n

               The jail <name> has been started successfully.\n

               Regards,\n

-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

 # Option:  actionstop

 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)

@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n

 actionstop = printf %%b "Hi,\n

              The jail <name> has been stopped.\n

              Regards,\n

-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

 # Option:  actioncheck

 # Notes.:  command executed once before each actionban command

@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n

             Here is more information about <ip> :\n

             `%(_whois_command)s`\n

             Regards,\n

-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

+            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

 # Option:  actionunban

 # Notes.:  command executed when unbanning an IP. Take care that the

diff --git config/action.d/mail.conf config/action.d/mail.conf

index 5d8c0e15..f4838ddc 100644

--- config/action.d/mail.conf

+++ config/action.d/mail.conf

@@ -16,7 +16,7 @@ norestored = 1

 actionstart = printf %%b "Hi,\n

               The jail <name> has been started successfully.\n

               Regards,\n

-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>

+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>

 # Option:  actionstop

 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)

@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n

 actionstop = printf %%b "Hi,\n

              The jail <name> has been stopped.\n

              Regards,\n

-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

 # Option:  actioncheck

 # Notes.:  command executed once before each actionban command

@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n

             The IP <ip> has just been banned by Fail2Ban after

             <failures> attempts against <name>.\n

             Regards,\n

-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

+            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

 # Option:  actionunban

 # Notes.:  command executed when unbanning an IP. Take care that the

-- 

2.33.1

--- config/filter.d/bsd-sendmail.conf.orig	2015-11-03 04:11:30 UTC

+++ config/filter.d/bsd-sendmail.conf

@@ -0,0 +1,35 @@

+# Fail2Ban configuration file

+#

+# Source: http://www.the-art-of-web.com/system/fail2ban-sendmail

+# Contributors: Gutza, the SASL regex

+#

+# $Revision$

+

+[INCLUDES]

+

+# Read common prefixes. If any customizations available -- read them from

+# common.local

+before = common.conf

+

+[Definition]

+

+# Option:  failregex

+# Notes.:  regex to match the password failures messages in the logfile. 

+#          The host must be matched by a group named "host". 

+#          The tag "<HOST>" can be used for standard IP/hostname matching

+#          and is only an alias for (':::f{4,6}:)?(?P<host>\S+)

+# Values:  TEXT

+

+failregex = \[<HOST>\] .*to MTA

+#           \[<HOST>\] \(may be forged\)

+            \[<HOST>\], reject.*\.\.\. Relaying denied

+            (User unknown)\n* \[<HOST>\]

+            badlogin: .* \[<HOST>\] plaintext .* SASL

+            \[<HOST>\]: possible SMTP attack:

+

+# Option:  ignoreregex

+# Notes.:  regex to ignore. If this regex matces, the line is ignored.

+# Values:  TEXT

+

+ignoreregex = 

+

--- config/filter.d/bsd-sshd.conf.orig	2020-03-27 11:15:56 UTC

+++ config/filter.d/bsd-sshd.conf

@@ -0,0 +1,41 @@

+# Fail2Ban configuration file

+#

+# Author: Cyril Jaquier

+#

+# $Revision: 663 $

+#

+

+[INCLUDES]

+

+# Read common prefixes. If any customizations available -- read them from

+# common.local

+before = common.conf

+

+

+[Definition]

+

+_daemon = sshd

+

+# Option:  failregex

+# Notes.:  regex to match the password failures messages in the logfile. The

+#          host must be matched by a group named "host". The tag "<HOST>" can

+#          be used for standard IP/hostname matching and is only an alias for

+#          (?:::f{4,6}:)?(?P<host>\S+)

+# Values:  TEXT

+#

+failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from <HOST>\s*$

+            ^%(__prefix_line)sDid not receive identification string from <HOST>$

+            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

+            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$

+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$

+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST> port \d*$

+            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$

+            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

+            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$

+            ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!$

+

+# Option:  ignoreregex

+# Notes.:  regex to ignore. If this regex matches, the line is ignored.

+# Values:  TEXT

+#

+ignoreregex = 

From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001

From: "Sergey G. Brester" <serg.brester@sebres.de>

Date: Mon, 8 Feb 2021 17:19:24 +0100

Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes`

 moved to the :mod:`collections.abc` module

(since 3.10-alpha.5 `MutableMapping` is missing in collections module)

---

 fail2ban/server/action.py | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git fail2ban/server/action.py fail2ban/server/action.py

index 3bc48fe0..f0f1e6f5 100644

--- fail2ban/server/action.py

+++ fail2ban/server/action.py

@@ -30,7 +30,10 @@ import tempfile

 import threading

 import time

 from abc import ABCMeta

-from collections import MutableMapping

+try:

+	from collections.abc import MutableMapping

+except ImportError:

+	from collections import MutableMapping

 from .failregex import mapTag2Opt

 from .ipdns import DNSUtils

-- 

2.32.0

From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001

From: "Sergey G. Brester" <serg.brester@sebres.de>

Date: Mon, 8 Feb 2021 17:25:45 +0100

Subject: [PATCH] amend for `Mapping`

---

 fail2ban/server/actions.py | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git fail2ban/server/actions.py fail2ban/server/actions.py

index b7b95b44..897d907c 100644

--- fail2ban/server/actions.py

+++ fail2ban/server/actions.py

@@ -28,7 +28,10 @@ import logging

 import os

 import sys

 import time

-from collections import Mapping

+try:

+	from collections.abc import Mapping

+except ImportError:

+	from collections import Mapping

 try:

 	from collections import OrderedDict

 except ImportError:

-- 

2.32.0

From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001

From: "Sergey G. Brester" <serg.brester@sebres.de>

Date: Mon, 8 Feb 2021 17:35:59 +0100

Subject: [PATCH] amend for `Mapping` (jails)

---

 fail2ban/server/jails.py | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git fail2ban/server/jails.py fail2ban/server/jails.py

index 972a8c4b..27e12ddf 100644

--- fail2ban/server/jails.py

+++ fail2ban/server/jails.py

@@ -22,7 +22,10 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko"

 __license__ = "GPL"

 from threading import Lock

-from collections import Mapping

+try:

+	from collections.abc import Mapping

+except ImportError:

+	from collections import Mapping

 from ..exceptions import DuplicateJailException, UnknownJailException

 from .jail import Jail

-- 

2.32.0

--- setup.py.orig	2020-11-23 20:43:03 UTC

+++ setup.py

@@ -39,14 +39,7 @@ from distutils.command.build_scripts import build_scri

 if setuptools is None:

 	from distutils.command.install import install

 	from distutils.command.install_scripts import install_scripts

-try:

-	# python 3.x

-	from distutils.command.build_py import build_py_2to3

-	from distutils.command.build_scripts import build_scripts_2to3

-	_2to3 = True

-except ImportError:

-	# python 2.x

-	_2to3 = False

+_2to3 = False

 import os

 from os.path import isfile, join, isdir, realpath

@@ -186,7 +179,6 @@ commands.'''

 if setuptools:

 	setup_extra = {

 		'test_suite': "fail2ban.tests.utils.gatherTests",

-		'use_2to3': True,

 	}

 else:

 	setup_extra = {}

-