Bug 259297 - security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability
Summary: security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL: https://github.com/fail2ban/fail2ban/...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-20 09:53 UTC by Yasuhiro Kimura
Modified: 2021-10-27 16:09 UTC (History)

See Also:
theis: maintainer-feedback+
yasu: merge-quarterly+


Attachments
Patch file (9.89 KB, patch)
2021-10-20 09:53 UTC, Yasuhiro Kimura

Description Yasuhiro Kimura freebsd_committer 2021-10-20 09:53:08 UTC
Created attachment 228865
Patch file

* Add upstream patch to fix possible RCE vulnerability
* Switch to DISTVERSION
* Pet portclippy
* Reformat Makefile with portfmt

Obtained from: https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844
Security: CVE-2021-32749
Security: https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
Comment 1 theis 2021-10-20 10:16:42 UTC
Thanks!

About time, upstream releases 0.11.3 or 1.0 :)
Comment 2 theis 2021-10-20 10:45:27 UTC
This is a vulnerability, so please don't wait to merge it quarterly. If that is what the merge-quarterly flag means ...
Comment 3 Yasuhiro Kimura freebsd_committer 2021-10-20 11:19:45 UTC
(In reply to theis from comment #2)

I intended to set merge-quarterly flag to "+". Sorry for doing something confusing.
Comment 4 commit-hook freebsd_committer 2021-10-27 15:49:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=644e5b65b9503bed420885c9fefc8b3941dd009d

commit 644e5b65b9503bed420885c9fefc8b3941dd009d
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2021-10-20 09:42:38 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-27 15:48:14 +0000

    security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability

    * Switch to DISTVERSION
    * Pet portclippy
    * Reformat Makefile with portfmt

    PR:             259297
    Approved by:    maintainer
    Obtained from:  https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844
    MFH:            2021Q4
    Security:       CVE-2021-32749
    Security:       https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
    Differential Revision:  https://reviews.freebsd.org/D32576

 security/py-fail2ban/Makefile                      |  26 ++--
 .../py-fail2ban/files/patch-CVE-2021-32749 (new)   | 158 +++++++++++++++++++++
 2 files changed, 169 insertions(+), 15 deletions(-)
Comment 5 commit-hook freebsd_committer 2021-10-27 15:51:12 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=69221920c9faeff24c581ac1ee6d89ca4f1bbf11

commit 69221920c9faeff24c581ac1ee6d89ca4f1bbf11
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2021-10-20 09:42:38 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-27 15:49:50 +0000

    security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability

    * Switch to DISTVERSION
    * Pet portclippy
    * Reformat Makefile with portfmt

    PR:             259297
    Approved by:    maintainer
    Obtained from:  https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844
    MFH:            2021Q4
    Security:       CVE-2021-32749
    Security:       https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
    Differential Revision:  https://reviews.freebsd.org/D32576

    (cherry picked from commit 644e5b65b9503bed420885c9fefc8b3941dd009d)

 security/py-fail2ban/Makefile                      |  26 ++--
 .../py-fail2ban/files/patch-CVE-2021-32749 (new)   | 158 +++++++++++++++++++++
 2 files changed, 169 insertions(+), 15 deletions(-)