
A fail2ban security update has been released for openSUSE Leap 15.2, SUSE Linux Enterprise 15 SP1, SUSE Linux Enterprise 15 SP2, and SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2021:1274-1: important: Security update for fail2ban


openSUSE Security Update: Security update for fail2ban
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1274-1
Rating: important
References: #1145181 #1146856 #1180738 #1188610
Cross-References: CVE-2021-32749
CVSS scores:
CVE-2021-32749 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has three fixes
is now available.

Description:

This update for fail2ban fixes the following issues:

- CVE-2021-32749: prevent a command injection via mail command
(boo#1188610)

- Integrate change to resolve boo#1146856 and boo#1180738

Update to 0.11.2

- increased stability, filter and action updates

New Features and Enhancements

* fail2ban-regex:
- speedup formatted output (bypass unneeded stats creation)
- extended with prefregex statistic
- more informative output for `datepattern` (e. g. set from filter) -
pattern : description
* parsing of action in jail-configs considers space between action-names
as separator also (previously only new-line was allowed), for example
`action = a b` would specify 2 actions `a` and `b`
* new filter and jail for GitLab recognizing failed application logins
(gh#fail2ban/fail2ban#2689)
* new filter and jail for Grafana recognizing failed application logins
(gh#fail2ban/fail2ban#2855)
* new filter and jail for SoftEtherVPN recognizing failed application
logins (gh#fail2ban/fail2ban#2723)
* `filter.d/guacamole.conf` extended with `logging` parameter to follow
webapp-logging if it's configured (gh#fail2ban/fail2ban#2631)
* `filter.d/bitwarden.conf` enhanced to support syslog
(gh#fail2ban/fail2ban#2778)
* introduced new prefix `{UNB}` for `datepattern` to disable word
boundaries in regex;
* datetemplate: improved anchor detection for capturing groups `(^...)`;
* datepattern: improved handling of wrongly recognized timestamps
(timezones, no datepattern, etc.) as well as some warnings signaling the user
about an invalid pattern or zone (gh#fail2ban/fail2ban#2814):
- filter gets an in-operation mode, which is activated when the filter starts
processing new messages; in this mode a timestamp read from a
log line that appeared recently (not an old line) and deviates too much
from now (up to 24h) is considered as now (assuming a timezone
issue), which avoids an unexpected bypass of the failure (previously
exceeding `findtime`);
- better interaction with non-matching optional datepattern or invalid
timestamps;
- implements special datepattern `{NONE}`, which allows finding failures
in log messages that have no date-time at all; the filter then uses now
as the timestamp (gh#fail2ban/fail2ban#2802)
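Added illustration (not fail2ban's code and not part of the advisory): a simplified Python model of the in-operation rule described above, showing how a timezone offset pushes freshly logged failures outside `findtime` so that no ban is issued, and how treating such timestamps as now closes that gap. The 60-second tolerance, the function names and the sample timestamps are assumptions made up for this example.

```python
DAY = 24 * 3600
SKEW_TOLERANCE = 60  # assumed value; the changelog only says "deviating too much"


def effective_time(parsed_ts, now, in_operation):
    """Timestamp used for findtime accounting of a line read at `now`."""
    skew = abs(parsed_ts - now)
    if in_operation and SKEW_TOLERANCE < skew <= DAY:
        return now        # treated as a timezone problem, counted as current
    return parsed_ts      # small skew, or too far off to be a timezone offset


def failures_in_window(lines, findtime, in_operation):
    """lines: (read_at, parsed_ts) pairs for one source address, in read order.

    Returns how many failures lie inside findtime when the last line is read.
    """
    last_read = lines[-1][0]
    times = [effective_time(ts, read_at, in_operation) for read_at, ts in lines]
    return sum(1 for t in times if t >= last_read - findtime)


def would_ban(lines, findtime, maxretry, in_operation):
    """True if the failures inside the findtime window reach maxretry."""
    return failures_in_window(lines, findtime, in_operation) >= maxretry


# Constructed sample data: five failed logins read 10 s apart.
T0 = 1_630_000_000
# The log writer's clock is interpreted two hours behind (timezone mismatch).
TZ_SKEWED = [(T0 + 10 * i, T0 + 10 * i - 7200) for i in range(5)]
# Genuinely old lines (three days), e.g. a replayed log file.
STALE = [(T0 + 10 * i, T0 + 10 * i - 3 * DAY) for i in range(5)]

if __name__ == "__main__":
    for name, lines in (("tz-skewed", TZ_SKEWED), ("stale", STALE)):
        for mode in (False, True):
            banned = would_ban(lines, findtime=600, maxretry=5, in_operation=mode)
            print(f"{name:9} in_operation={mode!s:5} ban={banned}")
```

With `findtime = 600` and `maxretry = 5`, the timezone-skewed failures lead to a ban only when the in-operation rule is applied; the three-day-old lines are never counted in either mode.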
* performance optimization of `datepattern` (better search algorithm in
datedetector, especially for single template);
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or
hostname (DNS), gh#fail2ban/fail2ban#2791;
* extended capturing of alternate tags in filter, allowing combine of
multiple groups to single tuple token with new tag prefix `