Package: guix-patches;
Reported by: muradm <mail <at> muradm.net>
Date: Fri, 15 Jul 2022 18:18:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 56579 in the body.
You can then email your comments to 56579 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Fri, 15 Jul 2022 18:18:02 GMT) Full text and rfc822 format available.muradm <mail <at> muradm.net>:guix-patches <at> gnu.org.
(Fri, 15 Jul 2022 18:18:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: muradm <mail <at> muradm.net> To: guix-patches <at> gnu.org Subject: [PATCH] gnu: admin: Add fail2ban 0.11.2. Date: Fri, 15 Jul 2022 21:17:03 +0300
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 195 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 +++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 571 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..1a342728fa 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,195 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (substitute* "fail2ban/tests/utils.py"
+ (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "")
+ (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "")
+ (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "")
+ (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") ""))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (for-each delete-file
+ '("config/paths-arch.conf"
+ "config/paths-debian.conf"
+ "config/paths-fedora.conf"
+ "config/paths-freebsd.conf"
+ "config/paths-opensuse.conf"
+ "config/paths-osx.conf"
+ "config/action.d/apf.conf"
+ "config/action.d/bsd-ipfw.conf"
+ "config/action.d/dshield.conf"
+ "config/action.d/ipfilter.conf"
+ "config/action.d/ipfw.conf"
+ "config/action.d/firewallcmd-allports.conf"
+ "config/action.d/firewallcmd-common.conf"
+ "config/action.d/firewallcmd-ipset.conf"
+ "config/action.d/firewallcmd-multiport.conf"
+ "config/action.d/firewallcmd-new.conf"
+ "config/action.d/firewallcmd-rich-logging.conf"
+ "config/action.d/firewallcmd-rich-rules.conf"
+ "config/action.d/osx-afctl.conf"
+ "config/action.d/osx-ipfw.conf"
+ "config/action.d/pf.conf"
+ "config/action.d/nginx-block-map.conf"
+ "config/action.d/npf.conf"
+ "config/action.d/shorewall.conf"
+ "config/action.d/shorewall-ipset-proto6.conf"
+ "config/action.d/ufw.conf"))
+ (let* ((awk (assoc-ref inputs "gawk"))
+ (awk (string-append awk "/bin/awk"))
+ (bind-utils (assoc-ref inputs "bind"))
+ (dig (string-append bind-utils "/bin/dig"))
+ (nsupdate (string-append bind-utils "/bin/nsupdate"))
+ (coreutils (assoc-ref inputs "coreutils"))
+ (cat (string-append coreutils "/bin/cat"))
+ (cut (string-append coreutils "/bin/cut"))
+ (date (string-append coreutils "/bin/date"))
+ (echo (string-append coreutils "/bin/echo"))
+ (head (string-append coreutils "/bin/head"))
+ (id (string-append coreutils "/bin/id"))
+ (printf (string-append coreutils "/bin/printf"))
+ (rm (string-append coreutils "/bin/rm"))
+ (tail (string-append coreutils "/bin/tail"))
+ (test (string-append coreutils "/bin/test"))
+ (touch (string-append coreutils "/bin/touch"))
+ (tr (string-append coreutils "/bin/tr"))
+ (truncate (string-append coreutils "/bin/truncate"))
+ (wc (string-append coreutils "/bin/wc"))
+ (curl (assoc-ref inputs "curl"))
+ (curl (string-append curl "/bin/curl"))
+ (grep (assoc-ref inputs "grep"))
+ (grep (string-append grep "/bin/grep"))
+ (jq (assoc-ref inputs "jq"))
+ (jq (string-append jq "/bin/jq"))
+ (iproute2 (assoc-ref inputs "iproute2"))
+ (ip (string-append iproute2 "/bin/ip"))
+ (ipset (assoc-ref inputs "ipset"))
+ (ipset (string-append ipset "/sbin/ipset"))
+ (iptables (assoc-ref inputs "iptables"))
+ (ip6tables (string-append iptables "/sbin/ip6tables"))
+ (iptables (string-append iptables "/sbin/iptables"))
+ (nft (assoc-ref inputs "nftables"))
+ (nft (string-append nft "/sbin/nft"))
+ (perl (assoc-ref inputs "perl"))
+ (perl (string-append nft "/bin/perl"))
+ (sed (assoc-ref inputs "sed"))
+ (sed (string-append sed "/bin/sed"))
+ (sendmail (assoc-ref inputs "sendmail"))
+ (sendmail (string-append sed "/sbin/sendmail"))
+ (whois (assoc-ref inputs "whois"))
+ (whois (string-append whois "/bin/whois")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with mailcmd = mail ...
+ ;; TODO: deal with geoiplookup ..
+ (("awk") awk)
+ (("cat ") (string-append cat " "))
+ (("curl") curl)
+ (("cut -d") (string-append cut " -d"))
+ ((" date ") (string-append " " date " "))
+ (("`date`") (string-append "`" date "`"))
+ (("dig") dig)
+ (("echo ") (string-append echo " "))
+ (("grep ") (string-append grep " "))
+ (("head ") (string-append head " "))
+ (("id -") (string-append id " -"))
+ (("ip -4 addr") (string-append ip " -4 addr"))
+ (("ip -6 addr") (string-append ip " -6 addr"))
+ (("ip route") (string-append ip " route"))
+ (("ipset ") (string-append ipset " "))
+ (("iptables <") (string-append iptables " <"))
+ (("ip6tables <") (string-append ip6tables " <"))
+ (("jq") jq)
+ (("/usr/bin/nsupdate") nsupdate)
+ (("nftables = nft") (string-append "nftables = " nft))
+ (("perl -e") (string-append perl " -e"))
+ (("printf ") (string-append printf " "))
+ ((" rm ") (string-append " " rm " "))
+ ((" sed ") (string-append " " sed " "))
+ (("/usr/sbin/sendmail") sendmail)
+ ((" tail ") (string-append " " tail " "))
+ (("test -e") (string-append test " -e"))
+ ((" touch ") (string-append " " touch " "))
+ ((" tr ") (string-append " " tr " "))
+ (("wc ") (string-append wc " "))
+ (("_whois = whois") (string-append "_whois = " whois))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester <at> sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove('bin/fail2ban-testcases')
+
+@@ -178,7 +168,6 @@ def run(self):
+ if setuptools:
+ setup_extra = {
+ 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+ }
+ else:
+ setup_extra = {}
+@@ -202,9 +191,6 @@ def run(self):
+ ('/usr/share/doc/fail2ban', doc_files)
+ )
+
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+
+ setup(
+ name = "fail2ban",
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
new file mode 100644
index 0000000000..91d973e72e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
@@ -0,0 +1,48 @@
+From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Mon, 4 Jan 2021 02:42:38 +0100
+Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for
+ tests, considering interval from 2005 (alternate now) to now; + better
+ grouping algorithm for resulting century RE
+
+---
+ fail2ban/server/strptime.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 1464a96d1f..39fc795865 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo
+ Thereby respect possible run in the test-cases (alternate date used there)
+ """
+ cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t]
++ def grp(exprset):
++ c = None
++ if len(exprset) > 1:
++ for i in exprset:
++ if c is None or i[0:-1] == c:
++ c = i[0:-1]
++ else:
++ c = None
++ break
++ if not c:
++ for i in exprset:
++ if c is None or i[0] == c:
++ c = i[0]
++ else:
++ c = None
++ break
++ if c:
++ return "%s%s" % (c, grp([i[len(c):] for i in exprset]))
++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \
++ if len(exprset) > 1 else "".join(exprset)
+ exprset = set( cent(now[0].year + i) for i in (-1, distance) )
+ if len(now) and now[1]:
+- exprset |= set( cent(now[1].year + i) for i in (-1, distance) )
+- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset)
++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )
++ return grp(sorted(list(exprset)))
+
+ timeRE = TimeRE()
+
diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
new file mode 100644
index 0000000000..8c2a5747ba
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
@@ -0,0 +1,32 @@
+From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001
+From: muradm <mail <at> muradm.net>
+Date: Fri, 15 Jul 2022 20:08:14 +0300
+Subject: [PATCH] Add paths-guix.conf file.
+
+---
+ config/paths-guix.conf | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+ create mode 100644 config/paths-guix.conf
+
+diff --git a/config/paths-guix.conf b/config/paths-guix.conf
+new file mode 100644
+index 00000000..b4a2e9f5
+--- /dev/null
++++ b/config/paths-guix.conf
+@@ -0,0 +1,13 @@
++# Guix
++
++[INCLUDES]
++
++before = paths-common.conf
++after = paths-overrides.local
++
++
++[DEFAULT]
++
++syslog_authpriv = /var/log/secure
++syslog_mail = /var/log/maillog
++syslog_mail_warn = /var/log/maillog
+--
+2.36.1
+
diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch
new file mode 100644
index 0000000000..723d7f7aa6
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-action.patch
@@ -0,0 +1,27 @@
+From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:19:24 +0100
+Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes`
+ moved to the :mod:`collections.abc` module
+
+(since 3.10-alpha.5 `MutableMapping` is missing in collections module)
+---
+ fail2ban/server/action.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 3bc48fe046..f0f1e6f59a 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -30,7 +30,10 @@
+ import threading
+ import time
+ from abc import ABCMeta
+-from collections import MutableMapping
++try:
++ from collections.abc import MutableMapping
++except ImportError:
++ from collections import MutableMapping
+
+ from .failregex import mapTag2Opt
+ from .ipdns import DNSUtils
diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch
new file mode 100644
index 0000000000..e31316d28b
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch
@@ -0,0 +1,25 @@
+From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:25:45 +0100
+Subject: [PATCH] amend for `Mapping`
+
+---
+ fail2ban/server/actions.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index b7b95b445a..897d907c1a 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -28,7 +28,10 @@
+ import os
+ import sys
+ import time
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+ try:
+ from collections import OrderedDict
+ except ImportError:
diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch
new file mode 100644
index 0000000000..e5873c415e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch
@@ -0,0 +1,25 @@
+From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:35:59 +0100
+Subject: [PATCH] amend for `Mapping` (jails)
+
+---
+ fail2ban/server/jails.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py
+index 972a8c4bd2..27e12ddf65 100644
+--- a/fail2ban/server/jails.py
++++ b/fail2ban/server/jails.py
+@@ -22,7 +22,10 @@
+ __license__ = "GPL"
+
+ from threading import Lock
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+
+ from ..exceptions import DuplicateJailException, UnknownJailException
+ from .jail import Jail
--
2.36.1
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Fri, 15 Jul 2022 19:03:01 GMT) Full text and rfc822 format available.Message #8 received at 56579 <at> debbugs.gnu.org (full text, mbox):
From: muradm <mail <at> muradm.net> To: 56579 <at> debbugs.gnu.org Subject: [PATCH v2] gnu: admin: Add fail2ban 0.11.2. Date: Fri, 15 Jul 2022 22:02:46 +0300
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 181 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 557 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..183d0a0cb5 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,181 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (substitute* "fail2ban/tests/utils.py"
+ (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "")
+ (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "")
+ (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "")
+ (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") ""))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (for-each delete-file
+ '("config/paths-arch.conf"
+ "config/paths-debian.conf"
+ "config/paths-fedora.conf"
+ "config/paths-freebsd.conf"
+ "config/paths-opensuse.conf"
+ "config/paths-osx.conf"
+ "config/action.d/apf.conf"
+ "config/action.d/bsd-ipfw.conf"
+ "config/action.d/dshield.conf"
+ "config/action.d/ipfilter.conf"
+ "config/action.d/ipfw.conf"
+ "config/action.d/firewallcmd-allports.conf"
+ "config/action.d/firewallcmd-common.conf"
+ "config/action.d/firewallcmd-ipset.conf"
+ "config/action.d/firewallcmd-multiport.conf"
+ "config/action.d/firewallcmd-new.conf"
+ "config/action.d/firewallcmd-rich-logging.conf"
+ "config/action.d/firewallcmd-rich-rules.conf"
+ "config/action.d/osx-afctl.conf"
+ "config/action.d/osx-ipfw.conf"
+ "config/action.d/pf.conf"
+ "config/action.d/nginx-block-map.conf"
+ "config/action.d/npf.conf"
+ "config/action.d/shorewall.conf"
+ "config/action.d/shorewall-ipset-proto6.conf"
+ "config/action.d/ufw.conf"))
+ (let* ((awk (search-input-file inputs "/bin/awk"))
+ (cat (search-input-file inputs "/bin/cat"))
+ (curl (search-input-file inputs "/bin/curl"))
+ (cut (search-input-file inputs "/bin/cut"))
+ (date (search-input-file inputs "/bin/date"))
+ (dig (search-input-file inputs "/bin/dig"))
+ (echo (search-input-file inputs "/bin/echo"))
+ (grep (search-input-file inputs "/bin/grep"))
+ (head (search-input-file inputs "/bin/head"))
+ (id (search-input-file inputs "/bin/id"))
+ (ip (search-input-file inputs "/sbin/ip"))
+ (ipset (search-input-file inputs "/sbin/ipset"))
+ (ip6tables (search-input-file inputs "/sbin/ip6tables"))
+ (iptables (search-input-file inputs "/sbin/iptables"))
+ (jq (search-input-file inputs "/bin/jq"))
+ (nft (search-input-file inputs "/sbin/nft"))
+ (nsupdate (search-input-file inputs "/bin/nsupdate"))
+ (perl (search-input-file inputs "/bin/perl"))
+ (printf (search-input-file inputs "/bin/printf"))
+ (rm (search-input-file inputs "/bin/rm"))
+ (sed (search-input-file inputs "/bin/sed"))
+ (sendmail (search-input-file inputs "/sbin/sendmail"))
+ (tail (search-input-file inputs "/bin/tail"))
+ (test (search-input-file inputs "/bin/test"))
+ (touch (search-input-file inputs "/bin/touch"))
+ (tr (search-input-file inputs "/bin/tr"))
+ (truncate (search-input-file inputs "/bin/truncate"))
+ (wc (search-input-file inputs "/bin/wc"))
+ (whois (search-input-file inputs "/bin/whois")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("awk") awk)
+ (("cat ") (string-append cat " "))
+ (("curl") curl)
+ (("cut -d") (string-append cut " -d"))
+ ((" date ") (string-append " " date " "))
+ (("`date`") (string-append "`" date "`"))
+ (("dig") dig)
+ (("echo ") (string-append echo " "))
+ (("grep ") (string-append grep " "))
+ (("head ") (string-append head " "))
+ (("id -") (string-append id " -"))
+ (("ip -4 addr") (string-append ip " -4 addr"))
+ (("ip -6 addr") (string-append ip " -6 addr"))
+ (("ip route") (string-append ip " route"))
+ (("ipset ") (string-append ipset " "))
+ (("iptables <") (string-append iptables " <"))
+ (("ip6tables <") (string-append ip6tables " <"))
+ (("jq") jq)
+ (("/usr/bin/nsupdate") nsupdate)
+ (("mail -E") (string-append sendmail " -E"))
+ (("nftables = nft") (string-append "nftables = " nft))
+ (("perl -e") (string-append perl " -e"))
+ (("printf ") (string-append printf " "))
+ ((" rm ") (string-append " " rm " "))
+ ((" sed ") (string-append " " sed " "))
+ (("/usr/sbin/sendmail") sendmail)
+ ((" tail ") (string-append " " tail " "))
+ (("test -e") (string-append test " -e"))
+ ((" touch ") (string-append " " touch " "))
+ ((" tr ") (string-append " " tr " "))
+ (("wc ") (string-append wc " "))
+ (("_whois = whois") (string-append "_whois = " whois))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester <at> sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove('bin/fail2ban-testcases')
+
+@@ -178,7 +168,6 @@ def run(self):
+ if setuptools:
+ setup_extra = {
+ 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+ }
+ else:
+ setup_extra = {}
+@@ -202,9 +191,6 @@ def run(self):
+ ('/usr/share/doc/fail2ban', doc_files)
+ )
+
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+
+ setup(
+ name = "fail2ban",
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
new file mode 100644
index 0000000000..91d973e72e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
@@ -0,0 +1,48 @@
+From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Mon, 4 Jan 2021 02:42:38 +0100
+Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for
+ tests, considering interval from 2005 (alternate now) to now; + better
+ grouping algorithm for resulting century RE
+
+---
+ fail2ban/server/strptime.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 1464a96d1f..39fc795865 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo
+ Thereby respect possible run in the test-cases (alternate date used there)
+ """
+ cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t]
++ def grp(exprset):
++ c = None
++ if len(exprset) > 1:
++ for i in exprset:
++ if c is None or i[0:-1] == c:
++ c = i[0:-1]
++ else:
++ c = None
++ break
++ if not c:
++ for i in exprset:
++ if c is None or i[0] == c:
++ c = i[0]
++ else:
++ c = None
++ break
++ if c:
++ return "%s%s" % (c, grp([i[len(c):] for i in exprset]))
++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \
++ if len(exprset) > 1 else "".join(exprset)
+ exprset = set( cent(now[0].year + i) for i in (-1, distance) )
+ if len(now) and now[1]:
+- exprset |= set( cent(now[1].year + i) for i in (-1, distance) )
+- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset)
++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )
++ return grp(sorted(list(exprset)))
+
+ timeRE = TimeRE()
+
diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
new file mode 100644
index 0000000000..8c2a5747ba
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
@@ -0,0 +1,32 @@
+From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001
+From: muradm <mail <at> muradm.net>
+Date: Fri, 15 Jul 2022 20:08:14 +0300
+Subject: [PATCH] Add paths-guix.conf file.
+
+---
+ config/paths-guix.conf | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+ create mode 100644 config/paths-guix.conf
+
+diff --git a/config/paths-guix.conf b/config/paths-guix.conf
+new file mode 100644
+index 00000000..b4a2e9f5
+--- /dev/null
++++ b/config/paths-guix.conf
+@@ -0,0 +1,13 @@
++# Guix
++
++[INCLUDES]
++
++before = paths-common.conf
++after = paths-overrides.local
++
++
++[DEFAULT]
++
++syslog_authpriv = /var/log/secure
++syslog_mail = /var/log/maillog
++syslog_mail_warn = /var/log/maillog
+--
+2.36.1
+
diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch
new file mode 100644
index 0000000000..723d7f7aa6
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-action.patch
@@ -0,0 +1,27 @@
+From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:19:24 +0100
+Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes`
+ moved to the :mod:`collections.abc` module
+
+(since 3.10-alpha.5 `MutableMapping` is missing in collections module)
+---
+ fail2ban/server/action.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 3bc48fe046..f0f1e6f59a 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -30,7 +30,10 @@
+ import threading
+ import time
+ from abc import ABCMeta
+-from collections import MutableMapping
++try:
++ from collections.abc import MutableMapping
++except ImportError:
++ from collections import MutableMapping
+
+ from .failregex import mapTag2Opt
+ from .ipdns import DNSUtils
diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch
new file mode 100644
index 0000000000..e31316d28b
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch
@@ -0,0 +1,25 @@
+From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:25:45 +0100
+Subject: [PATCH] amend for `Mapping`
+
+---
+ fail2ban/server/actions.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index b7b95b445a..897d907c1a 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -28,7 +28,10 @@
+ import os
+ import sys
+ import time
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+ try:
+ from collections import OrderedDict
+ except ImportError:
diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch
new file mode 100644
index 0000000000..e5873c415e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch
@@ -0,0 +1,25 @@
+From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:35:59 +0100
+Subject: [PATCH] amend for `Mapping` (jails)
+
+---
+ fail2ban/server/jails.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py
+index 972a8c4bd2..27e12ddf65 100644
+--- a/fail2ban/server/jails.py
++++ b/fail2ban/server/jails.py
+@@ -22,7 +22,10 @@
+ __license__ = "GPL"
+
+ from threading import Lock
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+
+ from ..exceptions import DuplicateJailException, UnknownJailException
+ from .jail import Jail
--
2.36.1
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Fri, 15 Jul 2022 20:26:01 GMT) Full text and rfc822 format available.Message #11 received at 56579 <at> debbugs.gnu.org (full text, mbox):
From: muradm <mail <at> muradm.net> To: 56579 <at> debbugs.gnu.org Subject: [PATCH v3] gnu: admin: Add fail2ban 0.11.2. Date: Fri, 15 Jul 2022 23:25:12 +0300
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 162 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 ++++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 538 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..8e16f8256a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,162 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester <at> sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove('bin/fail2ban-testcases')
+
+@@ -178,7 +168,6 @@ def run(self):
+ if setuptools:
+ setup_extra = {
+ 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+ }
+ else:
+ setup_extra = {}
+@@ -202,9 +191,6 @@ def run(self):
+ ('/usr/share/doc/fail2ban', doc_files)
+ )
+
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+
+ setup(
+ name = "fail2ban",
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
new file mode 100644
index 0000000000..91d973e72e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
@@ -0,0 +1,48 @@
+From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Mon, 4 Jan 2021 02:42:38 +0100
+Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for
+ tests, considering interval from 2005 (alternate now) to now; + better
+ grouping algorithm for resulting century RE
+
+---
+ fail2ban/server/strptime.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 1464a96d1f..39fc795865 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo
+ Thereby respect possible run in the test-cases (alternate date used there)
+ """
+ cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t]
++ def grp(exprset):
++ c = None
++ if len(exprset) > 1:
++ for i in exprset:
++ if c is None or i[0:-1] == c:
++ c = i[0:-1]
++ else:
++ c = None
++ break
++ if not c:
++ for i in exprset:
++ if c is None or i[0] == c:
++ c = i[0]
++ else:
++ c = None
++ break
++ if c:
++ return "%s%s" % (c, grp([i[len(c):] for i in exprset]))
++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \
++ if len(exprset) > 1 else "".join(exprset)
+ exprset = set( cent(now[0].year + i) for i in (-1, distance) )
+ if len(now) and now[1]:
+- exprset |= set( cent(now[1].year + i) for i in (-1, distance) )
+- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset)
++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )
++ return grp(sorted(list(exprset)))
+
+ timeRE = TimeRE()
+
diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
new file mode 100644
index 0000000000..8c2a5747ba
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
@@ -0,0 +1,32 @@
+From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001
+From: muradm <mail <at> muradm.net>
+Date: Fri, 15 Jul 2022 20:08:14 +0300
+Subject: [PATCH] Add paths-guix.conf file.
+
+---
+ config/paths-guix.conf | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+ create mode 100644 config/paths-guix.conf
+
+diff --git a/config/paths-guix.conf b/config/paths-guix.conf
+new file mode 100644
+index 00000000..b4a2e9f5
+--- /dev/null
++++ b/config/paths-guix.conf
+@@ -0,0 +1,13 @@
++# Guix
++
++[INCLUDES]
++
++before = paths-common.conf
++after = paths-overrides.local
++
++
++[DEFAULT]
++
++syslog_authpriv = /var/log/secure
++syslog_mail = /var/log/maillog
++syslog_mail_warn = /var/log/maillog
+--
+2.36.1
+
diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch
new file mode 100644
index 0000000000..723d7f7aa6
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-action.patch
@@ -0,0 +1,27 @@
+From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:19:24 +0100
+Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes`
+ moved to the :mod:`collections.abc` module
+
+(since 3.10-alpha.5 `MutableMapping` is missing in collections module)
+---
+ fail2ban/server/action.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 3bc48fe046..f0f1e6f59a 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -30,7 +30,10 @@
+ import threading
+ import time
+ from abc import ABCMeta
+-from collections import MutableMapping
++try:
++ from collections.abc import MutableMapping
++except ImportError:
++ from collections import MutableMapping
+
+ from .failregex import mapTag2Opt
+ from .ipdns import DNSUtils
diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch
new file mode 100644
index 0000000000..e31316d28b
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch
@@ -0,0 +1,25 @@
+From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:25:45 +0100
+Subject: [PATCH] amend for `Mapping`
+
+---
+ fail2ban/server/actions.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index b7b95b445a..897d907c1a 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -28,7 +28,10 @@
+ import os
+ import sys
+ import time
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+ try:
+ from collections import OrderedDict
+ except ImportError:
diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch
new file mode 100644
index 0000000000..e5873c415e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch
@@ -0,0 +1,25 @@
+From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:35:59 +0100
+Subject: [PATCH] amend for `Mapping` (jails)
+
+---
+ fail2ban/server/jails.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py
+index 972a8c4bd2..27e12ddf65 100644
+--- a/fail2ban/server/jails.py
++++ b/fail2ban/server/jails.py
+@@ -22,7 +22,10 @@
+ __license__ = "GPL"
+
+ from threading import Lock
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+
+ from ..exceptions import DuplicateJailException, UnknownJailException
+ from .jail import Jail
--
2.36.1
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Fri, 15 Jul 2022 22:12:02 GMT) Full text and rfc822 format available.Message #14 received at 56579 <at> debbugs.gnu.org (full text, mbox):
From: muradm <mail <at> muradm.net> To: 56579 <at> debbugs.gnu.org Subject: [PATCH v4] gnu: admin: Add fail2ban 0.11.2. Date: Sat, 16 Jul 2022 01:11:32 +0300
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 181 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 557 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..0a14144059 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,181 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out") "/man"))
+ (install-man
+ (lambda (m)
+ (lambda (f)
+ (install-file
+ (string-append f "." m)
+ (string-append man "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1 '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5 '("jail.conf")))))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester <at> sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove('bin/fail2ban-testcases')
+
+@@ -178,7 +168,6 @@ def run(self):
+ if setuptools:
+ setup_extra = {
+ 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+ }
+ else:
+ setup_extra = {}
+@@ -202,9 +191,6 @@ def run(self):
+ ('/usr/share/doc/fail2ban', doc_files)
+ )
+
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+
+ setup(
+ name = "fail2ban",
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
new file mode 100644
index 0000000000..91d973e72e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
@@ -0,0 +1,48 @@
+From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Mon, 4 Jan 2021 02:42:38 +0100
+Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for
+ tests, considering interval from 2005 (alternate now) to now; + better
+ grouping algorithm for resulting century RE
+
+---
+ fail2ban/server/strptime.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 1464a96d1f..39fc795865 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo
+ Thereby respect possible run in the test-cases (alternate date used there)
+ """
+ cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t]
++ def grp(exprset):
++ c = None
++ if len(exprset) > 1:
++ for i in exprset:
++ if c is None or i[0:-1] == c:
++ c = i[0:-1]
++ else:
++ c = None
++ break
++ if not c:
++ for i in exprset:
++ if c is None or i[0] == c:
++ c = i[0]
++ else:
++ c = None
++ break
++ if c:
++ return "%s%s" % (c, grp([i[len(c):] for i in exprset]))
++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \
++ if len(exprset) > 1 else "".join(exprset)
+ exprset = set( cent(now[0].year + i) for i in (-1, distance) )
+ if len(now) and now[1]:
+- exprset |= set( cent(now[1].year + i) for i in (-1, distance) )
+- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset)
++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )
++ return grp(sorted(list(exprset)))
+
+ timeRE = TimeRE()
+
diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
new file mode 100644
index 0000000000..8c2a5747ba
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
@@ -0,0 +1,32 @@
+From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001
+From: muradm <mail <at> muradm.net>
+Date: Fri, 15 Jul 2022 20:08:14 +0300
+Subject: [PATCH] Add paths-guix.conf file.
+
+---
+ config/paths-guix.conf | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+ create mode 100644 config/paths-guix.conf
+
+diff --git a/config/paths-guix.conf b/config/paths-guix.conf
+new file mode 100644
+index 00000000..b4a2e9f5
+--- /dev/null
++++ b/config/paths-guix.conf
+@@ -0,0 +1,13 @@
++# Guix
++
++[INCLUDES]
++
++before = paths-common.conf
++after = paths-overrides.local
++
++
++[DEFAULT]
++
++syslog_authpriv = /var/log/secure
++syslog_mail = /var/log/maillog
++syslog_mail_warn = /var/log/maillog
+--
+2.36.1
+
diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch
new file mode 100644
index 0000000000..723d7f7aa6
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-action.patch
@@ -0,0 +1,27 @@
+From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:19:24 +0100
+Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes`
+ moved to the :mod:`collections.abc` module
+
+(since 3.10-alpha.5 `MutableMapping` is missing in collections module)
+---
+ fail2ban/server/action.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 3bc48fe046..f0f1e6f59a 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -30,7 +30,10 @@
+ import threading
+ import time
+ from abc import ABCMeta
+-from collections import MutableMapping
++try:
++ from collections.abc import MutableMapping
++except ImportError:
++ from collections import MutableMapping
+
+ from .failregex import mapTag2Opt
+ from .ipdns import DNSUtils
diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch
new file mode 100644
index 0000000000..e31316d28b
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch
@@ -0,0 +1,25 @@
+From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:25:45 +0100
+Subject: [PATCH] amend for `Mapping`
+
+---
+ fail2ban/server/actions.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index b7b95b445a..897d907c1a 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -28,7 +28,10 @@
+ import os
+ import sys
+ import time
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+ try:
+ from collections import OrderedDict
+ except ImportError:
diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch
new file mode 100644
index 0000000000..e5873c415e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch
@@ -0,0 +1,25 @@
+From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:35:59 +0100
+Subject: [PATCH] amend for `Mapping` (jails)
+
+---
+ fail2ban/server/jails.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py
+index 972a8c4bd2..27e12ddf65 100644
+--- a/fail2ban/server/jails.py
++++ b/fail2ban/server/jails.py
+@@ -22,7 +22,10 @@
+ __license__ = "GPL"
+
+ from threading import Lock
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+
+ from ..exceptions import DuplicateJailException, UnknownJailException
+ from .jail import Jail
--
2.36.1
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Sun, 17 Jul 2022 02:31:02 GMT) Full text and rfc822 format available.Message #17 received at 56579 <at> debbugs.gnu.org (full text, mbox):
From: muradm <mail <at> muradm.net> To: 56579 <at> debbugs.gnu.org Subject: [PATCH v5] gnu: admin: Add fail2ban 0.11.2. Date: Sun, 17 Jul 2022 05:30:40 +0300
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 195 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 +++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 571 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..4e2b7b081a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,195 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'fix-default-config
+ (lambda* (#:key outputs #:allow-other-keys)
+ (for-each
+ (lambda (f)
+ (substitute* f
+ (("/etc/fail2ban")
+ (string-append
+ (assoc-ref outputs "out")
+ "/etc/fail2ban"))))
+ '("config/paths-common.conf"
+ "fail2ban/tests/utils.py"
+ "fail2ban/client/configreader.py"
+ "fail2ban/client/fail2bancmdline.py"
+ "fail2ban/client/fail2banregex.py"))))
+ (add-after 'fix-default-config 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out") "/man"))
+ (install-man
+ (lambda (m)
+ (lambda (f)
+ (install-file
+ (string-append f "." m)
+ (string-append man "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1 '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5 '("jail.conf")))))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester <at> sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove('bin/fail2ban-testcases')
+
+@@ -178,7 +168,6 @@ def run(self):
+ if setuptools:
+ setup_extra = {
+ 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+ }
+ else:
+ setup_extra = {}
+@@ -202,9 +191,6 @@ def run(self):
+ ('/usr/share/doc/fail2ban', doc_files)
+ )
+
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+
+ setup(
+ name = "fail2ban",
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
new file mode 100644
index 0000000000..91d973e72e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
@@ -0,0 +1,48 @@
+From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001
+From: sebres <info <at> sebres.de>
+Date: Mon, 4 Jan 2021 02:42:38 +0100
+Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for
+ tests, considering interval from 2005 (alternate now) to now; + better
+ grouping algorithm for resulting century RE
+
+---
+ fail2ban/server/strptime.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 1464a96d1f..39fc795865 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo
+ Thereby respect possible run in the test-cases (alternate date used there)
+ """
+ cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t]
++ def grp(exprset):
++ c = None
++ if len(exprset) > 1:
++ for i in exprset:
++ if c is None or i[0:-1] == c:
++ c = i[0:-1]
++ else:
++ c = None
++ break
++ if not c:
++ for i in exprset:
++ if c is None or i[0] == c:
++ c = i[0]
++ else:
++ c = None
++ break
++ if c:
++ return "%s%s" % (c, grp([i[len(c):] for i in exprset]))
++ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \
++ if len(exprset) > 1 else "".join(exprset)
+ exprset = set( cent(now[0].year + i) for i in (-1, distance) )
+ if len(now) and now[1]:
+- exprset |= set( cent(now[1].year + i) for i in (-1, distance) )
+- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset)
++ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )
++ return grp(sorted(list(exprset)))
+
+ timeRE = TimeRE()
+
diff --git a/gnu/packages/patches/fail2ban-paths-guix-conf.patch b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
new file mode 100644
index 0000000000..8c2a5747ba
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-paths-guix-conf.patch
@@ -0,0 +1,32 @@
+From ef28dcf7a5bdbfd8ba586bb066d5ec53188a6bf9 Mon Sep 17 00:00:00 2001
+From: muradm <mail <at> muradm.net>
+Date: Fri, 15 Jul 2022 20:08:14 +0300
+Subject: [PATCH] Add paths-guix.conf file.
+
+---
+ config/paths-guix.conf | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+ create mode 100644 config/paths-guix.conf
+
+diff --git a/config/paths-guix.conf b/config/paths-guix.conf
+new file mode 100644
+index 00000000..b4a2e9f5
+--- /dev/null
++++ b/config/paths-guix.conf
+@@ -0,0 +1,13 @@
++# Guix
++
++[INCLUDES]
++
++before = paths-common.conf
++after = paths-overrides.local
++
++
++[DEFAULT]
++
++syslog_authpriv = /var/log/secure
++syslog_mail = /var/log/maillog
++syslog_mail_warn = /var/log/maillog
+--
+2.36.1
+
diff --git a/gnu/packages/patches/fail2ban-python310-server-action.patch b/gnu/packages/patches/fail2ban-python310-server-action.patch
new file mode 100644
index 0000000000..723d7f7aa6
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-action.patch
@@ -0,0 +1,27 @@
+From 2b6bb2c1bed8f7009631e8f8c306fa3160324a49 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:19:24 +0100
+Subject: [PATCH] follow bpo-37324: :ref:`collections-abstract-base-classes`
+ moved to the :mod:`collections.abc` module
+
+(since 3.10-alpha.5 `MutableMapping` is missing in collections module)
+---
+ fail2ban/server/action.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 3bc48fe046..f0f1e6f59a 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -30,7 +30,10 @@
+ import threading
+ import time
+ from abc import ABCMeta
+-from collections import MutableMapping
++try:
++ from collections.abc import MutableMapping
++except ImportError:
++ from collections import MutableMapping
+
+ from .failregex import mapTag2Opt
+ from .ipdns import DNSUtils
diff --git a/gnu/packages/patches/fail2ban-python310-server-actions.patch b/gnu/packages/patches/fail2ban-python310-server-actions.patch
new file mode 100644
index 0000000000..e31316d28b
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-actions.patch
@@ -0,0 +1,25 @@
+From 42dee38ad2ac5c3f23bdf297d824022923270dd9 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:25:45 +0100
+Subject: [PATCH] amend for `Mapping`
+
+---
+ fail2ban/server/actions.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index b7b95b445a..897d907c1a 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -28,7 +28,10 @@
+ import os
+ import sys
+ import time
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+ try:
+ from collections import OrderedDict
+ except ImportError:
diff --git a/gnu/packages/patches/fail2ban-python310-server-jails.patch b/gnu/packages/patches/fail2ban-python310-server-jails.patch
new file mode 100644
index 0000000000..e5873c415e
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-python310-server-jails.patch
@@ -0,0 +1,25 @@
+From 9f1d1f4fbd0804695a976beb191f2c49a2739834 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester <at> sebres.de>
+Date: Mon, 8 Feb 2021 17:35:59 +0100
+Subject: [PATCH] amend for `Mapping` (jails)
+
+---
+ fail2ban/server/jails.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py
+index 972a8c4bd2..27e12ddf65 100644
+--- a/fail2ban/server/jails.py
++++ b/fail2ban/server/jails.py
+@@ -22,7 +22,10 @@
+ __license__ = "GPL"
+
+ from threading import Lock
+-from collections import Mapping
++try:
++ from collections.abc import Mapping
++except ImportError:
++ from collections import Mapping
+
+ from ..exceptions import DuplicateJailException, UnknownJailException
+ from .jail import Jail
--
2.36.1
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Sun, 17 Jul 2022 13:49:02 GMT) Full text and rfc822 format available.Message #20 received at 56579 <at> debbugs.gnu.org (full text, mbox):
From: Jean Pierre De Jesus DIAZ <me <at> jeandudey.tech> To: "mail <at> muradm.net" <mail <at> muradm.net>, "56579 <at> debbugs.gnu.org" <56579 <at> debbugs.gnu.org> Subject: [PATCH] gnu: admin: Add fail2ban 0.11.2. Date: Sun, 17 Jul 2022 13:48:07 +0000
Hello muradm!
>+ (arguments
>+ '(#:phases (modify-phases %standard-phases
I think you can benefit a little bit from using G-Expressions here:
(arguments
(list #:phases
#~(modify-phases %modify-phases
...)))
For example:
>+ (let* ((awk (assoc-ref inputs "gawk"))
>+ (awk (string-append awk "/bin/awk"))
Could be replaced by:
(let* ((awk (string-append #$gawk "/bin/awk"))))
Applies to others too. Could save some vertical space.
—
Jean-Pierre De Jesus DIAZ
guix-patches <at> gnu.org:bug#56579; Package guix-patches.
(Sun, 17 Jul 2022 16:16:02 GMT) Full text and rfc822 format available.Message #23 received at 56579 <at> debbugs.gnu.org (full text, mbox):
From: muradm <mail <at> muradm.net> To: Jean Pierre De Jesus DIAZ <me <at> jeandudey.tech> Cc: "56579 <at> debbugs.gnu.org" <56579 <at> debbugs.gnu.org> Subject: Re: [PATCH] gnu: admin: Add fail2ban 0.11.2. Date: Sun, 17 Jul 2022 19:13:48 +0300
[Message part 1 (text/plain, inline)]
Hi, I think you are commenting on initial versions. Please refer to last v5, which is quite crafted. Jean Pierre De Jesus DIAZ <me <at> jeandudey.tech> writes: > Hello muradm! > >>+ (arguments >>+ '(#:phases (modify-phases %standard-phases > > I think you can benefit a little bit from using G-Expressions > here: > > (arguments > (list #:phases > #~(modify-phases %modify-phases > ...))) > > For example: > >>+ (let* ((awk (assoc-ref inputs "gawk")) >>+ (awk (string-append awk >>"/bin/awk")) > > Could be replaced by: > > (let* ((awk (string-append #$gawk "/bin/awk")))) > > Applies to others too. Could save some vertical space. > > — > Jean-Pierre De Jesus DIAZ
[signature.asc (application/pgp-signature, inline)]
Ludovic Courtès <ludo <at> gnu.org>:muradm <mail <at> muradm.net>:Message #28 received at 56579-done <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: muradm <mail <at> muradm.net> Cc: 56579-done <at> debbugs.gnu.org Subject: Re: bug#56579: [PATCH] gnu: admin: Add fail2ban 0.11.2. Date: Mon, 01 Aug 2022 17:19:16 +0200
Hi, muradm <mail <at> muradm.net> skribis: > * gnu/packages/admin.scm (fail2ban): New variable. > --- > gnu/packages/admin.scm | 195 ++++++++++++++++++ > .../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++ > ...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++ > .../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++ > .../patches/fail2ban-paths-guix-conf.patch | 32 +++ > .../fail2ban-python310-server-action.patch | 27 +++ > .../fail2ban-python310-server-actions.patch | 25 +++ > .../fail2ban-python310-server-jails.patch | 25 +++ > 8 files changed, 571 insertions(+) > create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch > create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch > create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch > create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch > create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch > create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch > create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch Applied with minimal changes: added the patches to ‘gnu/local.mk’, changed (for-each (lambda (f) (substitute* f …)) files) to (substitute* files …), changed ‘coreutils’ to ‘coreutils-minimal’, changed license to ‘gpl2+’ since headers carry the “or any later version” wording, and tweaked indentation. Thanks! Ludo’.
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Tue, 30 Aug 2022 11:24:11 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.