openSUSE Security Update: Security update for fail2ban
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1274-1
Rating:             important
References:         #1145181 #1146856 #1180738 #1188610
Cross-References:   CVE-2021-32749
CVSS scores:
                    CVE-2021-32749 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has three fixes is now available.

Description:

This update for fail2ban fixes the following issues:

- CVE-2021-32749: prevent a command injection via mail command
  (boo#1188610)
- Integrate change to resolve boo#1146856 and boo#1180738

Update to 0.11.2

- increased stability, filter and action updates

New Features and Enhancements

* fail2ban-regex:
  - speedup formatted output (bypass unneeded stats creation)
  - extended with prefregex statistic
  - more informative output for datepattern (e. g. set from filter) -
    pattern : description
* parsing of action in jail-configs considers space between action-names
  as separator also (previously only new-line was allowed), for example
  action = a b would specify 2 actions a and b
* new filter and jail for GitLab recognizing failed application logins
  (gh#fail2ban/fail2ban#2689)
* new filter and jail for Grafana recognizing failed application logins
  (gh#fail2ban/fail2ban#2855)
* new filter and jail for SoftEtherVPN recognizing failed application
  logins (gh#fail2ban/fail2ban#2723)
* filter.d/guacamole.conf extended with logging parameter to follow
  webapp-logging if it's configured (gh#fail2ban/fail2ban#2631)
* filter.d/bitwarden.conf enhanced to support syslog
  (gh#fail2ban/fail2ban#2778)
* introduced new prefix {UNB} for datepattern to disable word boundaries
  in regex;
* datetemplate: improved anchor detection for capturing groups (^...);
* datepattern: improved handling of wrongly recognized timestamps
  (timezones, no datepattern, etc) as well as some warnings signaling user
  about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
  - filter gets mode in-operation, which gets activated if filter starts
    processing of new messages; in this mode a timestamp read from a
    log-line that appeared recently (not an old line), deviating too much
    from now (up to 24h), will be considered as now (assuming a timezone
    issue), which avoids an unexpected bypass of failure (previously
    exceeding findtime);
  - better interaction with non-matching optional datepattern or invalid
    timestamps;
  - implements special datepattern {NONE} - allows finding failures
    totally without date-time in log messages, whereas filter will use now
    as timestamp (gh#fail2ban/fail2ban#2802)
* performance optimization of datepattern (better search algorithm in
  datedetector, especially for single template);
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or
  hostname (DNS), gh#fail2ban/fail2ban#2791;
* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag prefix `