Address CVE-2021-32749.

Set locale to a UTF8 variant for tests

.gitignore

@@ -1 +1,24 @@
-/fail2ban-*/
+fail2ban-FAIL2BAN-0_8.tar.bz2
+fail2ban-0.8.4.tar.bz2
+/fail2ban_0.8.7.1.orig.tar.gz
+/fail2ban_0.8.8.orig.tar.gz
+/fail2ban-0.8.10.tar.gz
+/fail2ban-0.8.11.tar.gz
+/fail2ban-0.9-d529151.tar.xz
+/fail2ban-0.9-1f1a561.tar.xz
+/fail2ban-0.9.tar.gz
+/fail2ban-0.9.1.tar.gz
+/fail2ban-0.9.2.tar.gz
+/fail2ban-0.9.3.tar.gz
+/fail2ban-0.9.4.tar.gz
+/fail2ban-0.9.5.tar.gz
+/fail2ban-0.9.6.tar.gz
+/fail2ban-0.9.7.tar.gz
+/fail2ban-0.10.0.tar.gz
+/fail2ban-0.10.1.tar.gz
+/fail2ban-0.10.2.tar.gz
+/fail2ban-0.10.3.1.tar.gz
+/fail2ban-0.10.4.tar.gz
+/fail2ban-0.10.5.tar.gz
+/fail2ban-0.11.1.tar.gz
+/fail2ban-0.11.2.tar.gz

04ff4c060cdc233af9a6deeb85a6523da0416f31.patch

@@ -1,60 +0,0 @@
-From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001
-From: Nic Boet <nic@boet.cc>
-Date: Fri, 13 Jun 2025 16:44:57 -0500
-Subject: [PATCH] Dovecot 2.4 filter support
-
-Dovecot 2.4 release is a major upgrade
-Logger event structure has changed, all messages are now
-prefixed with:
-
-        "Login aborted: " <reason> "auth failed"
-
-Maintain 2.3 support as many folks have yet to migrate,
-community edition is still receiving cretial security patches
-
-Dovecot 2.4.1
-Python 3.12.10
-
-Signed-off-by: Nic Boet <nic@boet.cc>
----
- config/filter.d/dovecot.conf      | 2 ++
- fail2ban/tests/files/logs/dovecot | 6 ++++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
-index dc3ebbcd42..f49eebe726 100644
---- a/config/filter.d/dovecot.conf
-+++ b/config/filter.d/dovecot.conf
-@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a
- 
- failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
-             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
-+            ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<<F-USER>[^>]*</F-USER>>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
-             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
-             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
-             <mdre-<mode>>
-@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N
- # DEV Notes:
- # * the first regex is essentially a copy of pam-generic.conf
- # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
-+# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support
- #
- # Author: Martin Waschbuesch
- #         Daniel Black (rewrote with begin and end anchors)
-diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
-index 0e33296129..4f5a0b7867 100644
---- a/fail2ban/tests/files/logs/dovecot
-+++ b/fail2ban/tests/files/logs/dovecot
-@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
- # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
- Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
- 
-+# Dovecot version 2.4
-+# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" }
-+Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=<test>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan>
-+# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" }
-+Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=<user@domain>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<Dp8j1Ho3suQYdo+k>
-+
- # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
- Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
- 

3728.patch

@@ -1,160 +0,0 @@
-From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001
-From: Branch Vincent <branchevincent@gmail.com>
-Date: Sat, 27 Apr 2024 10:24:01 -0700
-Subject: [PATCH 1/3] replace distutils for python 3.12
-
----
- doc/conf.py                        | 5 +----
- fail2ban/server/filterpyinotify.py | 3 +--
- fail2ban/server/filtersystemd.py   | 3 +--
- 3 files changed, 3 insertions(+), 8 deletions(-)
-
-diff --git a/doc/conf.py b/doc/conf.py
-index 20845a5a0e..48d27f7062 100644
---- a/doc/conf.py
-+++ b/doc/conf.py
-@@ -47,12 +47,9 @@
- #
- 
- from fail2ban.version import version as fail2ban_version
--from distutils.version import LooseVersion
--
--fail2ban_loose_version = LooseVersion(fail2ban_version)
- 
- # The short X.Y version.
--version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2])
-+version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2])
- # The full version, including alpha/beta/rc tags.
- release = fail2ban_version
- 
-diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
-index 81bc7de393..c6972ced3f 100644
---- a/fail2ban/server/filterpyinotify.py
-+++ b/fail2ban/server/filterpyinotify.py
-@@ -24,7 +24,6 @@
- __license__ = "GPL"
- 
- import logging
--from distutils.version import LooseVersion
- import os
- from os.path import dirname, sep as pathsep
- 
-@@ -38,7 +37,7 @@
- 
- 
- if not hasattr(pyinotify, '__version__') \
--  or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover
-+  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
-   raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
- 
- # Verify that pyinotify is functional on this system
-diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
-index 5aea9fdadc..2d4f862b97 100644
---- a/fail2ban/server/filtersystemd.py
-+++ b/fail2ban/server/filtersystemd.py
-@@ -24,10 +24,9 @@
- 
- import os
- import time
--from distutils.version import LooseVersion
- 
- from systemd import journal
--if LooseVersion(getattr(journal, '__version__', "0")) < '204':
-+if getattr(journal, "__version__", "0").split(".") < "204".split("."):
- 	raise ImportError("Fail2Ban requires systemd >= 204")
- 
- from .failmanager import FailManagerEmpty
-
-From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001
-From: sebres <info@sebres.de>
-Date: Tue, 7 May 2024 12:51:14 +0200
-Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for
- supported python3 versions anymore
-
----
- fail2ban/server/filterpyinotify.py | 4 ----
- fail2ban/server/filtersystemd.py   | 2 --
- 2 files changed, 6 deletions(-)
-
-diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
-index c6972ced3f..f2f31e6fb5 100644
---- a/fail2ban/server/filterpyinotify.py
-+++ b/fail2ban/server/filterpyinotify.py
-@@ -36,10 +36,6 @@
- from ..helpers import getLogger
- 
- 
--if not hasattr(pyinotify, '__version__') \
--  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
--  raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
--
- # Verify that pyinotify is functional on this system
- # Even though imports -- might be dysfunctional, e.g. as on kfreebsd
- try:
-diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
-index 2d4f862b97..abd66e1f76 100644
---- a/fail2ban/server/filtersystemd.py
-+++ b/fail2ban/server/filtersystemd.py
-@@ -26,8 +26,6 @@
- import time
- 
- from systemd import journal
--if getattr(journal, "__version__", "0").split(".") < "204".split("."):
--	raise ImportError("Fail2Ban requires systemd >= 204")
- 
- from .failmanager import FailManagerEmpty
- from .filter import JournalFilter, Filter
-
-From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001
-From: sebres <info@sebres.de>
-Date: Tue, 7 May 2024 13:06:50 +0200
-Subject: [PATCH 3/3] setup.py: no distutils anymore
-
----
- setup.py | 25 ++++++-------------------
- 1 file changed, 6 insertions(+), 19 deletions(-)
-
-diff --git a/setup.py b/setup.py
-index 9f7bd8fb59..ee9ea4df82 100755
---- a/setup.py
-+++ b/setup.py
-@@ -24,23 +24,10 @@
- 
- import platform
- 
--try:
--	import setuptools
--	from setuptools import setup
--	from setuptools.command.install import install
--	from setuptools.command.install_scripts import install_scripts
--	from setuptools.command.build_py import build_py
--	build_scripts = None
--except ImportError:
--	setuptools = None
--	from distutils.core import setup
--
--# older versions
--if setuptools is None:
--	from distutils.command.build_py import build_py
--	from distutils.command.build_scripts import build_scripts
--	from distutils.command.install import install
--	from distutils.command.install_scripts import install_scripts
-+import setuptools
-+from setuptools import setup
-+from setuptools.command.install import install
-+from setuptools.command.install_scripts import install_scripts
- 
- import os
- from os.path import isfile, join, isdir, realpath
-@@ -207,9 +194,9 @@ def run(self):
- 	url = "http://www.fail2ban.org",
- 	license = "GPL",
- 	platforms = "Posix",
--	cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{
-+	cmdclass = {
- 		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
--	}),
-+	},
- 	scripts = [
- 		'bin/fail2ban-client',
- 		'bin/fail2ban-server',

3782.patch

@@ -1,94 +0,0 @@
-From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
-From: Fabian Dellwing <fabian.dellwing@mbconnectline.de>
-Date: Tue, 2 Jul 2024 07:54:15 +0200
-Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
-
----
- config/filter.d/sshd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
-index 1c8a02deb5..a1fd749aed 100644
---- a/config/filter.d/sshd.conf
-+++ b/config/filter.d/sshd.conf
-@@ -16,7 +16,7 @@ before = common.conf
- 
- [DEFAULT]
- 
--_daemon = sshd
-+_daemon = (?:sshd(?:-session)?)
- 
- # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
- __pref = (?:(?:error|fatal): (?:PAM: )?)?
-
-From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester" <serg.brester@sebres.de>
-Date: Wed, 3 Jul 2024 19:09:28 +0200
-Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
-
----
- fail2ban/tests/files/logs/sshd | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
-index ed54ded4d4..7d3948ed80 100644
---- a/fail2ban/tests/files/logs/sshd
-+++ b/fail2ban/tests/files/logs/sshd
-@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
- # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
- Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
- 
-+# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
-+Jul  3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
-+
- #3
- # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
- Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
-
-From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester" <serg.brester@sebres.de>
-Date: Wed, 3 Jul 2024 19:33:39 +0200
-Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
- sshd-session log format
-
----
- fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
-index ad8adeb69f..14256ba68c 100644
---- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
-+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
-@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
- 
- [DEFAULT]
- 
--_daemon = sshd
-+_daemon = sshd(?:-session)?
- 
- # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
- __pref = (?:(?:error|fatal): (?:PAM: )?)?
-
-From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester" <serg.brester@sebres.de>
-Date: Wed, 3 Jul 2024 19:35:28 +0200
-Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
-
----
- config/filter.d/sshd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
-index a1fd749aed..3a84b1ba52 100644
---- a/config/filter.d/sshd.conf
-+++ b/config/filter.d/sshd.conf
-@@ -16,7 +16,7 @@ before = common.conf
- 
- [DEFAULT]
- 
--_daemon = (?:sshd(?:-session)?)
-+_daemon = sshd(?:-session)?
- 
- # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
- __pref = (?:(?:error|fatal): (?:PAM: )?)?
-

410a6ce5c80dd981c22752da034f2529b5eee844.patch

@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf         | 2 +-
+ config/action.d/dshield.conf          | 2 +-
+ config/action.d/mail-buffered.conf    | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf       | 6 +++---
+ config/action.d/mail.conf             | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Output will be buffered until <lines> lines are available.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+                  These hosts have been banned by Fail2Ban.\n
+                  `cat <tmpfile>`
+                  Regards,\n
+-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++                 Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+                  rm <tmpfile>
+              fi
+              printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+                 These hosts have been banned by Fail2Ban.\n
+                 `cat <tmpfile>`
+                 \nRegards,\n
+-                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++                Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+                 rm <tmpfile>
+             fi
+ 
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+             Here is more information about <ip> :\n
+             `%(_whois_command)s`\n
+             Regards,\n
+-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+             The IP <ip> has just been banned by Fail2Ban after
+             <failures> attempts against <name>.\n
+             Regards,\n
+-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the

54c0effceb998b73545073ac59c479d9d9bf19a4.patch

@@ -1,23 +0,0 @@
-From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
-From: sebres <info@sebres.de>
-Date: Sun, 11 Aug 2024 12:10:12 +0200
-Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
- would log with `_COMM=sshd-session`)
-
----
- config/filter.d/sshd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
-index 206b913a78..595e957f0b 100644
---- a/config/filter.d/sshd.conf
-+++ b/config/filter.d/sshd.conf
-@@ -126,7 +126,7 @@ ignoreregex =
- 
- maxlines = 1
- 
--journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
-+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
- 
- # DEV Notes:
- #

ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch

@@ -1,148 +0,0 @@
-From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001
-From: sebres <info@sebres.de>
-Date: Fri, 14 Jun 2024 14:31:21 +0200
-Subject: [PATCH] beautifier detect whether it can use unicode chars in stats
- table; asciified output of beautifier in test suite; closes gh-3750
-
----
- fail2ban/client/beautifier.py              | 51 ++++++++++++++--------
- fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++----
- 2 files changed, 45 insertions(+), 28 deletions(-)
-
-diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py
-index 7ef173a655..21c49b9483 100644
---- a/fail2ban/client/beautifier.py
-+++ b/fail2ban/client/beautifier.py
-@@ -21,8 +21,10 @@
- __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko"
- __license__ = "GPL"
- 
-+import sys
-+
- from ..exceptions import UnknownJailException, DuplicateJailException
--from ..helpers import getLogger, logging
-+from ..helpers import getLogger, logging, PREFER_ENC
- 
- # Gets the instance of the logger.
- logSys = getLogger(__name__)
-@@ -36,6 +38,11 @@
- 
- class Beautifier:
- 
-+	stdoutEnc = PREFER_ENC
-+	if sys.stdout and sys.stdout.encoding is not None:
-+		stdoutEnc = sys.stdout.encoding
-+	encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0
-+
- 	def __init__(self, cmd = None):
- 		self.__inputCmd = cmd
- 
-@@ -104,7 +111,11 @@ def jail_stat(response, pref=""):
- 							jail_stat(j, "      " if i == len(jstat) else "   |  ")
- 				msg = "\n".join(msg)
- 			elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']:
--				def _statstable(response):
-+				chrTable = [
-+					['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii
-+					["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8
-+				];
-+				def _statstable(response, ct):
- 					tophead = ["Jail", "Backend", "Filter", "Actions"]
- 					headers = ["", "", "cur", "tot", "cur", "tot"]
- 					minlens = [8, 8, 3, 3, 3, 3]
-@@ -120,29 +131,31 @@ def _statstable(response):
- 						f = "%%%ds" if ralign[i] else "%%-%ds"
- 						rfmt.append(f % lens[i])
- 						hfmt.append(f % lens[i])
--					rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])]
--					hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])]
-+					rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])]
-+					hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])]
- 					tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]]
- 					tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)]
- 					tsep = tfmt[0:2]
--					rfmt = " \u2551 ".join(rfmt)
--					hfmt = " \u2551 ".join(hfmt)
--					tfmt = " \u2551 ".join(tfmt)
--					tsep = " \u2551 ".join(tsep)
--					separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + 
--						("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500')
-+					rfmt = (" "+ct[0]+" ").join(rfmt)
-+					hfmt = (" "+ct[0]+" ").join(hfmt)
-+					tfmt = (" "+ct[0]+" ").join(tfmt)
-+					tsep = (" "+ct[0]+" ").join(tsep)
-+					separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + 
-+						((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7])
- 					ret = []
--					ret.append(tfmt % tuple(["", ""]+tophead[2:]))
--					ret.append(separator)
--					ret.append(hfmt % tuple(headers))
--					separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
--					ret.append(separator)
-+					ret.append(" "+tfmt % tuple(["", ""]+tophead[2:]))
-+					ret.append(" "+separator)
-+					ret.append(" "+hfmt % tuple(headers))
-+					separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
-+					ret.append(ct[1]+separator)
- 					for row in rows:
--						ret.append(rfmt % tuple(row))
--					separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
--					ret.append(separator)
-+						ret.append(" "+rfmt % tuple(row))
-+					separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
-+					ret.append(ct[1]+separator)
- 					return ret
--				msg = "\n".join(_statstable(response))
-+				if not response:
-+					return "No jails found."
-+				msg = "\n".join(_statstable(response, chrTable[self.encUtf]))
- 			elif len(inC) < 2:
- 				pass # to few cmd args for below
- 			elif inC[1] == "syslogsocket":
-diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py
-index defedbe1bf..5fcb240479 100644
---- a/fail2ban/tests/clientbeautifiertestcase.py
-+++ b/fail2ban/tests/clientbeautifiertestcase.py
-@@ -34,6 +34,7 @@ def setUp(self):
- 		""" Call before every test case """
- 		super(BeautifierTest, self).setUp()
- 		self.b = Beautifier()
-+		self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750)
- 
- 	def tearDown(self):
- 		""" Call after every test case """
-@@ -170,22 +171,25 @@ def testStatus(self):
- 
- 	def testStatusStats(self):
- 		self.b.setInputCmd(["stats"])
-+		## no jails:
-+		self.assertEqual(self.b.beautify({}), "No jails found.")
-+		## 3 jails:
- 		response = {
- 			"ssh": ["systemd", (3, 6), (12, 24)],
- 			"exim4": ["pyinotify", (6, 12), (20, 20)],
- 			"jail-with-long-name": ["polling", (0, 0), (0, 0)]
- 		}
- 		output = (""
--			+ "                    ?           ? Filter    ? Actions  \n"
--			+ "Jail                ? Backend   ????????????????????????\n"
--			+ "                    ?           ? cur ? tot ? cur ? tot\n"
--			+ "????????????????????????????????????????????????????????\n"
--			+ "ssh                 ? systemd   ?   3 ?   6 ?  12 ?  24\n"
--			+ "exim4               ? pyinotify ?   6 ?  12 ?  20 ?  20\n"
--			+ "jail-with-long-name ? polling   ?   0 ?   0 ?   0 ?   0\n"
--			+ "????????????????????????????????????????????????????????"
-+			+ "                     |           | Filter    | Actions  \n"
-+			+ " Jail                | Backend   |-----------x-----------\n"
-+			+ "                     |           | cur | tot | cur | tot\n"
-+			+ "---------------------x-----------x-----------x-----------\n"
-+			+ " ssh                 | systemd   |   3 |   6 |  12 |  24\n"
-+			+ " exim4               | pyinotify |   6 |  12 |  20 |  20\n"
-+			+ " jail-with-long-name | polling   |   0 |   0 |   0 |   0\n"
-+			+ "---------------------------------------------------------"
- 		)
--		response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii')
-+		response = self.b.beautify(response)
- 		self.assertEqual(response, output)
- 			
- 

f259dac74721c00f0184bf45277137771fc747fe.patch

@@ -0,0 +1,48 @@
+From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Mon, 4 Jan 2021 02:42:38 +0100
+Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for
+ tests, considering interval from 2005 (alternate now) to now; + better
+ grouping algorithm for resulting century RE
+
+---
+ fail2ban/server/strptime.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 1464a96d1f..39fc795865 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo
+ 	Thereby respect possible run in the test-cases (alternate date used there)
+ 	"""
+ 	cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t]
++	def grp(exprset):
++		c = None
++		if len(exprset) > 1:
++			for i in exprset:
++				if c is None or i[0:-1] == c:
++					c = i[0:-1]
++				else:
++					c = None
++					break
++			if not c:
++				for i in exprset:
++					if c is None or i[0] == c:
++						c = i[0]
++					else:
++						c = None
++						break
++			if c:
++				return "%s%s" % (c, grp([i[len(c):] for i in exprset]))
++		return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \
++			if len(exprset) > 1 else "".join(exprset)
+ 	exprset = set( cent(now[0].year + i) for i in (-1, distance) )
+ 	if len(now) and now[1]:
+-		exprset |= set( cent(now[1].year + i) for i in (-1, distance) )
+-	return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset)
++		exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) )
++	return grp(sorted(list(exprset)))
+ 
+ timeRE = TimeRE()
+ 

fail2ban-1.1.0.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
-iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
-yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
-ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
-9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
-jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
-MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
-=qvry
------END PGP SIGNATURE-----

fail2ban-nftables.patch

@@ -1,62 +0,0 @@
-Index: fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf
-===================================================================
---- fail2ban-1.0.2.orig/config/action.d/firewallcmd-rich-rules.conf
-+++ fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf
-@@ -37,8 +37,8 @@ actioncheck =
- 
- fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
- 
--actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
-+actionban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
- 	   
--actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
-+actionunban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
- 
--rich-suffix = <rich-blocktype>
-\ No newline at end of file
-+rich-suffix = <rich-blocktype>
-Index: fail2ban-1.0.2/fail2ban/tests/servertestcase.py
-===================================================================
---- fail2ban-1.0.2.orig/fail2ban/tests/servertestcase.py
-+++ fail2ban-1.0.2/fail2ban/tests/servertestcase.py
-@@ -2051,32 +2051,32 @@ class ServerConfigReaderTests(LogCapture
- 			('j-fwcmd-rr', 'firewallcmd-rich-rules[port="22:24", protocol="tcp"]', {
- 				'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',),
- 				'ip4-ban': (
--					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
-+					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
- 				),
- 				'ip4-unban': (
--					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
-+					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
- 				),
- 				'ip6-ban': (
--					""" `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
-+					""" `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
- 				),
- 				'ip6-unban': (
--					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
-+					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
- 				),					
- 			}),
- 			# firewallcmd-rich-logging --
- 			('j-fwcmd-rl', 'firewallcmd-rich-logging[port="22:24", protocol="tcp"]', {
- 				'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',),
- 				'ip4-ban': (
--					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
-+					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
- 				),
- 				'ip4-unban': (
--					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
-+					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
- 				),
- 				'ip6-ban': (
--					""" `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
-+					""" `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
- 				),
- 				'ip6-unban': (
--					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
-+					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
- 				),					
- 			}),
- 		)

fail2ban.fc

@@ -1,4 +1,4 @@
-#/etc/rc\.d/init\.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
 
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /usr/bin/fail2ban-client	--	gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
@@ -6,5 +6,4 @@
 
 /var/lib/fail2ban(/.*)?	gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
 /var/log/fail2ban\.log.*	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
-
-/run/fail2ban(/.*)?				gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban.*	gen_context(system_u:object_r:fail2ban_var_run_t,s0)

fail2ban.if

@@ -243,7 +243,7 @@ interface(`fail2ban_read_pid_files',`
 
 ########################################
 ## <summary>
-##	dontaudit read and write leaked file descriptors
+##	dontaudit read and write an leaked file descriptors
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -264,7 +264,7 @@ interface(`fail2ban_dontaudit_leaks',`
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
-##	a fail2ban environment
+##	an fail2ban environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>

fail2ban.spec

@@ -1,91 +1,50 @@
-%if 0%{?rhel} >= 9
-%bcond_with     shorewall
-%else
-%bcond_without  shorewall
-%endif
-
-# RHEL < 10 and Fedora < 40 use file context entries in /var/run
-%if %{defined rhel} && 0%{?rhel} < 10
-%define legacy_var_run 1
-%endif
-
 Name: fail2ban
-Version: 1.1.0
-Release: 15%{?dist}
+Version: 0.11.2
+Release: 3%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors
 
-License: GPL-2.0-or-later
-URL: https://www.fail2ban.org
+License: GPLv2+
+URL: http://fail2ban.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
-# Releases are signed by Serg G. Brester (sebres) <info AT sebres.de>.  The
-# fingerprint can be found in a signature file:
-#   gpg --list-packets fail2ban-1.0.2.tar.gz.asc | grep 'issuer fpr'
-#
-# The following commands can be used to fetch the signing key via fingerprint
-# and extract it:
-#   fpr=8738559E26F671DF9E2C6D9E683BF1BEBD0A882C
-#   gpg --receive-keys $fpr
-#   gpg -a --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
-Source2: gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
 # SELinux policy
-Source3: fail2ban.fc
-Source4: fail2ban.if
-Source5: fail2ban.te
-Source6: Makefile
-
+Source1: fail2ban.fc
+Source2: fail2ban.if
+Source3: fail2ban.te
+Source4: Makefile
 # Give up being PartOf iptables and ipset for now
 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185
 Patch0: fail2ban-partof.patch
-# default port in jail.conf is not compatible with firewalld-cmd syntax
-# https://bugzilla.redhat.com/show_bug.cgi?id=1850164
-Patch1: fail2ban-nftables.patch
-# Work around encoding issues during tests
-Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2315252
-Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2295265
-Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch
-# Upstream fix to also catch sshd-session logs
-# https://bugzilla.redhat.com/show_bug.cgi?id=2332945
-Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
-# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1.
-# https://bugzilla.redhat.com/show_bug.cgi?id=2426440
-Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
+# https://github.com/fail2ban/fail2ban/issues/2904#issuecomment-754042663
+Patch1: https://github.com/fail2ban/fail2ban/commit/f259dac74721c00f0184bf45277137771fc747fe.patch
+# CVE-2021-32749 https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
+Patch3: https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844.patch
 
 
 BuildArch: noarch
 
+%if 0%{?rhel} && 0%{?rhel} < 8
+BuildRequires: python-devel
+BuildRequires: python-setuptools
+# For testcases
+BuildRequires: python-inotify
+%else
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
+BuildRequires: /usr/bin/2to3
 # For testcases
 BuildRequires: python3-inotify
-# using a python3_version-based conditional does not work here, so
-# this is a proxy for "Python version greater than 3.12". asyncore
-# and asynchat were dropped from cpython core in 3.12, these modules
-# make them available again. See:
-# https://github.com/fail2ban/fail2ban/issues/3487
-# https://bugzilla.redhat.com/show_bug.cgi?id=2219991
-%if 0%{?fedora} || 0%{?rhel} >= 10
-BuildRequires: python3-pyasyncore
-BuildRequires: python3-pyasynchat
 %endif
 BuildRequires: sqlite
 BuildRequires: systemd
 BuildRequires: selinux-policy-devel
-BuildRequires: make
-%if 0%{?fedora} || 0%{?rhel} >= 11
-BuildRequires: bash-completion-devel
-%else
-BuildRequires: bash-completion
-%endif
-BuildRequires: gnupg2
 
 # Default components
 Requires: %{name}-firewalld = %{version}-%{release}
 Requires: %{name}-sendmail = %{version}-%{release}
 Requires: %{name}-server = %{version}-%{release}
+# Currently this breaks jails that don't log to the journal
+#Requires: %{name}-systemd = %{version}-%{release}
 
 
 %description
@@ -116,16 +75,20 @@ SELinux policies for Fail2Ban.
 
 %package server
 Summary: Core server component for Fail2Ban
+%if 0%{?rhel} && 0%{?rhel} < 8
+Requires: systemd-python
+Requires: ipset
+Requires: iptables
+%else
 Requires: python3-systemd
 Requires: nftables
+%endif
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
+
+%if 0%{?fedora}
 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-# see note above in BuildRequires section
-%if 0%{?fedora} || 0%{?rhel} >= 10
-Requires: python3-pyasyncore
-Requires: python3-pyasynchat
 %endif
 
 %description server
@@ -141,11 +104,17 @@ Requires: %{name}-hostsdeny = %{version}-%{release}
 Requires: %{name}-mail = %{version}-%{release}
 Requires: %{name}-sendmail = %{version}-%{release}
 Requires: %{name}-server = %{version}-%{release}
-%if %{with shorewall}
 Requires: %{name}-shorewall = %{version}-%{release}
-%endif
+# Currently this breaks jails that don't log to the journal
+#Requires: %{name}-systemd = %{version}-%{release}
 Requires: perl-interpreter
+%if 0%{?rhel} && 0%{?rhel} < 8
+Requires: python-inotify
+# No python3 support for gamin so epel only
+Requires: gamin-python
+%else
 Requires: python3-inotify
+%endif
 Requires: /usr/bin/whois
 
 %description all
@@ -184,7 +153,7 @@ This package contains Fail2Ban's testscases and scripts.
 %package mail
 Summary: Mail actions for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
-Requires: /usr/bin/mail
+Requires: mailx
 
 %description mail
 This package installs Fail2Ban's mail actions.  These are an alternative
@@ -201,7 +170,6 @@ This package installs Fail2Ban's sendmail actions.  This is the default
 mail actions for Fail2Ban.
 
 
-%if %{with shorewall}
 %package shorewall
 Summary: Shorewall support for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
@@ -220,7 +188,6 @@ Conflicts: %{name}-shorewall
 
 %description shorewall-lite
 This package enables support for manipulating shorewall rules.
-%endif
 
 
 %package systemd
@@ -233,44 +200,39 @@ by default.
 
 
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
 
 # Use Fedora paths
 sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
-
-# SELinux sources
-cp -p %SOURCE3 %SOURCE4 %SOURCE5 .
-
-%if %{defined legacy_var_run}
-sed -i 's|^/run/|/var/run/|' %{name}.fc
+%if 0%{?fedora} || 0%{?rhel} >= 8
+2to3 --write --nobackups .
+find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} +
 %endif
 
-# 2to3 has been removed from setuptools and we already use the binary in
-# %%prep.
-sed -i "/use_2to3/d" setup.py
-
-
-%generate_buildrequires
-%pyproject_buildrequires
+# SELinux sources
+cp -p %SOURCE1 %SOURCE2 %SOURCE3 .
 
 
 %build
-%pyproject_wheel
-make -f %SOURCE6
-
+%if 0%{?rhel} && 0%{?rhel} < 8
+%py2_build
+%else
+%py3_build
+%endif
+make -f %SOURCE4
 
 %install
-%pyproject_install
+%if 0%{?rhel} && 0%{?rhel} < 8
+%py2_install
+# Make symbolic link relative
+ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python
+%else
+%py3_install
 ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
-mv %{buildroot}%{python3_sitelib}/etc %{buildroot}
-mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir}
-rmdir %{buildroot}%{python3_sitelib}%{_prefix}
+%endif
 
 mkdir -p %{buildroot}%{_unitdir}
-# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite
-# so we will do our own modification
-sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service
+cp -p build/fail2ban.service %{buildroot}%{_unitdir}/
 mkdir -p %{buildroot}%{_mandir}/man{1,5}
 install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
@@ -281,7 +243,6 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
-mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d
 
 # Remove non-Linux actions
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
@@ -297,8 +258,8 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
 # the firewalld actions as the default actions.  You can remove this package
 # (along with the empty fail2ban meta-package) if you do not use firewalld
 [DEFAULT]
-banaction = firewallcmd-rich-rules
-banaction_allports = firewallcmd-rich-rules
+banaction = firewallcmd-rich-rules[actiontype=<multiport>]
+banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
 EOF
 
 # systemd journal configuration
@@ -319,14 +280,14 @@ rm -r %{buildroot}%{_docdir}/%{name}
 install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
 install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
 
-#BASH completion
-COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion)
-%__mkdir_p $COMPLETIONDIR
-%__install -p -m 644 files/bash-completion $COMPLETIONDIR/fail2ban
-
 
 %check
+%if 0%{?rhel} && 0%{?rhel} < 8
+# set locale to a UTF8 version as workaround to https://github.com/fail2ban/fail2ban/issues/2936
+LC_ALL=en_US.UTF-8 %python2 bin/fail2ban-testcases --verbosity=2 --no-network
+%else
 %python3 bin/fail2ban-testcases --verbosity=2 --no-network
+%endif
 
 
 %pre selinux
@@ -366,17 +327,21 @@ fi
 %{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
 %{_bindir}/fail2ban-server
+%if 0%{?rhel} && 0%{?rhel} < 8
+%{python2_sitelib}/*
+%exclude %{python2_sitelib}/fail2ban/tests
+%else
 %{python3_sitelib}/*
 %exclude %{python3_sitelib}/fail2ban/tests
+%endif
 %{_unitdir}/fail2ban.service
-%{_datadir}/bash-completion/
 %{_mandir}/man1/fail2ban.1*
 %{_mandir}/man1/fail2ban-client.1*
 %{_mandir}/man1/fail2ban-python.1*
 %{_mandir}/man1/fail2ban-regex.1*
 %{_mandir}/man1/fail2ban-server.1*
 %{_mandir}/man5/*.5*
-%config(noreplace) %{_sysconfdir}/fail2ban/
+%config(noreplace) %{_sysconfdir}/fail2ban
 %exclude %{_sysconfdir}/fail2ban/action.d/complain.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/mail.conf
@@ -403,7 +368,11 @@ fi
 %files tests
 %{_bindir}/fail2ban-testcases
 %{_mandir}/man1/fail2ban-testcases.1*
+%if 0%{?rhel} && 0%{?rhel} < 8
+%{python2_sitelib}/fail2ban/tests
+%else
 %{python3_sitelib}/fail2ban/tests
+%endif
 
 %files mail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
@@ -415,163 +384,23 @@ fi
 %files sendmail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
 
-%if %{with shorewall}
 %files shorewall
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
 
 %files shorewall-lite
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
-%endif
 
 %files systemd
 %config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf
 
 
 %changelog
-* Wed Dec 31 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-15
-- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.
+* Wed Oct 13 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-3
+- Address CVE-2021-32749.
 
-* Sat Oct 11 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-14
-- Cleanup old conditionals
-
-* Fri Oct 10 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-13
-- Fix paths in fail2ban.service (rhbz#2399981)
-
-* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.1.0-12
-- Rebuilt for Python 3.14.0rc3 bytecode
-
-* Thu Aug 21 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-11
-- Move from setup.py to wheels per
-  https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.
-
-* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.1.0-10
-- Rebuilt for Python 3.14.0rc2 bytecode
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 1.1.0-8
-- Rebuilt for Python 3.14
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Thu Dec 19 2024 Orion Poplawski <orion@nwra.com> - 1.1.0-6
-- Add upstream fix for sshd filter (rhbz#2332945)
-
-* Wed Oct 16 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-5
-- Add upstream patch for python distutils removal.
-
-* Sat Sep 28 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-4
-- Add patch to deal with changes to OpenSSL log output.
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jul 12 2024 Nils Philippsen <nils@tiptoe.de> - 1.1.0-2
-- Use SPDX license identifier
-- Use https upstream URL
-
-* Wed Jun 12 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-1
-- Update to 1.1.0 for Python 3.13 support.
-
-* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 1.0.2-16
-- Rebuilt for Python 3.13
-
-* Sat May 11 2024 Todd Zullinger <tmz@pobox.com> - 1.0.2-15
-- Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054)
-
-* Sun May 05 2024 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-14
-- Increment SELinux module version.
-- Tweak selinux regex for /run/fail2ban.
-
-* Thu Apr 25 2024 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-13
-- Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164
-  and RHBZ#2272476.
-
-* Thu Feb 22 2024 Orion Poplawski <orion@nwra.com> - 1.0.2-12
-- Allow watch on more logfiles
-
-* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-11
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Sep 27 2023 Adam Williamson <awilliam@redhat.com> - 1.0.2-9
-- Require pyasynchat and pyasyncore with Python 3.12+
-- Disable smtp tests on F39+ due to removal of smtpd from Python 3.12
-- Disable db repair test on F39+ as it's broken with sqlite 3.42.0+
-
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Mon Jun 26 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-7
-- exclude shorewall subpackage on epel9 (rhbz#2217649)
-
-* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 1.0.2-6
-- Rebuilt for Python 3.12
-
-* Tue Apr 04 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-5
-- Drop downstream python3.11 patch, upstream went with a different fix
-
-* Sun Apr 02 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-4
-- verify upstream source signature
-
-* Thu Mar 30 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-3
-- Add upstream patch to remove warning about allowipv6 (bz#2160781)
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Sat Dec 17 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-1
-- Update to 1.0.2.
-
-* Wed Nov 02 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.1-2
-- Add patch for dovecot eating 100% CPU.
-
-* Sun Oct 02 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.1-1
-- Update to 1.0.1.
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-14
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Wed Jun 15 2022 Python Maint <python-maint@redhat.com> - 0.11.2-13
-- Rebuilt for Python 3.11
-
-* Wed May 18 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-12
-- Fix SELinux policy to allow watch on var_log_t (bz#2083923)
-
-* Fri Jan 28 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-11
-- Require /usr/bin/mail instead of mailx
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Sun Sep 26 2021 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0.11.2-9
-- Fix CVE-2021-32749 RHBZ#1983223
-
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Mon Jun 07 2021 Python Maint <python-maint@redhat.com> - 0.11.2-7
-- Rebuilt for Python 3.10
-
-* Sun Jun 06 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-6
-- Update selinux policy for Fedora 34+
-
-* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 0.11.2-5
-- Rebuilt for Python 3.10
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.11.2-4
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Jan 06 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-2
-- Add patch to deal with a new century in tests (2021).
+* Thu Oct 07 2021 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0.11.2-2
+- Add upstream patch for issue #2904
+- Set locale to a UTF8 variant for tests
 
 * Tue Nov 24 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-1
 - Update to 0.11.2.

fail2ban.te

@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.5.1)
+policy_module(fail2ban, 1.5.0)
 
 ########################################
 #
@@ -88,6 +88,7 @@ files_read_etc_runtime_files(fail2ban_t)
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 
+fs_list_inotifyfs(fail2ban_t)
 fs_getattr_all_fs(fail2ban_t)
 
 auth_use_nsswitch(fail2ban_t)
@@ -99,13 +100,6 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
-# Not in EL9 yet
-#logging_watch_audit_log_files(fail2ban_t)
-logging_watch_all_log_files(fail2ban_t)
-logging_watch_all_log_dirs(fail2ban_t)
-logging_watch_audit_log_files(fail2ban_t)
-logging_watch_audit_log_dirs(fail2ban_t)
-logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)
 

gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc

@@ -1,29 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
-Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
-lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
-i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
-hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
-BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
-ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
-CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
-NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
-RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
-2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
-GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
-3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
-XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
-uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
-Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
-kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
-awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
-7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
-AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
-2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
-IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
-ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
-muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
-6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
-=vqSW
------END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1 @@
-SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821
+SHA512 (fail2ban-0.11.2.tar.gz) = 46b27abd947b00ea64106dbac563ef8afef38eec86684024d47d9a0e8c1969ff864ad6df7f4f8de2aa3eb1af6d769fb6796592d9f0e35521d5f95f17b8cade97