Changes - j0ke.net Open Build Service

Difference Between Revision 33 and internetx:managed:testing / mod_security

[-] [+]	Changed	mod_security-ix.changes
@@ -1,96 +1,4 @@ ------------------------------------------------------------------- -Wed Jan 11 06:34:21 UTC 2023 - Carsten Schoene <carsten.schoene@internetx.com> - -- Update to release 2.9.7 - -------------------------------------------------------------------- -Thu Mar 17 10:30:16 UTC 2022 - Local OBS User <cs@linux-administrator.com> - -- Update to release 2.9.5 - -------------------------------------------------------------------- -Mon Aug 23 11:39:54 UTC 2021 - Local OBS User <cs@linux-administrator.com> - -- Update to release 2.9.4 - -------------------------------------------------------------------- -Wed Feb 5 09:52:49 UTC 2020 - Local OBS User <cs@linux-administrator.com> - -- Update to release 2.9.3 - -------------------------------------------------------------------- -Wed May 16 06:44:59 UTC 2018 - cs@linux-administrator.com - -- Update to release 2.9.2 - -------------------------------------------------------------------- -Thu Apr 9 09:26:32 UTC 2015 - cs@linux-administrator.com - -- Update to relesae 2.9.0 -- set PERL ENV var to /usr/bin/perl -- drop mlogc-disable-force-sslv3.patch (TLSv1 is default now) - -------------------------------------------------------------------- -Fri Aug 8 17:29:19 UTC 2014 - cs@linux-administrator.com - -- Update to release 2.8.0 - -------------------------------------------------------------------- -Sun Jan 5 16:20:52 UTC 2014 - cs@linux-administrator.com - -- enable --enable-htaccess-config - -------------------------------------------------------------------- -Thu Dec 19 23:23:46 UTC 2013 - cs@linux-administrator.com - -- Update to release 2.7.7 - -------------------------------------------------------------------- -Tue Jul 30 17:01:30 UTC 2013 - cs@linux-administrator.com - -- Update to release 2.7.5 - -------------------------------------------------------------------- -Thu Jul 11 19:33:18 UTC 2013 - cs@linux-administrator.com - -- build against asl-libxml2 for EL5 based systems - -------------------------------------------------------------------- -Sat Jun 29 17:00:16 UTC 2013 - cs@linux-administrator.com - -- added CVE-2013-2765.patch for 2.6.8 (included in 2.7.4) - -------------------------------------------------------------------- -Wed Jun 5 10:16:47 UTC 2013 - cs@linux-administrator.com - -- fix permissions in cleanup cron script - -------------------------------------------------------------------- -Mon May 27 17:02:32 UTC 2013 - cs@linux-administrator.com - -- Update to release 2.7.4 (only for >= SLE_11, >= EL6) - -------------------------------------------------------------------- -Fri Mar 29 17:31:45 UTC 2013 - cs@linux-administrator.com - -- Update to release 2.7.3 (only for >= SLE_11, >= EL6) - -------------------------------------------------------------------- -Fri Jan 25 20:10:39 UTC 2013 - cs@linux-administrator.com - -- Update to release 2.7.2 (only for >= SLE_11, >= EL6) - -------------------------------------------------------------------- -Sat Dec 29 10:33:37 UTC 2012 - cs@linux-administrator.com - -- Update to release 2.7.1 (only for >= SLE_11, >= EL6) - -------------------------------------------------------------------- -Wed Oct 3 08:10:36 UTC 2012 - cs@linux-administrator.com - -- Update to release 2.6.8 - -------------------------------------------------------------------- Sun Jul 29 15:58:38 UTC 2012 - cs@linux-administrator.com - Update to release 2.6.7
[-] [+]	Changed	mod_security-ix.spec ^
@@ -1,36 +1,11 @@ -%define aslxml 1 -%define pkgname modsecurity- Summary: Security module for the Apache HTTP Server Name: mod_security -%if 0%{?centos_version} >= 6 \|\| 0%{?rhel_version} >= 600 \|\| 0%{?sl_version} >= 600 \|\| 0%{?suse_version} >= 1110 \|\| 0%{?sles_version} >= 11 -%define pkgversion 2.9.7 -%define oldver 0 -%define _aslxml 0 -%define epoch 1 -BuildRequires: libxml2-devel -%else -%if %{aslxml} -%define pkgversion 2.9.7 -%define oldver 0 -%define _aslxml 1 -%define epoch 1 -BuildRequires: asl-libxml2-devel -%else -%define pkgversion 2.6.8 -%define pkgname modsecurity-apache_ -%define oldver 1 -%define _aslxml 0 -%define epoch 0 -BuildRequires: libxml2-devel -%endif -%endif -Version: %{pkgversion} -Epoch: %{epoch} -Release: 35 +Version: 2.6.7 +Release: 30 License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons -Source: http://www.modsecurity.org/download/%{pkgname}%{version}.tar.bz2 +Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.bz2 %if 0%{?rhel_version} \|\| 0%{?centos_version} \|\| 0%{?sl_version} \|\| 0%{?redhat_version} Source1: 00_mod_security.conf Source2: modsecurity_crs_10_config-default.conf @@ -44,18 +19,13 @@ Source5: modsec-clamscan.pl Source6: modsec-clean_var-asl-data-audit Patch1: waf-label.patch -Patch2: modsecurity-2.9.1_curl-lower_7.34.patch -Patch50: CVE-2013-2765.patch +Patch2: mlogc-disable-force-sslv3.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if 0%{?rhel_version} \|\| 0%{?centos_version} \|\| 0%{?sl_version} \|\| 0%{?redhat_version} Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn \|\| echo missing) BuildRequires: httpd-devel pkgconfig lua-devel Requires: lua -%if 0%{?rhel} >= 7 -%define apxs %{_bindir}/apxs -%else %define apxs %{_sbindir}/apxs -%endif %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) ##%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) %define apache_sysconfdir /etc/httpd @@ -79,10 +49,9 @@ Provides: apache2-mod_security2 = %{version} %endif -BuildRequires: pcre-devel libtool curl-devel +BuildRequires: libxml2-devel pcre-devel libtool curl-devel BuildRequires: curl -BuildRequires: autoconf automake Requires: libxml2 pcre Provides: ix-mod_security = %{version} @@ -92,28 +61,20 @@ as a powerful umbrella - shielding web applications from attacks. %prep -%setup -n %{pkgname}%{version} +%setup -n modsecurity-apache_%{version} %patch1 -p1 -%patch2 -p0 -%if 0%{?oldver} == 1 -%patch50 -p1 -%endif +%patch2 %build CFLAGS="%{optflags}" export CFLAGS -export PERL=/usr/bin/perl - -[ ! -f configure ] && ./autogen.sh %configure \ -%if 0%{_aslxml} == 1 - --with-libxml=/var/asl/usr/ \ -%endif - --enable-pcre-match-limit=no \ - --enable-pcre-match-limit-recursion=no \ - --enable-pcre-study \ - --enable-htaccess-config + --disable-pcre-match-limit \ + --disable-pcre-match-limit-recursion + +# Legacy from LoadFile +#perl -pi.orig -e 's\|LIBDIR\|%{_libdir}\|;' %{SOURCE1} make %{_smp_mflags} @@ -134,7 +95,6 @@ install -D -m644 %{SOURCE4} %{buildroot}/%{apache_sysconfdir}/modsec/zzz_asl_custom_local_exclude.conf install -D -m755 %{SOURCE5} %{buildroot}%{_bindir}/modsec-clamscan.pl install -D -m755 %{SOURCE6} %{buildroot}%{_sysconfdir}/cron.daily/modsec-clean_var-asl-data-audit -sed -i s@"%APAUSR%:%APAGRP%"@"%{apache_usr}:%{apache_grp}"@g %{buildroot}%{_sysconfdir}/cron.daily/modsec-clean_var-asl-data-audit mkdir -p %{buildroot}/var/log/mlogc/data install -D -m755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
[-] [+]	Deleted	CVE-2013-2765.patch ^
@@ -1,10 +0,0 @@ ---- modsecurity-apache_2.6.8/apache2/msc_reqbody.c.orig 2013-06-29 18:56:31.446864803 +0200 -+++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c 2013-06-29 18:56:45.354863561 +0200 -@@ -170,6 +170,7 @@ - - /* Would storing this chunk mean going over the limit? / - if ((msr->msc_reqbody_spilltodisk) -+ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON) - && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit)) - { - msc_data_chunk *chunks;
[-] [+]	Deleted	modsecurity-2.9.1_curl-lower_7.34.patch ^
@@ -1,60 +0,0 @@ ---- mlogc/mlogc.c.orig 2016-06-02 09:15:03.283648355 +0200 -+++ mlogc/mlogc.c 2016-06-02 10:59:44.378377602 +0200 -@@ -1270,33 +1270,36 @@ - } - - -- /* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl -- * < v7.34.0 -- * -- * version_num is a 24 bit number created like this: -- * <8 bits major number> \| <8 bits minor number> \| <8 bits patch number>. -- / -- switch (tlsprotocol) { -- case 0: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0); -- break; -- case 1: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); -- break; -- case 2: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -- break; -- default: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -- break; -- } - cmaj = curlversion->version_num >> 16; - cmin = (curlversion->version_num & 0x00ff00) >> 8; - cpat = (curlversion->version_num & 0x0000ff); - / If cURL version < v7.34.0, use TLS v1.x / - if (cmaj <= 7 && cmin < 34) { - curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); -- } -+#ifdef CURL_SSLVERSION_TLSv1_0 -+ } else { -+ / Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl -+ * < v7.34.0 -+ * -+ * version_num is a 24 bit number created like this: -+ * <8 bits major number> \| <8 bits minor number> \| <8 bits patch number>. -+ */ -+ switch (tlsprotocol) { -+ case 0: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0); -+ break; -+ case 1: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); -+ break; -+ case 2: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -+ break; -+ default: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -+ break; -+ } -+#endif -+ } - - curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15); - curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
[-] [+]	Changed	modsec-clamscan.pl ^
@@ -27,7 +27,7 @@ my ($FILE) = @ARGV; -$cmd = "$CLAMSCAN --stdout --no-summary $FILE"; +$cmd = "$CLAMSCAN --stdout --disable-summary $FILE"; $input = `$cmd`; $input =~ m/^(.+)/; $error_message = $1;
[-] [+]	Changed	modsec-clean_var-asl-data-audit ^
@@ -1,5 +1,4 @@ #!/bin/bash -nice -n 19 find /var/asl/data/audit -type d -mindepth 1 -cmin +30 -print0 \| xargs -r -0 rm -rf +nice -n 19 find /var/asl/data/audit -type d -cmin +30 -print0 \| xargs -r -0 rm -rf mkdir -p /var/asl/data/audit -chown -R %APAUSR%:%APAGRP% /var/asl/data/audit [ -x /usr/local/bin/modsec-permissions ] && /usr/local/bin/modsec-permissions \|\| :
	Deleted	modsecurity-2.8.0.tar.bz2 ^
	Deleted	modsecurity-2.9.0.tar.bz2 ^
	Deleted	modsecurity-2.9.2.tar.bz2 ^
	Deleted	modsecurity-2.9.3.tar.bz2 ^
	Deleted	modsecurity-2.9.4.tar.bz2 ^
	Deleted	modsecurity-2.9.5.tar.bz2 ^
	Deleted	modsecurity-2.9.7.tar.bz2 ^
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/CHANGES ^
@@ -1,13 +1,8 @@ -25 Sep 2012 - 2.6.8 -------------------- - - * Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae. - - * Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic. - 23 Jul 2012 - 2.6.7 ------------------- + * Fixed PCRE mismtach version warning message (Thanks Victor Julien). + * Fixed explicit target replacement using SecUpdateTargetById was broken. * The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/mod_security2.c ^
@@ -84,7 +84,7 @@ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Loaded APR do not match with compiled!"); } - pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR); + pcre_vrs = apr_psprintf(mp,"%d.%02d", PCRE_MAJOR, PCRE_MINOR); ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, "ModSecurity: PCRE compiled version=\"%s\"; "
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/msc_release.h ^
@@ -38,7 +38,7 @@ #define MODSEC_VERSION_MAJOR "2" #define MODSEC_VERSION_MINOR "6" -#define MODSEC_VERSION_MAINT "8" +#define MODSEC_VERSION_MAINT "7" #define MODSEC_VERSION_TYPE "" #define MODSEC_VERSION_RELEASE ""
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/re.c ^
@@ -52,7 +52,7 @@ char myvalue = NULL, myname = NULL; const apr_array_header_t tarr = NULL; const apr_table_entry_t telts = NULL; - int i, match = 0; + int i, match; if(msr == NULL) return 0; @@ -107,7 +107,6 @@ name = apr_strtok(variable,":",&value); } else { name = variable; - value = NULL; } if((strlen(myname) == strlen(name)) && @@ -149,7 +148,7 @@ } - if(match == 1) + if(match) return 1; return 0; @@ -2385,8 +2384,8 @@ } /* Keep track of the highest severity matched so far */ - if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity) - && !rule->actionset->is_chained) { + if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity)) + { msr->highest_severity = acting_actionset->severity; }
	Deleted	modsecurity-apache_2.7.4.tar.bz2 ^
	Deleted	modsecurity-apache_2.7.5.tar.bz2 ^
	Deleted	modsecurity-apache_2.7.7.tar.bz2 ^