pool/apache2-mod_security2
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- package cleanup, coordinated with owasp-modsecurity-crs cleanup

Browse Source 
- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
  * Fixed ap_log_perror() usage
  * Memory leaks + enhanced logging
  * CI improvement: First check syntax & always display error/audit logs
  * Fixed assert() usage
  * Removed useless code
  * feat: Check if the MP header contains invalid character
  * Use standard httpd logging format in error log
  * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
  * Move xmlFree() call to the right place
  * Add collection size in log in case of writing error
  * Passing address of lock instead of lock in acquire_global_lock()
  * Invalid pointer access in case rule id == NOT_SET_P
  * Show error.log after httpd start in CI
  * chore: add pull request template
  * chore: add gitignore file
  * Possible double free
  * Set 'jit' variable's initial value
  * Missing null byte + optimization
  * fix: remove usage of insecure tmpname
  * docs: update copyright
  * Enhanced logging [Issue #3107]
  * Check for null pointer dereference (almost) everywhere
  * Fix possible segfault in collection_unpack
  * fix: Replace obsolete macros
  * chore: update bug-report-for-version-2-x.md
  * feat: Add more steps: install built module and restart the server
  * Add new flag: --without-lua
  * Initial release of CI worklow

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=97
This commit is contained in:
Petr Gajdos 2025-01-27 09:41:24 +00:00 committed by Git OBS Bridge
commit 7312016b17
18 changed files with 1092 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

13
README-SUSE-mod_security2.txt Normal file
View File

@ -0,0 +1,13 @@
#
# Dear Administrator,
#
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Your starting point for the configuration of mod_security2 is
# /etc/apache2/conf.d/mod_security2.conf .
# Please see that file for comments on how to activate the module
# and on how to assign rules.
#

23
README_SUSE Normal file
View File

@ -0,0 +1,23 @@
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Use
# # a2enmod unique_id
# # a2enmod security2
#
# to activate security2 module.
#
# Configuration directories:
# /etc/apache2/mod_security2.d is read first
# /etc/apache2/mod_security2.d/rules is read second
#
# owasp-modsecurity-crs and owasp-modsecurity-crs-apache2 can be installed.
# To test:
W
# curl 'http://localhost/?foo=/etc/passwd&bar=/bin/sh'
#
# sholud give 403 with appropriate entry in /var/log/apache2/modsec_audit.log
# and /var/log/apache2/error_log.
#
# See https://coreruleset.org/docs/1-getting-started/1-1-crs-installation/
# for details.

3
SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:637b53696e96f3855f8d4bc678dd67dc8a4ba1ce7da418dafc74524cbf36c92a
size 291337

35
apache2-mod_security2-gcc14.patch Normal file
View File

@ -0,0 +1,35 @@
Index: modsecurity-2.9.7/tests/msc_test.c
===================================================================
--- modsecurity-2.9.7.orig/tests/msc_test.c
+++ modsecurity-2.9.7/tests/msc_test.c
@@ -81,7 +81,7 @@ char DSOLOCAL *real_server_signature = N
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
char DSOLOCAL *remote_rules_fail_message = NULL;
module AP_MODULE_DECLARE_DATA security2_module = {
- NULL,
+ STANDARD20_MODULE_STUFF,
NULL,
NULL,
NULL,
Index: modsecurity-2.9.7/standalone/config.c
===================================================================
--- modsecurity-2.9.7.orig/standalone/config.c
+++ modsecurity-2.9.7/standalone/config.c
@@ -989,7 +989,7 @@ AP_DECLARE(const char *) process_fnmatch
const char *rootpath, *filepath = fname;
/* locate the start of the directories proper */
- status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
+ status = apr_filepath_root((const char **) &rootpath, (const char **) &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
/* we allow APR_SUCCESS and APR_EINCOMPLETE */
if (APR_ERELATIVE == status) {
@@ -1104,7 +1104,7 @@ ProcessInclude:
incpath = w;
/* locate the start of the directories proper */
- status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
+ status = apr_filepath_root((const char**) &rootpath, (const char **) &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
/* we allow APR_SUCCESS and APR_EINCOMPLETE */
if (APR_ERELATIVE == status) {

57
apache2-mod_security2-no_rpath.diff Normal file
View File

@ -0,0 +1,57 @@
Index: modsecurity-v2.9.8/apache2/Makefile.am
===================================================================
--- modsecurity-v2.9.8.orig/apache2/Makefile.am
+++ modsecurity-v2.9.8/apache2/Makefile.am
@@ -125,7 +125,7 @@ mod_security2_la_LDFLAGS = -module -avoi
endif
if LINUX
-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
+mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@APR_LDFLAGS@ \
@APU_LDFLAGS@ \
@APXS_LDFLAGS@ \
Index: modsecurity-v2.9.8/apache2/Makefile.in
===================================================================
--- modsecurity-v2.9.8.orig/apache2/Makefile.in
+++ modsecurity-v2.9.8/apache2/Makefile.in
@@ -743,7 +743,7 @@ libinjection/mod_security2_la-libinjecti
libinjection/$(DEPDIR)/$(am__dirstamp)
mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES)
- $(AM_V_CCLD)$(mod_security2_la_LINK) -rpath $(pkglibdir) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
+ $(AM_V_CCLD)$(mod_security2_la_LINK) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
Index: modsecurity-v2.9.8/build/libtool.m4
===================================================================
--- modsecurity-v2.9.8.orig/build/libtool.m4
+++ modsecurity-v2.9.8/build/libtool.m4
@@ -5079,7 +5079,7 @@ dnl Note also adjust exclude_expsyms for
# are reset later if shared libraries are not supported. Putting them
# here allows them to be overridden if necessary.
runpath_var=LD_RUN_PATH
- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
# ancient GNU ld didn't support --whole-archive et. al.
if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
@@ -5350,7 +5350,7 @@ _LT_EOF
# DT_RUNPATH tag from executables and libraries. But doing so
# requires that you compile everything twice, which is a pain.
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
else
@@ -6439,7 +6439,7 @@ if test yes != "$_lt_caught_CXX_error";
_LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
# If archive_cmds runs LD, not CC, wlarc should be empty

576
apache2-mod_security2.changes Normal file
View File

@ -0,0 +1,576 @@
-------------------------------------------------------------------
Tue Jan 21 13:28:24 UTC 2025 - pgajdos@suse.com
- package cleanup, coordinated with owasp-modsecurity-crs cleanup
- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
* Fixed ap_log_perror() usage
* Memory leaks + enhanced logging
* CI improvement: First check syntax & always display error/audit logs
* Fixed assert() usage
* Removed useless code
* feat: Check if the MP header contains invalid character
* Use standard httpd logging format in error log
* fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
* Move xmlFree() call to the right place
* Add collection size in log in case of writing error
* Passing address of lock instead of lock in acquire_global_lock()
* Invalid pointer access in case rule id == NOT_SET_P
* Show error.log after httpd start in CI
* chore: add pull request template
* chore: add gitignore file
* Possible double free
* Set 'jit' variable's initial value
* Missing null byte + optimization
* fix: remove usage of insecure tmpname
* docs: update copyright
* Enhanced logging [Issue #3107]
* Check for null pointer dereference (almost) everywhere
* Fix possible segfault in collection_unpack
* fix: Replace obsolete macros
* chore: update bug-report-for-version-2-x.md
* feat: Add more steps: install built module and restart the server
* Add new flag: --without-lua
* Initial release of CI worklow
* V2/fixbuildissue
* ; incorrectly replaced by space in cmdline
* Detailed error message when writing collections
* docs: Fix organization name in references and security e-mail (v2)
* ctl:ruleRemoveByTag isn't executed if no rule id is present in the rule
* Suppress useless loop on tag matching
* Optimization: Avoid last loop and storing an empty value in case nothing
after last %{..} macro
* Ignore (consistently) empty actions
* Add context info to error message
* Implement msre_action_phase_validate()
* Avoid some useless code and memory allocation in case no macro is present
* 'jit' variable not initialized when WITH_PCRE2 is defined
* Configure: do not check for pcre1 if pcre2 requested
* Double memory allocation
* Fix for DEBUG_CONF compile flag
* Enhance logging
* Fix possible segfault in collection_unpack
* Set the minimum security protocol version for SecRemoteRules
* Allow lua version 5.4
* Configure: do not check for pcre1 if pcre2 requested
* Check return code of apr_procattr_io_set()
* Do not escape special chars in rx pattern with macro
* Substitute two equals-equals operators in build
- modified patches
% apache2-mod_security2-no_rpath.diff (refreshed)
% modsecurity-2.9.3-input_filtering_errors.patch (refreshed)
% modsecurity-fixes.patch (refreshed)
- added sources
+ apache2-mod_security2.keyring
-------------------------------------------------------------------
Tue Jun 4 12:14:51 UTC 2024 - pgajdos@suse.com
- %autopatch instead of %patchN
- modified patches
% apache2-mod_security2-no_rpath.diff (refreshed)
-------------------------------------------------------------------
Tue Jun 4 11:03:29 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix patch application syntax: Use %patch -P N instead of
deprecated %patchN.
-------------------------------------------------------------------
Tue May 7 13:16:44 UTC 2024 - pgajdos@suse.com
- added patches
fix fix build with gcc14
+ apache2-mod_security2-gcc14.patch
-------------------------------------------------------------------
Tue Feb 20 11:02:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Sat Jul 15 17:09:55 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 2.9.7:
* Fix: FILES_TMP_CONTENT may sometimes lack complete content
* Support configurable limit on number of arguments processed
* Silence compiler warning about discarded const
* Support for JIT option for PCRE2
* Use uid for user if apr_uid_name_get() fails
* Fix: handle error with SecConnReadStateLimit configuration
* Only check for pcre2 install if required
* Adjustment of previous fix for log messages
* Mark apache error log messages as from mod_security2
* Use pkg-config to find libxml2 first
* Support for PCRE2 in mlogc
* Support for PCRE2
* Adjust parser activation rules in modsecurity.conf-
recommended
* Multipart parsing fixes and new MULTIPART_PART_HEADERS
collection
* Limit rsub null termination to where necessary
* IIS: Update dependencies for next planned release
* XML parser cleanup: NULL duplicate pointer
* Properly cleanup XML parser contexts upon completion
* Fix memory leak in streams
* Fix: negative usec on log line when data type long is 32b
* mlogc log-line parsing fails due to enhanced timestamp
* Allow no-key, single-value JSON body
* Set SecStatusEngine Off in modsecurity.conf-recommended
* Fix memory leak that occurs on JSON parsing error
* Multipart names/filenames may include single quote if double-
quote enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-
recommended
* IIS: Update dependencies for Windows build as of v2.9.5
* Support configurable limit on depth of JSON parsing
-------------------------------------------------------------------
Mon Jul 19 09:37:45 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
- Update to 2.9.4:
* Add microsec timestamp resolution to the formatted log timestamp
* Added missing Geo Countries
* Store temporaries in the request pool for regexes compiled per-request.
* Fix other usage of the global pool for request temporaries in re_operators.c
* Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
* Fix the order of error_msg validation
* When the input filter finishes, check whether we returned data
* fix: care non-null terminated chunk data
* Fix for apr_global_mutex_create() crashes with mod_security
* Fix inet addr handling on 64 bit big endian systems
- Run spec-cleaner
- Remove if/else for older version of SUSE distribution
-------------------------------------------------------------------
Tue Feb 23 07:49:57 UTC 2021 - pgajdos@suse.com
- version update to 2.9.3
* Enable optimization for large stream input by default on IIS
[Issue #1299 - @victorhora, @zimmerle]
* Allow 0 length JSON requests.
[Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
* Include unanmed JSON values in unnamed ARGS
[Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
* Fix buffer size for utf8toUnicode transformation
[Issue #1208 - @katef, @victorhora]
* Fix sanitizing JSON request bodies in native audit log format
[p0pr0ck5, @victorhora]
* IIS: Update Wix installer to bundle a supported CRS version (3.0)
[@victorhora, @zimmerle]
* IIS: Update dependencies for Windows build
[Issue #1848 - @victorhora, @hsluoyz]
* IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
[Issue #1299 - @victorhora]
* IIS: Update modsecurity.conf
[Issue #788 - @victorhora, @brianclark]
* Add sanity check for a couple malloc() and make code more resilient
[Issue #979 - @dogbert2, @victorhora, @zimmerl]
* Fix NetBSD build by renaming the hmac function to avoid conflicts
[Issue #1241 - @victorhora, @joerg, @sevan]
* IIS: Windows build, fix duplicate YAJL dir in script
[Issue #1612 - @allanbomsft, @victorhora]
* IIS: Remove body prebuffering due to no locking in modsecProcessRequest
[Issue #1917 - @allanbomsft, @victorhora]
* Fix mpm-itk / mod_ruid2 compatibility
[Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
* Code cosmetics: checks if actionset is not null before use it
[Issue #1556 - @marcstern, @zimmerle, @victorhora]
* Only generate SecHashKey when SecHashEngine is On
[Issue #1671 - @dmuey, @monkburger, @zimmerle]
* Docs: Reformat README to Markdown and update dependencies
[Issue #1857 - @hsluoyz, @victorhora]
* IIS: no lock on ProcessRequest. No reload of config.
[Issue #1826 - @allanbomsft]
* IIS: buffer request body before taking lock
[Issue #1651 - @allanbomsft]
* good practices: Initialize variables before use it
[Issue #1889 - Marc Stern]
* Let body parsers observe SecRequestBodyNoFilesLimit
[Issue #1613 - @allanbomsft]
* potential off by one in parse_arguments
[Issue #1799 - @tinselcity, @zimmerle]
* Fix utf-8 character encoding conversion
[Issue #1794 - @tinselcity, @zimmerle]
* Fix ip tree lookup on netmask content
[Issue #1793 - @tinselcity, @zimmerle]
* IIS: set overrideModeDefault to Allow so that individual websites can
add <ModSecurity ...> to their web.config file
[Issue #1781 - @default-kramer]
* modsecurity.conf-recommended: Fix spelling
[Issue #1721 - @padraigdoran]
* build: fix when multiple lines for curl version
[Issue #1771 - @Artistan]
* Fix arabic charset in unicode_mapping file
[Issue #1619 - @alaa-ahmed-a]
* Optionally preallocates memory when SecStreamInBodyInspection is on
[Issue #1366 - @allanbomsft, @zimmerle]
* Fixed typo in build_yajl.bat
[Issue #1366 - @allanbomsft]
* Fixes SecConnWriteStateLimit
[Issue #1545 - @nicjansma]
* Added "empy chunk" check
[Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
* Add capture action to @detectXSS operator
[Issue #1488, #1482 - @victorhora]
* Fix for wildcard operator when loading conf files on Nginx / IIS
[Issue #1486, #1285 - @victorhora and @thierry-f-78]
* Set of fixies to make windows build workable with the buildbots
[Commit 94fe3 - @zimmerle]
* Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
[Issue #1510 - @marcstern]
* Adds missing headers
[Issue #1454 - @devnexen]
- modified patches
% modsecurity-fixes.patch (fix crash caused by our patch)
[bsc#1180830]
- added patches
+ modsecurity-2.9.3-input_filtering_errors.patch
[bsc#1180830]
-------------------------------------------------------------------
Wed Feb 12 10:26:15 UTC 2020 - pgajdos@suse.com
- removing %apache_test_* macros, do not test module just by
loading the module
-------------------------------------------------------------------
Fri Dec 29 00:09:38 UTC 2017 - jengelh@inai.de
- Trim advertisement and filler wording from descriptions.
-------------------------------------------------------------------
Wed Dec 20 09:13:49 UTC 2017 - pgajdos@suse.com
- fix build for SLE_11_SP4: BuildRoot and %deffattr have to be
present
-------------------------------------------------------------------
Mon Oct 2 11:02:58 UTC 2017 - kstreitova@suse.com
- update to 2.9.2
* release notes
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2
* refresh apache2-mod_security2-no_rpath.diff
* remove apache2-mod_security2-lua-5.3.patch that was applied
upstream
- remove outdated html pages and diagram (they can be accessed
online at https://github.com/SpiderLabs/ModSecurity/wiki)
* Reference-Manual.html.bz2
* ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
* modsecurity_diagram_apache_request_cycle.jpg
- don't pack the whole doc directory as it contains also Makefiles
or doxygen configuration files
- disable mlogc as we don't pack it and it also can't be built for
curl <=7.34
- add basic and regression test suite (but disabled for now)
* add apache2-mod_security2_tests_conf.patch for apache2
configuration file used for tests that was trying to load
mpm_worker_module (it's static for our apache2 package)
* add "BuildRequires: perl-libwww-perl" needed for the test suite
-------------------------------------------------------------------
Wed Jun 21 10:16:28 UTC 2017 - dimstar@opensuse.org
- Update modsecurity-fixes.patch: additionally include netdb.h in
order to have gethostbyname defined.
-------------------------------------------------------------------
Thu Mar 23 15:14:11 UTC 2017 - kstreitova@suse.com
- cleanup with spec-cleaner
-------------------------------------------------------------------
Wed Jul 29 06:42:19 UTC 2015 - pgajdos@suse.com
- fix build for lua 5.3
+ apache2-mod_security2-lua-5.3.patch
-------------------------------------------------------------------
Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com
- Requries: %{apache_suse_maintenance_mmn}
This will pull this module to the update (in released distribution)
when apache maintainer thinks it is good (due api/abi changes).
-------------------------------------------------------------------
Mon Mar 2 14:46:15 UTC 2015 - tchvatal@suse.com
- Remove useless comment lines/whitespace
-------------------------------------------------------------------
Tue Feb 24 04:23:11 UTC 2015 - crrodriguez@opensuse.org
- spec, build: Respect optflags
- spec: buildrequire pkgconfig
- modsecurity-fixes.patch: mod_security fails at:
* building with optflags enabled due to undefined behaviour
and implicit declarations.
* It abuses it apr_allocator api, creating one allocator
per request and then destroying it, flooding the system
with mmap() , munmap requests, this is particularly nasty
with threaded mpms. it should instead use the allocator
from the request pool.
-------------------------------------------------------------------
Sat Feb 14 17:51:49 UTC 2015 - thomas.worm@sicsec.de
- Raised to version 2.9.0
- Updated patch: apache2-mod_security2-no_rpath.diff
(adapted lines)
-------------------------------------------------------------------
Mon Nov 3 09:41:02 UTC 2014 - pgajdos@suse.com
- call spec-cleaner
- use apache rpm macros
-------------------------------------------------------------------
Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de
- Portability: provide /etc/apache2/mod_security2.d/empty.conf
to avoid a non-match of the file-glob in the Include statement
from /etc/apache2/conf.d/mod_security2.conf . This restores
the Include back from the IncludeOptional, which is not portable.
- Source URL set to (expanded)
https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
-------------------------------------------------------------------
Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de
- Fixed spec file to work with older distribution versions.
Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
has to be called.
-------------------------------------------------------------------
Mon Jul 7 14:06:19 CEST 2014 - draht@suse.de
- last changelog does not say that
apache2-mod_security2-libtool-fix.diff was obsoleted.
-------------------------------------------------------------------
Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de
- BuildRequires: libtool missing
-------------------------------------------------------------------
Mon Jun 16 18:17:26 CEST 2014 - draht@suse.de
- apache2-mod_security2-libtool-fix.diff: initialize libtool.
-------------------------------------------------------------------
Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de
- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
in autoconf m4 macros. Obsoletes patch
modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build
-------------------------------------------------------------------
Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de
- OWASP rule set. [bnc#876878]
new in 2.8.0 (more complete changelog to add to last changelog):
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
now support white and suspicious list
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but
maintaned upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains
the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer
to hashes. See CHANGES file for more details.
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for
measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition
headers fixed.
-------------------------------------------------------------------
Thu May 1 05:06:15 UTC 2014 - thomas.worm@sicsec.de
- Raised to version 2.8.0.
- updated patches:
* modsecurity-apache_2.8.0-build_fix_pcre.diff
-> modsecurity-apache_2.7.7-build_fix_pcre.diff
-------------------------------------------------------------------
Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de
- Raised to version 2.7.7.
- modified patches:
* modsecurity-apache_2.7.5-build_fix_pcre.diff,
renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff.
-------------------------------------------------------------------
Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de
- Use correct source Url
-------------------------------------------------------------------
Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de
- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads
/usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
then /etc/apache2/mod_security2.d/*.conf , as set up based on
advice in /etc/apache2/conf.d/mod_security2.conf
Your configuration starting point is
/etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
linker parameter, preventing rpath in shared object.
- fixes contained for the following bugs:
* CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
* [bnc#768293] multi-part bypass, minor threat
* CVE-2013-1915 [bnc#813190] XML external entity vulnerability
* CVE-2012-4528 [bnc#789393] rule bypass
* CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but
maintaned upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains
the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer
to hashes. See CHANGES file for more details.
* new directive SecXmlExternalEntity, default off
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for
measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition
headers fixed.
* SDBM deadlock fix
* @rsub memory leak fix
* cookie separator code improvements
* build failure fixes
* compile time option --enable-htaccess-config (set)
-------------------------------------------------------------------
Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com
- license update: Apache-2.0 and GPL-2.0
Many of the files in the rules/ subdirectory are GPL-2.0 licensed
-------------------------------------------------------------------
Mon Aug 6 20:59:45 UTC 2012 - crrodriguez@opensuse.org
- Update to version 2.6.7, fixes build in apache 2.4
- Update spec file macros.
-------------------------------------------------------------------
Sat Sep 17 11:20:39 UTC 2011 - jengelh@medozas.de
- Remove redundant tags/sections from specfile
- Use %_smp_mflags for parallel build
-------------------------------------------------------------------
Wed Jul 6 04:33:49 CEST 2011 - draht@suse.de
- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
- SecUnicodeCodePage and SecUnicodeMapFile directives added
- fixed bug: SecRequestBodyLimit was truncating the real request
body
additional fixes from 2.6.0:
- buffering filter problems fixed
- memory leak fix when using MATCHED_VAR_NAMES
- SecWriteStateLimit added against slow DoS
additional fixes from 2.6.0 release candidates:
- optimizations
- bug in logging code fixed
- cleanup
- google safe browsing support
-------------------------------------------------------------------
Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de
- update to version 2.5.9
- Fixed parsing multipart content with a missing part header name
which would crash Apache. Discovered by "Internet Security
Auditors" (isecauditors.com).
- Added ability to specify the config script directly using
--with-apr and --with-apu.
- Added macro expansion for append/prepend action.
- Fixed race condition in concurrent updates of persistent
counters. Updates are now atomic.
- Cleaned up build, adding an option for verbose configure output
and making the mlogc build more portable.
- additional changes from 2.5.8
- Fixed PDF XSS issue where a non-GET request for a PDF file
would crash the Apache httpd process. Discovered by Steve
Grubb at Red Hat.
- Removed an invalid "Internal error: Issuing "%s" for
unspecified error." message that was logged when denying with
nolog/noauditlog set and causing the request to be audited.
- additional changes from 2.5.7
- Fixed XML DTD/Schema validation which will now fail after
request body processing errors, even if the XML parser returns
a document tree.
- Added ctl:forceRequestBodyVariable=on|off which, when enabled,
will force the REQUEST_BODY variable to be set when a request
body processor is not set. Previously the REQUEST_BODY target
was only populated by the URLENCODED request body processor.
- Integrated mlogc source.
- Fixed logging the hostname in the error_log which was logging
the request hostname instead of the Apache resolved hostname.
- Allow for disabling request body limit checks in phase:1.
- Added transformations for processing parity for legacy
protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
t:parityZero7bit
- Added t:cssDecode transformation to decode CSS escapes.
- Now log XML parsing/validation warnings and errors to be in the
debug log at levels 3 and 4, respectivly.
- build and package mlogc
- remove --with-apxs from the configure args as it breaks the build
configure now finds our apxs2
-------------------------------------------------------------------
Fri Jan 23 16:56:55 CET 2009 - skh@suse.de
- fix broken config [bnc#457200]
-------------------------------------------------------------------
Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de
- update to version 2.5.6
- initial submit to FACTORY
-------------------------------------------------------------------
Mon May 12 05:25:07 CEST 2008 - jg@internetx.de
-update to 2.1.7
-------------------------------------------------------------------
Thu Feb 3 05:44:12 CEST 2008 - jg@internetx.de
-update to 2.1.6
-------------------------------------------------------------------
Wed Aug 8 05:36:42 CEST 2007 - mrueckert@suse.de
- update to 2.1.2
-------------------------------------------------------------------
Mon Apr 16 10:34:05 CEST 2007 - mrueckert@suse.de
- update to 2.1.1
- switched to perl based patching instead of cmdline params for make
-------------------------------------------------------------------
Fri Sep 22 08:31:51 CEST 2006 - poeml@suse.de
- fix build (./install was vanished)

52
apache2-mod_security2.keyring Normal file
View File

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGW1M88BEACdOnF8zBA5RiSyv5V8vslhbqysNSkqsUmVvGnGoguI8kA0CRNU
YNdaxZ5E/WsZ0lbBNw/xjf9Wa52ZUCKHkGjR4DNxn0IZRjowYTYNxNWrSvdon9MY
XXAN6uomWtRFAbvLTo7VnV5NhrKnx8mXl0SgVDMveaQJ0NCa7onmFpVgNj+i1neU
fPiXqFl///dM6xNLL8DU3a2k42ZUUVYpcu94f78WFfGujePdgP1tHRP08JxfvvaZ
VnwpYHXJXjaoXCpiK4A6jj79BeZIgpEGLcYbI+mk+uIe7L81U4nRIOJgoYk8nIv8
0no+lS8KDzW3hnBDyzFp6bfyP1K4lM4vc6k1DHVBkUZT3C9CDdxgAbbfD0deq8yI
+5/q38mPAJ6gyicnskji25PzzxnzCRt73wQHCZ/x4RAwnKVeStYLtNqsDSk/Zm0n
qqOwZKf0DpMuwJUCQ2I5xYL/R5FthElL/QAQ9E0C2GG1kj5+V/4spsBwwzQ3Ct2x
ntnME4CInxWPfhlAAVLw28Zb/paExLGO28VcQHM8uBMMZXP4T5L+INbb2ax1WB2n
h3NzBrxzL3H47woWFmTcM1beqcqya5k/Q2tfTl1x4AmifOWXOytGqUpgiM6J2lSS
/0N0rbykep9JftaIZbj2TTVk2VKOv7KQdLUgFXmtPWmb12fVOpkhAfweVQARAQAB
tClPV0FTUCBNb2RTZWN1cml0eSA8bW9kc2VjdXJpdHlAb3dhc3Aub3JnPokCTgQT
AQgAOBYhBAsroZJAZbRGkSAqKtKG4CIUnw9uBQJltTPPAhsDBQsJCAcCBhUKCQgL
AgQWAgMBAh4BAheAAAoJENKG4CIUnw9u2C0P/jVJB7sCyDMAgyp0KkYynt7Qgf2q
WQFDVz/KoPqj1qZaKOBjScZbprgDMuqkDELqpAP4MuzhWjcL9CDTbSuu+YQhwfBo
5mkbBBElFVw5n1rkhY/mpSe+uSZBLOGp37PCqrc17ihXm27Z/d9+mS1bX61ScpOy
50r5rm1r9KG3bXTZRKkK+3bkR25Blapo4rDW8k6LzfmlfucsZ0/VZIol/+GOl3HX
9IPWbUmW7LwS7+SYPms6c6XrPa57v2RgZDb/MOULqeayUjiOMX6bAAlVYJaoQ1yp
VOO5kafResYHhK2Vz6oYvpR4va1KqkVEwOPsBmMmR0qQGtAqeE+yvI7Dm4mUZtYc
jZdx8CDCqgLz8xuGcO2ewenhxy50CkLpoNKvYIMcZo+s+EfL4M9TG+eMDZlEmgGG
rPk96uplna9aWZWYXO2rgZ8kj8G9yOuf+vQAAGh9se2iQmSUw0ph9Sex04VjJAD/
XQyDeS4Z1TT2TBhHf9+zxb8EsLiEjYzC1Rxj4wsr6uxJpXIdnSLusZ75z2ZpKtpU
O3aDcqMfosO+iocvKgy+TOWgF4SRjoVe/P5INHP/NMHrEX/ZAMqk0CE7jM2z9I/B
aZ2wK87djVaTRgk3x+i2run3hpGr3eKAm0P6lTKhS/zZ9NEa3L1XSzD7JwBEmRuS
70M0myS+bzhfB9VouQINBGW1M88BEACxgm1yOuZLy0IrMfW9DohAVDbspd3VjxjP
+uAF4ZPFuxyXP+Co9Rts3XsBZaPqyFOYknlvo0IBq6EPmsWpZ5jT2cbJyo9LZE4N
aGheccpin3kg1WN/sWdYPW2hlJhgOA/AKsyil0TDEYvGht1M1uz2Hf5d6kp1Ex5d
inVgKneVHTRyJp5jlvgzxYsJKlMX4S+5APo0IfXDiko6BA4ltmd0knQSn6owARkM
BOa4fxzknRZHmYmd24AhYzDShNCGVQHSFn1Pz+wD88FFOczDiPPiaEq8T2J8A15g
kxntWSa67d0R9k6arF3SEHA4YvSCzIQsdhXdnGJwgEl341qr6uant2PErAaWDIXT
XJ4e3oCMT73OW/lEawJvPSJYDDi03RgJBQcs4iN073zzwUIuaFV21RIUcGjRmwnX
mJ7ttyLGqYya88DgXT4zX3xm7un/ZkcRKL0KPNOWGoc2rl/XDMYChqgRvOOPaOlr
6oAF8jxTKnpWSI9edhg7PBAlpQtl3DPnJ8pg9KUvuledJnfIs6VjtbfsGwD7b7M+
LDVErH218SYsEJ61nmPBzomlJpb9T7TxImBbuP9H6QUq0FKeTk1dbc4bx2Msw7dM
b3AwIGgpS3T1zoS2au9daieoiZxFrjlsyut2DnuZ2XeWJts/VPW/JsREH3nSucQQ
sQVp0ToZtQARAQABiQI2BBgBCAAgFiEECyuhkkBltEaRICoq0obgIhSfD24FAmW1
M88CGwwACgkQ0obgIhSfD24gXQ//dsZRiGsiZ7rJ9MvFQvSMuKnjNVNhQYCzBO02
7RQDUKL/pcdjXNaAkGMP+60e6ipPBJPV1dEz2C8no1IBQokF7bMkC3u22dGywH4j
9ddtkE8qeJQ/7Dc+rS7w5dno8EzLiVW9088wm00NXydJ4FuqEpEvUHyEIIqBGPja
UheL5WzzAmPkYPNGAHNKoPp55aPrpcJAr1Dknv+fhptnzcPtNSia+NHeC/aBjPXQ
YBpzcGXbEuj/Jn0ugmMhLhDYQDc8uKmeYSp6p9PjIjZxry6ISGtAKNVJe5+xBKvt
AdotNiOl2ida9Z7RpmgpNqblCyTwIWfji66XCnvZHQzCdMBXfeO5MRvg6diVtcA2
CJYaiN6FvSWmolp47SRg1/bvRdNxe+IPBWPFufWmU/CrQOyfJy8/H3VjKuaHA0Ba
HyAgobm/kGjkQy2ZO/KMyjesqPcAL8CtKZ57Fzgus3UFIhANC+T6KtxQTIpj1nlN
OdWlYCl1FQXPc561Tgicv4oiJOXOOxiVlF0H3+ldBzijNviciaJcBCS+2clN2moY
GRQm4g0sSm1ItA57xD6dzjqdfN4X0lptKOoQyDfrTJZftuUUtU4xifnVIuWrtBsn
yNxo8FXdFKN9E5vHeAQsZRIXG66Ym0VqI+KhkMYzJpRN6SqZJNiFjdddmJhiCg7o
kKSFrwk=
=tFPe
-----END PGP PUBLIC KEY BLOCK-----

95
apache2-mod_security2.spec Normal file
View File

@ -0,0 +1,95 @@
#
# spec file for package apache2-mod_security2
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: apache2-mod_security2
Version: 2.9.8
Release: 0
Summary: Web Application Firewall for Apache httpd
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
URL: https://www.modsecurity.org/
Source0: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz
Source1: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz.asc
Source2: apache2-mod_security2.keyring
Source3: mod_security2.conf
Source4: README_SUSE
Patch0: apache2-mod_security2-no_rpath.diff
Patch1: modsecurity-fixes.patch
Patch2: apache2-mod_security2_tests_conf.patch
# https://github.com/SpiderLabs/ModSecurity/issues/2514
Patch3: modsecurity-2.9.3-input_filtering_errors.patch
# fix build with gcc14
Patch4: apache2-mod_security2-gcc14.patch
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel
BuildRequires: apache2-prefork
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: c++_compiler
BuildRequires: libcurl-devel
BuildRequires: libtool
BuildRequires: libxml2-devel
BuildRequires: lua53-devel
BuildRequires: pcre-devel
BuildRequires: perl-libwww-perl
BuildRequires: pkgconfig
Requires: %{apache_mmn}
Requires: %{apache_suse_maintenance_mmn}
Requires: apache2
Recommends: owasp-modsecurity-crs-apache2
%description
ModSecurity is an intrusion detection and prevention
engine for web applications (or a web application firewall). Operating
as an Apache Web server module or standalone, the purpose of
ModSecurity is to increase web application security, protecting web
applications from known and unknown attacks.
%prep
%autosetup -p1 -n modsecurity-v%{version}
cp %{SOURCE4} .
%build
aclocal
automake
%configure --with-apxs=%{apache_apxs} --enable-request-early --enable-htaccess-config --disable-mlogc
CFLAGS="%{optflags}" make %{?_smp_mflags}
%install
pushd apache2
install -d -m 0755 %{buildroot}%{apache_libexecdir}
install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/mod_security2.so
popd
mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d
mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d/rules
mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d/
cp -a %{SOURCE3} %{buildroot}%{apache_sysconfdir}/conf.d/
%check
make test
%files
%{apache_libexecdir}/mod_security2.so
%license LICENSE
%dir %{apache_sysconfdir}/mod_security2.d
%dir %{apache_sysconfdir}/mod_security2.d/rules
%dir %{apache_sysconfdir}/conf.d/
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_security2.conf
%doc README.md CHANGES NOTICE authors.txt README_SUSE
%changelog

14
apache2-mod_security2_tests_conf.patch Normal file
View File

@ -0,0 +1,14 @@
Index: modsecurity-2.9.2/tests/regression/server_root/conf/httpd.conf.in
===================================================================
--- modsecurity-2.9.2.orig/tests/regression/server_root/conf/httpd.conf.in
+++ modsecurity-2.9.2/tests/regression/server_root/conf/httpd.conf.in
@@ -14,9 +14,6 @@ LoadModule security2_module @MSC_BASE_DI
<IfModule !mod_unixd.c>
LoadModule unixd_module @APXS_LIBEXECDIR@/mod_unixd.so
</IfModule>
- <IfModule !mpm_worker_module>
- LoadModule mpm_worker_module @APXS_LIBEXECDIR@/mod_mpm_worker.so
- </IfModule>
LoadModule access_compat_module @APXS_LIBEXECDIR@/mod_access_compat.so
LoadModule authn_core_module @APXS_LIBEXECDIR@/mod_authn_core.so
LoadModule authz_core_module @APXS_LIBEXECDIR@/mod_authz_core.so

4
empty.conf Normal file
View File

@ -0,0 +1,4 @@
# This configuration file has been intentionally left empty to avoid errors
# resulting from an Include statement that matches no files.
# (IncludeOptional is available for apache > 2.4)
#

55
mod_security2.conf Normal file
View File

@ -0,0 +1,55 @@
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security2
SecDataDir /var/lib/mod_security2
IncludeOptional /etc/apache2/mod_security2.d/*.conf
IncludeOptional /etc/apache2/mod_security2.d/rules/*.conf
</IfModule>

82
modsecurity-2.9.3-input_filtering_errors.patch Normal file
View File

@ -0,0 +1,82 @@
Index: modsecurity-v2.9.8/apache2/apache2_io.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/apache2_io.c
+++ modsecurity-v2.9.8/apache2/apache2_io.c
@@ -222,6 +222,10 @@ apr_status_t read_request_body(modsec_re
* too large and APR_EGENERAL when the client disconnects.
*/
switch(rc) {
+ case AP_FILTER_ERROR :
+ *error_msg = apr_pstrdup(msr->mp, "Error reading request body: filter error");
+ return -8;
+
case APR_INCOMPLETE :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -7;
@@ -231,7 +235,7 @@ apr_status_t read_request_body(modsec_re
case APR_TIMEUP :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -4;
- case AP_FILTER_ERROR :
+ case APR_ENOSPC:
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
return -3;
case APR_EGENERAL :
Index: modsecurity-v2.9.8/apache2/mod_security2.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/mod_security2.c
+++ modsecurity-v2.9.8/apache2/mod_security2.c
@@ -1032,7 +1032,7 @@ static int hook_request_late(request_rec
}
rc = read_request_body(msr, &my_error_msg);
- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
+ if (rc < 0) {
switch(rc) {
case -1 :
if (my_error_msg != NULL) {
@@ -1040,6 +1040,21 @@ static int hook_request_late(request_rec
}
return HTTP_INTERNAL_SERVER_ERROR;
break;
+ case -2 : /* Bad request. */
+ case -6 : /* EOF when reading request body. */
+ case -7 : /* Partial recieved */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 4, "%s", my_error_msg);
+ }
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return HTTP_BAD_REQUEST;
+ break;
+ case -3 : /* Apache's LimitRequestBody. */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 1, "%s", my_error_msg);
+ }
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ break;
case -4 : /* Timeout. */
if (my_error_msg != NULL) {
msr_log(msr, 4, "%s", my_error_msg);
@@ -1061,19 +1076,11 @@ static int hook_request_late(request_rec
}
}
break;
- case -6 : /* EOF when reading request body. */
- if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
- }
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_BAD_REQUEST;
- break;
- case -7 : /* Partial recieved */
+ case -8 : /* Filter error. */
if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
+ msr_log(msr, 1, "%s", my_error_msg);
}
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_BAD_REQUEST;
+ return AP_FILTER_ERROR;
break;
default :
/* allow through */

3
modsecurity-2.9.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839
size 4320766

37
modsecurity-fixes.patch Normal file
View File

@ -0,0 +1,37 @@
Index: modsecurity-v2.9.8/apache2/msc_status_engine.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/msc_status_engine.c
+++ modsecurity-v2.9.8/apache2/msc_status_engine.c
@@ -40,6 +40,8 @@
#if (defined(__linux__) || defined(__gnu_linux__))
#include <linux/if.h>
#include <linux/sockios.h>
+#include <sys/ioctl.h>
+#include <netdb.h>
#endif
#ifdef HAVE_SYS_UTSNAME_H
#include <sys/utsname.h>
Index: modsecurity-v2.9.8/apache2/msc_remote_rules.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/msc_remote_rules.c
+++ modsecurity-v2.9.8/apache2/msc_remote_rules.c
@@ -797,6 +797,7 @@ next:
"compilation.";
return -1;
#endif
+ return -1;
}
Index: modsecurity-v2.9.8/apache2/msc_util.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/msc_util.c
+++ modsecurity-v2.9.8/apache2/msc_util.c
@@ -18,6 +18,7 @@
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <arpa/inet.h>
#include "msc_release.h"
#include "msc_util.h"

3
modsecurity-v2.9.8.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cd57bd37f6062dca39dc8fba8d3e8db7351c5095de1e9ce7c3aa3890bc95855f
size 4341347

16
modsecurity-v2.9.8.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEECyuhkkBltEaRICoq0obgIhSfD24FAmbXB9IACgkQ0obgIhSf
D24nAA//aT21bY/w4MWg72yhXoi0GzcsZ6JU1HwWH3Y+NYfHcmgnwH1FkLdZSGM0
P9iZE6HCphqSEctm7oHrKzzUAfvdJo+Qv1dKxFAYf7MT4IPfCH2JGXM5IfW6Nx9S
7dh37kR53x0a9oj9n2+m8jWVbCr8yW4t2bOsmLHH6eBqSKAMYNI01wOhH+4kexVH
d56CVIeZ2RmoT6t0KwnsBoLOFHFOr+sHCowlsjvHVB74r/c6bx5uDok6FVbCmEKI
ettqURJerKrqfR9L145pqjJXPuCZJuYDDm905CfsdnTmNs4v7Hgimo9n2BLARtHf
tG+SEpUxotMLEA2ZE6W+cd/AM2nIIJ/TvY/S3XBDb7mmQW33A6wopJ7tu2XZ5SJJ
Nw5n5v9x3K6UYU/NgjdHbgGxy9TVFqSYaAqSrVUVIz2GpM6Oj0wJ9f1Wtj+v9iim
FYO/dXta29D91RT/0SShX1GAfpt8220zDEX0T+6J71znKzPH5+5Cr+UoDLmIR35t
EVbKcGMZW/6hL1mUyHFbjJgKnhFtRoMPuXUSXPWRjfc3HekwrKQmT8oDfkhdqP+Y
WxNspOGyUjKchUvrnnSkZnlGZSPXamFQ7/DLWNFp3P/aT0NkRSa8S0mLvAmRxY51
HiMAP+AQcsUcLAw0z5Lh7d52UJzYdMaBfs+p+j5GC05qflBpetY=
=oDiC
-----END PGP SIGNATURE-----