From 7312016b17e3ae80651640170757d0eccace8a63c5031a4cba406a95d29c0fc0 Mon Sep 17 00:00:00 2001 
From: Petr Gajdos Date: Mon, 27 Jan 2025 09:41:24 +0000 Subject: [PATCH] - package cleanup, coordinated with owasp-modsecurity-crs cleanup - version update to 2.9.8 (changed upstream: Trustwave -> OWASP) * Fixed ap_log_perror() usage * Memory leaks + enhanced logging * CI improvement: First check syntax & always display error/audit logs * Fixed assert() usage * Removed useless code * feat: Check if the MP header contains invalid character * Use standard httpd logging format in error log * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check * Move xmlFree() call to the right place * Add collection size in log in case of writing error * Passing address of lock instead of lock in acquire_global_lock() * Invalid pointer access in case rule id == NOT_SET_P * Show error.log after httpd start in CI * chore: add pull request template * chore: add gitignore file * Possible double free * Set 'jit' variable's initial value * Missing null byte + optimization * fix: remove usage of insecure tmpname * docs: update copyright * Enhanced logging [Issue #3107] * Check for null pointer dereference (almost) everywhere * Fix possible segfault in collection_unpack * fix: Replace obsolete macros * chore: update bug-report-for-version-2-x.md * feat: Add more steps: install built module and restart the server * Add new flag: --without-lua * Initial release of CI worklow OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=97 --- .gitattributes | 23 + .gitignore | 1 + README-SUSE-mod_security2.txt | 13 + README_SUSE | 23 + ...sp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz | 3 + apache2-mod_security2-gcc14.patch | 35 ++ apache2-mod_security2-no_rpath.diff | 57 ++ apache2-mod_security2.changes | 576 ++++++++++++++++++ apache2-mod_security2.keyring | 52 ++ apache2-mod_security2.spec | 95 +++ apache2-mod_security2_tests_conf.patch | 14 + empty.conf | 4 + mod_security2.conf | 55 ++ ...ecurity-2.9.3-input_filtering_errors.patch | 82 +++ 
modsecurity-2.9.7.tar.gz | 3 + modsecurity-fixes.patch | 37 ++ modsecurity-v2.9.8.tar.gz | 3 + modsecurity-v2.9.8.tar.gz.asc | 16 +
 18 files changed, 1092 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 README-SUSE-mod_security2.txt
 create mode 100644 README_SUSE
 create mode 100644 SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
 create mode 100644 apache2-mod_security2-gcc14.patch
 create mode 100644 apache2-mod_security2-no_rpath.diff
 create mode 100644 apache2-mod_security2.changes
 create mode 100644 apache2-mod_security2.keyring
 create mode 100644 apache2-mod_security2.spec
 create mode 100644 apache2-mod_security2_tests_conf.patch
 create mode 100644 empty.conf
 create mode 100644 mod_security2.conf
 create mode 100644 modsecurity-2.9.3-input_filtering_errors.patch
 create mode 100644 modsecurity-2.9.7.tar.gz
 create mode 100644 modsecurity-fixes.patch
 create mode 100644 modsecurity-v2.9.8.tar.gz
 create mode 100644 modsecurity-v2.9.8.tar.gz.asc
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README-SUSE-mod_security2.txt b/README-SUSE-mod_security2.txt
new file mode 100644
index 0000000..ed8e241
--- /dev/null
+++ b/README-SUSE-mod_security2.txt
@@ -0,0 +1,13 @@
+
+#
+# Dear Administrator,
+#
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Your starting point for the configuration of mod_security2 is
+# /etc/apache2/conf.d/mod_security2.conf .
+# Please see that file for comments on how to activate the module
+# and on how to assign rules.
+#
+
diff --git a/README_SUSE b/README_SUSE
new file mode 100644
index 0000000..4f11897
--- /dev/null
+++ b/README_SUSE
@@ -0,0 +1,23 @@
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Use
+# # a2enmod unique_id
+# # a2enmod security2
+#
+# to activate security2 module.
+#
+# Configuration directories:
+# /etc/apache2/mod_security2.d is read first
+# /etc/apache2/mod_security2.d/rules is read second
+#
+# owasp-modsecurity-crs and owasp-modsecurity-crs-apache2 can be installed.
+# To test:
+W
+# curl 'http://localhost/?foo=/etc/passwd&bar=/bin/sh'
+#
+# sholud give 403 with appropriate entry in /var/log/apache2/modsec_audit.log
+# and /var/log/apache2/error_log.
+#
+# See https://coreruleset.org/docs/1-getting-started/1-1-crs-installation/
+# for details.
diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
new file mode 100644
index 0000000..f6fa190
--- /dev/null
+++ b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:637b53696e96f3855f8d4bc678dd67dc8a4ba1ce7da418dafc74524cbf36c92a
+size 291337
diff --git a/apache2-mod_security2-gcc14.patch b/apache2-mod_security2-gcc14.patch
new file mode 100644
index 0000000..00ec97a
--- /dev/null
+++ b/apache2-mod_security2-gcc14.patch
@@ -0,0 +1,35 @@
+Index: modsecurity-2.9.7/tests/msc_test.c
+===================================================================
+--- modsecurity-2.9.7.orig/tests/msc_test.c
++++ modsecurity-2.9.7/tests/msc_test.c
+@@ -81,7 +81,7 @@ char DSOLOCAL *real_server_signature = N
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
+ module AP_MODULE_DECLARE_DATA security2_module = {
+- NULL,
++ STANDARD20_MODULE_STUFF,
+ NULL,
+ NULL,
+ NULL,
+Index: modsecurity-2.9.7/standalone/config.c
+===================================================================
+--- modsecurity-2.9.7.orig/standalone/config.c
++++ modsecurity-2.9.7/standalone/config.c
+@@ -989,7 +989,7 @@ AP_DECLARE(const char *) process_fnmatch
+ const char *rootpath, *filepath = fname;
+ 
+ /* locate the start of the directories proper */
+- status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
++ status = apr_filepath_root((const char **) &rootpath, (const char **) &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
+ 
+ /* we allow APR_SUCCESS and APR_EINCOMPLETE */
+ if (APR_ERELATIVE == status) {
+@@ -1104,7 +1104,7 @@ ProcessInclude:
+ incpath = w;
+ 
+ /* locate the start of the directories proper */
+- status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
++ status = apr_filepath_root((const char**) &rootpath, (const char **) &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
+ 
+ /* we allow APR_SUCCESS and APR_EINCOMPLETE */
+ if (APR_ERELATIVE == status) {
diff --git a/apache2-mod_security2-no_rpath.diff b/apache2-mod_security2-no_rpath.diff
new file mode 100644
index 0000000..a0aa4ad
--- /dev/null
+++ b/apache2-mod_security2-no_rpath.diff
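Review bot: The two standalone/config.c hunks silence the apr_filepath_root() type mismatch with call-site casts rather than by fixing the declarations the call writes through; in the first hunk the visible `const char *rootpath, *filepath = fname;` already has the type the cast produces, so `(const char **) &rootpath` there looks redundant, and in the second hunk incpath is declared outside the hunk, so if it is a plain `char *` the cast only hides the const-discard the compiler reported. Declaring that variable `const char *` and dropping the casts would be the type-correct fix, provided nothing later writes through it — its declaration and the rest of process_fnmatch / the ProcessInclude block are not in view. The nested headers still name modsecurity-2.9.7 while the package now ships modsecurity-v2.9.8 and the changelog entry in this commit lists this patch neither as refreshed nor dropped, so it is worth confirming the 2.9.8 tree still needs it.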
@@ -0,0 +1,57 @@
+Index: modsecurity-v2.9.8/apache2/Makefile.am
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/Makefile.am
++++ modsecurity-v2.9.8/apache2/Makefile.am
+@@ -125,7 +125,7 @@ mod_security2_la_LDFLAGS = -module -avoi
+ endif
+ 
+ if LINUX
+-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @APR_LDFLAGS@ \
+ @APU_LDFLAGS@ \
+ @APXS_LDFLAGS@ \
+Index: modsecurity-v2.9.8/apache2/Makefile.in
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/Makefile.in
++++ modsecurity-v2.9.8/apache2/Makefile.in
+@@ -743,7 +743,7 @@ libinjection/mod_security2_la-libinjecti
+ libinjection/$(DEPDIR)/$(am__dirstamp)
+ 
+ mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES)
+- $(AM_V_CCLD)$(mod_security2_la_LINK) -rpath $(pkglibdir) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
++ $(AM_V_CCLD)$(mod_security2_la_LINK) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
+ 
+ mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+Index: modsecurity-v2.9.8/build/libtool.m4
+===================================================================
+--- modsecurity-v2.9.8.orig/build/libtool.m4
++++ modsecurity-v2.9.8/build/libtool.m4
+@@ -5079,7 +5079,7 @@ dnl Note also adjust exclude_expsyms for
+ # are reset later if shared libraries are not supported. Putting them
+ # here allows them to be overridden if necessary.
+ runpath_var=LD_RUN_PATH
+- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+@@ -5350,7 +5350,7 @@ _LT_EOF
+ # DT_RUNPATH tag from executables and libraries. But doing so
+ # requires that you compile everything twice, which is a pain.
+ if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+@@ -6439,7 +6439,7 @@ if test yes != "$_lt_caught_CXX_error";
+ _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+ 
+- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+ 
+ # If archive_cmds runs LD, not CC, wlarc should be empty
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
new file mode 100644
index 0000000..8c33e6e
--- /dev/null
+++ b/apache2-mod_security2.changes
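Review bot: The Makefile.in hunk patches a generated file: the changelog entries added in this same commit say the build runs aclocal/automake (autoreconf on older releases), which presumably regenerates Makefile.in from Makefile.am and would put `-rpath $(pkglibdir)` back on the `mod_security2.la:` link line, so that hunk is either overwritten before it takes effect or, if automake is skipped, the only one of the three that does anything. The patch should say which; either drop the Makefile.in hunk or prefix the patch with a one-line note such as `# Makefile.in hunk only matters for builds that do not re-run automake; libtool.m4 covers the regenerated case`. The three libtool.m4 hunks set hardcode_libdir_flag_spec to a single space rather than an empty string; if that is deliberate (to keep libtool from treating the spec as unset), a short comment in the patch header would keep the next refresh from "tidying" it into something that changes behaviour.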
@@ -0,0 +1,576 @@ +------------------------------------------------------------------- +Tue Jan 21 13:28:24 UTC 2025 - pgajdos@suse.com + +- package cleanup, coordinated with owasp-modsecurity-crs cleanup +- version update to 2.9.8 (changed upstream: Trustwave -> OWASP) + * Fixed ap_log_perror() usage + * Memory leaks + enhanced logging + * CI improvement: First check syntax & always display error/audit logs + * Fixed assert() usage + * Removed useless code + * feat: Check if the MP header contains invalid character + * Use standard httpd logging format in error log + * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check + * Move xmlFree() call to the right place + * Add collection size in log in case of writing error + * Passing address of lock instead of lock in acquire_global_lock() + * Invalid pointer access in case rule id == NOT_SET_P + * Show error.log after httpd start in CI + * chore: add pull request template + * chore: add gitignore file + * Possible double free + * Set 'jit' variable's initial value + * Missing null byte + optimization + * fix: remove usage of insecure tmpname + * docs: update copyright + * Enhanced logging [Issue #3107] + * Check for null pointer dereference (almost) everywhere + * Fix possible segfault in collection_unpack + * fix: Replace obsolete macros + * chore: update bug-report-for-version-2-x.md + * feat: Add more steps: install built module and restart the server + * Add new flag: --without-lua + * Initial release of CI worklow + * V2/fixbuildissue + * ; incorrectly replaced by space in cmdline + * Detailed error message when writing collections + * docs: Fix organization name in references and security e-mail (v2) + * ctl:ruleRemoveByTag isn't executed if no rule id is present in the rule + * Suppress useless loop on tag matching + * Optimization: Avoid last loop and storing an empty value in case nothing + after last %{..} macro + * Ignore (consistently) empty actions + * Add context info to error message + * Implement 
msre_action_phase_validate() + * Avoid some useless code and memory allocation in case no macro is present + * 'jit' variable not initialized when WITH_PCRE2 is defined + * Configure: do not check for pcre1 if pcre2 requested + * Double memory allocation + * Fix for DEBUG_CONF compile flag + * Enhance logging + * Fix possible segfault in collection_unpack + * Set the minimum security protocol version for SecRemoteRules + * Allow lua version 5.4 + * Configure: do not check for pcre1 if pcre2 requested + * Check return code of apr_procattr_io_set() + * Do not escape special chars in rx pattern with macro + * Substitute two equals-equals operators in build +- modified patches + % apache2-mod_security2-no_rpath.diff (refreshed) + % modsecurity-2.9.3-input_filtering_errors.patch (refreshed) + % modsecurity-fixes.patch (refreshed) +- added sources + + apache2-mod_security2.keyring + +------------------------------------------------------------------- +Tue Jun 4 12:14:51 UTC 2024 - pgajdos@suse.com + +- %autopatch instead of %patchN +- modified patches + % apache2-mod_security2-no_rpath.diff (refreshed) + +------------------------------------------------------------------- +Tue Jun 4 11:03:29 UTC 2024 - Dominique Leuenberger + +- Fix patch application syntax: Use %patch -P N instead of + deprecated %patchN. + +------------------------------------------------------------------- +Tue May 7 13:16:44 UTC 2024 - pgajdos@suse.com + +- added patches + fix fix build with gcc14 + + apache2-mod_security2-gcc14.patch + +------------------------------------------------------------------- +Tue Feb 20 11:02:36 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. 
+ +------------------------------------------------------------------- +Sat Jul 15 17:09:55 UTC 2023 - Dirk Müller + +- update to 2.9.7: + * Fix: FILES_TMP_CONTENT may sometimes lack complete content + * Support configurable limit on number of arguments processed + * Silence compiler warning about discarded const + * Support for JIT option for PCRE2 + * Use uid for user if apr_uid_name_get() fails + * Fix: handle error with SecConnReadStateLimit configuration + * Only check for pcre2 install if required + * Adjustment of previous fix for log messages + * Mark apache error log messages as from mod_security2 + * Use pkg-config to find libxml2 first + * Support for PCRE2 in mlogc + * Support for PCRE2 + * Adjust parser activation rules in modsecurity.conf- + recommended + * Multipart parsing fixes and new MULTIPART_PART_HEADERS + collection + * Limit rsub null termination to where necessary + * IIS: Update dependencies for next planned release + * XML parser cleanup: NULL duplicate pointer + * Properly cleanup XML parser contexts upon completion + * Fix memory leak in streams + * Fix: negative usec on log line when data type long is 32b + * mlogc log-line parsing fails due to enhanced timestamp + * Allow no-key, single-value JSON body + * Set SecStatusEngine Off in modsecurity.conf-recommended + * Fix memory leak that occurs on JSON parsing error + * Multipart names/filenames may include single quote if double- + quote enclosed + * Add SecRequestBodyJsonDepthLimit to modsecurity.conf- + recommended + * IIS: Update dependencies for Windows build as of v2.9.5 + * Support configurable limit on depth of JSON parsing + +------------------------------------------------------------------- +Mon Jul 19 09:37:45 UTC 2021 - Danilo Spinella + +- Update to 2.9.4: + * Add microsec timestamp resolution to the formatted log timestamp + * Added missing Geo Countries + * Store temporaries in the request pool for regexes compiled per-request. 
+ * Fix other usage of the global pool for request temporaries in re_operators.c + * Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg. + * Fix the order of error_msg validation + * When the input filter finishes, check whether we returned data + * fix: care non-null terminated chunk data + * Fix for apr_global_mutex_create() crashes with mod_security + * Fix inet addr handling on 64 bit big endian systems +- Run spec-cleaner +- Remove if/else for older version of SUSE distribution + +------------------------------------------------------------------- +Tue Feb 23 07:49:57 UTC 2021 - pgajdos@suse.com + +- version update to 2.9.3 + * Enable optimization for large stream input by default on IIS + [Issue #1299 - @victorhora, @zimmerle] + * Allow 0 length JSON requests. + [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern] + * Include unanmed JSON values in unnamed ARGS + [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle] + * Fix buffer size for utf8toUnicode transformation + [Issue #1208 - @katef, @victorhora] + * Fix sanitizing JSON request bodies in native audit log format + [p0pr0ck5, @victorhora] + * IIS: Update Wix installer to bundle a supported CRS version (3.0) + [@victorhora, @zimmerle] + * IIS: Update dependencies for Windows build + [Issue #1848 - @victorhora, @hsluoyz] + * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299) + [Issue #1299 - @victorhora] + * IIS: Update modsecurity.conf + [Issue #788 - @victorhora, @brianclark] + * Add sanity check for a couple malloc() and make code more resilient + [Issue #979 - @dogbert2, @victorhora, @zimmerl] + * Fix NetBSD build by renaming the hmac function to avoid conflicts + [Issue #1241 - @victorhora, @joerg, @sevan] + * IIS: Windows build, fix duplicate YAJL dir in script + [Issue #1612 - @allanbomsft, @victorhora] + * IIS: Remove body prebuffering due to no locking in modsecProcessRequest + [Issue #1917 - @allanbomsft, @victorhora] + * Fix 
mpm-itk / mod_ruid2 compatibility + [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora] + * Code cosmetics: checks if actionset is not null before use it + [Issue #1556 - @marcstern, @zimmerle, @victorhora] + * Only generate SecHashKey when SecHashEngine is On + [Issue #1671 - @dmuey, @monkburger, @zimmerle] + * Docs: Reformat README to Markdown and update dependencies + [Issue #1857 - @hsluoyz, @victorhora] + * IIS: no lock on ProcessRequest. No reload of config. + [Issue #1826 - @allanbomsft] + * IIS: buffer request body before taking lock + [Issue #1651 - @allanbomsft] + * good practices: Initialize variables before use it + [Issue #1889 - Marc Stern] + * Let body parsers observe SecRequestBodyNoFilesLimit + [Issue #1613 - @allanbomsft] + * potential off by one in parse_arguments + [Issue #1799 - @tinselcity, @zimmerle] + * Fix utf-8 character encoding conversion + [Issue #1794 - @tinselcity, @zimmerle] + * Fix ip tree lookup on netmask content + [Issue #1793 - @tinselcity, @zimmerle] + * IIS: set overrideModeDefault to Allow so that individual websites can + add to their web.config file + [Issue #1781 - @default-kramer] + * modsecurity.conf-recommended: Fix spelling + [Issue #1721 - @padraigdoran] + * build: fix when multiple lines for curl version + [Issue #1771 - @Artistan] + * Fix arabic charset in unicode_mapping file + [Issue #1619 - @alaa-ahmed-a] + * Optionally preallocates memory when SecStreamInBodyInspection is on + [Issue #1366 - @allanbomsft, @zimmerle] + * Fixed typo in build_yajl.bat + [Issue #1366 - @allanbomsft] + * Fixes SecConnWriteStateLimit + [Issue #1545 - @nicjansma] + * Added "empy chunk" check + [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle] + * Add capture action to @detectXSS operator + [Issue #1488, #1482 - @victorhora] + * Fix for wildcard operator when loading conf files on Nginx / IIS + [Issue #1486, #1285 - @victorhora and @thierry-f-78] + * Set of fixies to make windows build workable with the buildbots + [Commit 
94fe3 - @zimmerle] + * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH + [Issue #1510 - @marcstern] + * Adds missing headers + [Issue #1454 - @devnexen] +- modified patches + % modsecurity-fixes.patch (fix crash caused by our patch) + [bsc#1180830] +- added patches + + modsecurity-2.9.3-input_filtering_errors.patch + [bsc#1180830] + +------------------------------------------------------------------- +Wed Feb 12 10:26:15 UTC 2020 - pgajdos@suse.com + +- removing %apache_test_* macros, do not test module just by + loading the module + +------------------------------------------------------------------- +Fri Dec 29 00:09:38 UTC 2017 - jengelh@inai.de + +- Trim advertisement and filler wording from descriptions. + +------------------------------------------------------------------- +Wed Dec 20 09:13:49 UTC 2017 - pgajdos@suse.com + +- fix build for SLE_11_SP4: BuildRoot and %deffattr have to be + present + +------------------------------------------------------------------- +Mon Oct 2 11:02:58 UTC 2017 - kstreitova@suse.com + +- update to 2.9.2 + * release notes + https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2 + * refresh apache2-mod_security2-no_rpath.diff + * remove apache2-mod_security2-lua-5.3.patch that was applied + upstream +- remove outdated html pages and diagram (they can be accessed + online at https://github.com/SpiderLabs/ModSecurity/wiki) + * Reference-Manual.html.bz2 + * ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 + * modsecurity_diagram_apache_request_cycle.jpg +- don't pack the whole doc directory as it contains also Makefiles + or doxygen configuration files +- disable mlogc as we don't pack it and it also can't be built for + curl <=7.34 +- add basic and regression test suite (but disabled for now) + * add apache2-mod_security2_tests_conf.patch for apache2 + configuration file used for tests that was trying to load + mpm_worker_module (it's static for our apache2 package) + * add "BuildRequires: perl-libwww-perl" needed for 
the test suite + +------------------------------------------------------------------- +Wed Jun 21 10:16:28 UTC 2017 - dimstar@opensuse.org + +- Update modsecurity-fixes.patch: additionally include netdb.h in + order to have gethostbyname defined. + +------------------------------------------------------------------- +Thu Mar 23 15:14:11 UTC 2017 - kstreitova@suse.com + +- cleanup with spec-cleaner + +------------------------------------------------------------------- +Wed Jul 29 06:42:19 UTC 2015 - pgajdos@suse.com + +- fix build for lua 5.3 + + apache2-mod_security2-lua-5.3.patch + +------------------------------------------------------------------- +Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com + +- Requries: %{apache_suse_maintenance_mmn} + This will pull this module to the update (in released distribution) + when apache maintainer thinks it is good (due api/abi changes). + +------------------------------------------------------------------- +Mon Mar 2 14:46:15 UTC 2015 - tchvatal@suse.com + +- Remove useless comment lines/whitespace + +------------------------------------------------------------------- +Tue Feb 24 04:23:11 UTC 2015 - crrodriguez@opensuse.org + +- spec, build: Respect optflags +- spec: buildrequire pkgconfig +- modsecurity-fixes.patch: mod_security fails at: + * building with optflags enabled due to undefined behaviour + and implicit declarations. + * It abuses it apr_allocator api, creating one allocator + per request and then destroying it, flooding the system + with mmap() , munmap requests, this is particularly nasty + with threaded mpms. it should instead use the allocator + from the request pool. 
+ +------------------------------------------------------------------- +Sat Feb 14 17:51:49 UTC 2015 - thomas.worm@sicsec.de + +- Raised to version 2.9.0 +- Updated patch: apache2-mod_security2-no_rpath.diff + (adapted lines) + +------------------------------------------------------------------- +Mon Nov 3 09:41:02 UTC 2014 - pgajdos@suse.com + +- call spec-cleaner +- use apache rpm macros + +------------------------------------------------------------------- +Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de + +- Portability: provide /etc/apache2/mod_security2.d/empty.conf + to avoid a non-match of the file-glob in the Include statement + from /etc/apache2/conf.d/mod_security2.conf . This restores + the Include back from the IncludeOptional, which is not portable. +- Source URL set to (expanded) + https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz + +------------------------------------------------------------------- +Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de + +- Fixed spec file to work with older distribution versions. + Before openSuSE 13.1 aclocal doesn't work, instead autoreconf + has to be called. + +------------------------------------------------------------------- +Mon Jul 7 14:06:19 CEST 2014 - draht@suse.de + +- last changelog does not say that + apache2-mod_security2-libtool-fix.diff was obsoleted. + +------------------------------------------------------------------- +Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de + +- BuildRequires: libtool missing + +------------------------------------------------------------------- +Mon Jun 16 18:17:26 CEST 2014 - draht@suse.de + +- apache2-mod_security2-libtool-fix.diff: initialize libtool. + +------------------------------------------------------------------- +Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de + +- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath + in autoconf m4 macros. 
Obsoletes patch + modsecurity-apache_2.8.0-build_fix_pcre.diff +- use automake for build, add autoconf and automake to + BuildRequires:. This fix is combined with [bnc#876878]. +- turn on --enable-htaccess-config +- use %{?_smp_mflags} for build + +------------------------------------------------------------------- +Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de + +- OWASP rule set. [bnc#876878] + new in 2.8.0 (more complete changelog to add to last changelog): + * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) + now support white and suspicious list + * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH + * GPLv2 replaced by Apache License v2 + * rules are not part of the source tarball any longer, but + maintaned upstream externally, and included in this package. + * documentation was externalized to a wiki. Package contains + the FAQ and the reference manual in html form. + * renamed the term "Encryption" in directives that actually refer + to hashes. See CHANGES file for more details. + * byte conversion issues on s390x when logging fixed. + * many small issues fixed that were discovered by a Coverity scanner + * updated reference manual + * wrong time calculation when logging for some timezones fixed. + * replaced time-measuring mechanism with finer granularity for + measured request/answer phases. (Stopwatch remains for compat.) + * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. + +------------------------------------------------------------------- +Thu May 1 05:06:15 UTC 2014 - thomas.worm@sicsec.de + +- Raised to version 2.8.0. +- updated patches: + * modsecurity-apache_2.8.0-build_fix_pcre.diff + -> modsecurity-apache_2.7.7-build_fix_pcre.diff + +------------------------------------------------------------------- +Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de + + - Raised to version 2.7.7. 
+ - modified patches: + * modsecurity-apache_2.7.5-build_fix_pcre.diff, + renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff. + +------------------------------------------------------------------- +Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de + +- Use correct source Url + +------------------------------------------------------------------- +Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de + +- complete overhaul of this package, with update to 2.7.5. +- ruleset update to 2.2.8-0-g0f07cbb. +- new configuration framework private to mod_security2: + /etc/apache2/conf.d/mod_security2.conf loads + /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, + then /etc/apache2/mod_security2.d/*.conf , as set up based on + advice in /etc/apache2/conf.d/mod_security2.conf + Your configuration starting point is + /etc/apache2/conf.d/mod_security2.conf +- !!! Please note that mod_unique_id is needed for mod_security2 to run! +- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous + linker parameter, preventing rpath in shared object. +- fixes contained for the following bugs: + * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling + * [bnc#768293] multi-part bypass, minor threat + * CVE-2013-1915 [bnc#813190] XML external entity vulnerability + * CVE-2012-4528 [bnc#789393] rule bypass + * CVE-2013-2765 [bnc#822664] null pointer dereference crash +- new from 2.5.9 to 2.7.5, only major changes: + * GPLv2 replaced by Apache License v2 + * rules are not part of the source tarball any longer, but + maintaned upstream externally, and included in this package. + * documentation was externalized to a wiki. Package contains + the FAQ and the reference manual in html form. + * renamed the term "Encryption" in directives that actually refer + to hashes. See CHANGES file for more details. + * new directive SecXmlExternalEntity, default off + * byte conversion issues on s390x when logging fixed. 
+ * many small issues fixed that were discovered by a Coverity scanner + * updated reference manual + * wrong time calculation when logging for some timezones fixed. + * replaced time-measuring mechanism with finer granularity for + measured request/answer phases. (Stopwatch remains for compat.) + * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. + * SDBM deadlock fix + * @rsub memory leak fix + * cookie separator code improvements + * build failure fixes + * compile time option --enable-htaccess-config (set) + +------------------------------------------------------------------- +Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com + +- license update: Apache-2.0 and GPL-2.0 + Many of the files in the rules/ subdirectory are GPL-2.0 licensed + +------------------------------------------------------------------- +Mon Aug 6 20:59:45 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 2.6.7, fixes build in apache 2.4 +- Update spec file macros. 
+ +------------------------------------------------------------------- +Sat Sep 17 11:20:39 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile +- Use %_smp_mflags for parallel build + +------------------------------------------------------------------- +Wed Jul 6 04:33:49 CEST 2011 - draht@suse.de + +- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433): + - SecUnicodeCodePage and SecUnicodeMapFile directives added + - fixed bug: SecRequestBodyLimit was truncating the real request + body + additional fixes from 2.6.0: + - buffering filter problems fixed + - memory leak fix when using MATCHED_VAR_NAMES + - SecWriteStateLimit added against slow DoS + additional fixes from 2.6.0 release candidates: + - optimizations + - bug in logging code fixed + - cleanup + - google safe browsing support + +------------------------------------------------------------------- +Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de + +- update to version 2.5.9 + - Fixed parsing multipart content with a missing part header name + which would crash Apache. Discovered by "Internet Security + Auditors" (isecauditors.com). + - Added ability to specify the config script directly using + --with-apr and --with-apu. + - Added macro expansion for append/prepend action. + - Fixed race condition in concurrent updates of persistent + counters. Updates are now atomic. + - Cleaned up build, adding an option for verbose configure output + and making the mlogc build more portable. +- additional changes from 2.5.8 + - Fixed PDF XSS issue where a non-GET request for a PDF file + would crash the Apache httpd process. Discovered by Steve + Grubb at Red Hat. + - Removed an invalid "Internal error: Issuing "%s" for + unspecified error." message that was logged when denying with + nolog/noauditlog set and causing the request to be audited. 
+- additional changes from 2.5.7 + - Fixed XML DTD/Schema validation which will now fail after + request body processing errors, even if the XML parser returns + a document tree. + - Added ctl:forceRequestBodyVariable=on|off which, when enabled, + will force the REQUEST_BODY variable to be set when a request + body processor is not set. Previously the REQUEST_BODY target + was only populated by the URLENCODED request body processor. + - Integrated mlogc source. + - Fixed logging the hostname in the error_log which was logging + the request hostname instead of the Apache resolved hostname. + - Allow for disabling request body limit checks in phase:1. + - Added transformations for processing parity for legacy + protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, + t:parityZero7bit + - Added t:cssDecode transformation to decode CSS escapes. + - Now log XML parsing/validation warnings and errors to be in the + debug log at levels 3 and 4, respectivly. +- build and package mlogc +- remove --with-apxs from the configure args as it breaks the build + configure now finds our apxs2 + +------------------------------------------------------------------- +Fri Jan 23 16:56:55 CET 2009 - skh@suse.de + +- fix broken config [bnc#457200] + +------------------------------------------------------------------- +Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de + +- update to version 2.5.6 +- initial submit to FACTORY + +------------------------------------------------------------------- +Mon May 12 05:25:07 CEST 2008 - jg@internetx.de + +-update to 2.1.7 + +------------------------------------------------------------------- +Thu Feb 3 05:44:12 CEST 2008 - jg@internetx.de + +-update to 2.1.6 + +------------------------------------------------------------------- +Wed Aug 8 05:36:42 CEST 2007 - mrueckert@suse.de + +- update to 2.1.2 + +------------------------------------------------------------------- +Mon Apr 16 10:34:05 CEST 2007 - mrueckert@suse.de + +- update to 2.1.1 +- 
switched to perl based patching instead of cmdline params for make + +------------------------------------------------------------------- +Fri Sep 22 08:31:51 CEST 2006 - poeml@suse.de + +- fix build (./install was vanished) + diff --git a/apache2-mod_security2.keyring b/apache2-mod_security2.keyring new file mode 100644 index 0000000..07821be --- /dev/null +++ b/apache2-mod_security2.keyring 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGW1M88BEACdOnF8zBA5RiSyv5V8vslhbqysNSkqsUmVvGnGoguI8kA0CRNU +YNdaxZ5E/WsZ0lbBNw/xjf9Wa52ZUCKHkGjR4DNxn0IZRjowYTYNxNWrSvdon9MY +XXAN6uomWtRFAbvLTo7VnV5NhrKnx8mXl0SgVDMveaQJ0NCa7onmFpVgNj+i1neU +fPiXqFl///dM6xNLL8DU3a2k42ZUUVYpcu94f78WFfGujePdgP1tHRP08JxfvvaZ +VnwpYHXJXjaoXCpiK4A6jj79BeZIgpEGLcYbI+mk+uIe7L81U4nRIOJgoYk8nIv8 +0no+lS8KDzW3hnBDyzFp6bfyP1K4lM4vc6k1DHVBkUZT3C9CDdxgAbbfD0deq8yI ++5/q38mPAJ6gyicnskji25PzzxnzCRt73wQHCZ/x4RAwnKVeStYLtNqsDSk/Zm0n +qqOwZKf0DpMuwJUCQ2I5xYL/R5FthElL/QAQ9E0C2GG1kj5+V/4spsBwwzQ3Ct2x +ntnME4CInxWPfhlAAVLw28Zb/paExLGO28VcQHM8uBMMZXP4T5L+INbb2ax1WB2n +h3NzBrxzL3H47woWFmTcM1beqcqya5k/Q2tfTl1x4AmifOWXOytGqUpgiM6J2lSS +/0N0rbykep9JftaIZbj2TTVk2VKOv7KQdLUgFXmtPWmb12fVOpkhAfweVQARAQAB +tClPV0FTUCBNb2RTZWN1cml0eSA8bW9kc2VjdXJpdHlAb3dhc3Aub3JnPokCTgQT +AQgAOBYhBAsroZJAZbRGkSAqKtKG4CIUnw9uBQJltTPPAhsDBQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJENKG4CIUnw9u2C0P/jVJB7sCyDMAgyp0KkYynt7Qgf2q +WQFDVz/KoPqj1qZaKOBjScZbprgDMuqkDELqpAP4MuzhWjcL9CDTbSuu+YQhwfBo +5mkbBBElFVw5n1rkhY/mpSe+uSZBLOGp37PCqrc17ihXm27Z/d9+mS1bX61ScpOy +50r5rm1r9KG3bXTZRKkK+3bkR25Blapo4rDW8k6LzfmlfucsZ0/VZIol/+GOl3HX +9IPWbUmW7LwS7+SYPms6c6XrPa57v2RgZDb/MOULqeayUjiOMX6bAAlVYJaoQ1yp +VOO5kafResYHhK2Vz6oYvpR4va1KqkVEwOPsBmMmR0qQGtAqeE+yvI7Dm4mUZtYc +jZdx8CDCqgLz8xuGcO2ewenhxy50CkLpoNKvYIMcZo+s+EfL4M9TG+eMDZlEmgGG +rPk96uplna9aWZWYXO2rgZ8kj8G9yOuf+vQAAGh9se2iQmSUw0ph9Sex04VjJAD/ +XQyDeS4Z1TT2TBhHf9+zxb8EsLiEjYzC1Rxj4wsr6uxJpXIdnSLusZ75z2ZpKtpU +O3aDcqMfosO+iocvKgy+TOWgF4SRjoVe/P5INHP/NMHrEX/ZAMqk0CE7jM2z9I/B +aZ2wK87djVaTRgk3x+i2run3hpGr3eKAm0P6lTKhS/zZ9NEa3L1XSzD7JwBEmRuS +70M0myS+bzhfB9VouQINBGW1M88BEACxgm1yOuZLy0IrMfW9DohAVDbspd3VjxjP ++uAF4ZPFuxyXP+Co9Rts3XsBZaPqyFOYknlvo0IBq6EPmsWpZ5jT2cbJyo9LZE4N +aGheccpin3kg1WN/sWdYPW2hlJhgOA/AKsyil0TDEYvGht1M1uz2Hf5d6kp1Ex5d +inVgKneVHTRyJp5jlvgzxYsJKlMX4S+5APo0IfXDiko6BA4ltmd0knQSn6owARkM +BOa4fxzknRZHmYmd24AhYzDShNCGVQHSFn1Pz+wD88FFOczDiPPiaEq8T2J8A15g 
+kxntWSa67d0R9k6arF3SEHA4YvSCzIQsdhXdnGJwgEl341qr6uant2PErAaWDIXT +XJ4e3oCMT73OW/lEawJvPSJYDDi03RgJBQcs4iN073zzwUIuaFV21RIUcGjRmwnX +mJ7ttyLGqYya88DgXT4zX3xm7un/ZkcRKL0KPNOWGoc2rl/XDMYChqgRvOOPaOlr +6oAF8jxTKnpWSI9edhg7PBAlpQtl3DPnJ8pg9KUvuledJnfIs6VjtbfsGwD7b7M+ +LDVErH218SYsEJ61nmPBzomlJpb9T7TxImBbuP9H6QUq0FKeTk1dbc4bx2Msw7dM +b3AwIGgpS3T1zoS2au9daieoiZxFrjlsyut2DnuZ2XeWJts/VPW/JsREH3nSucQQ +sQVp0ToZtQARAQABiQI2BBgBCAAgFiEECyuhkkBltEaRICoq0obgIhSfD24FAmW1 +M88CGwwACgkQ0obgIhSfD24gXQ//dsZRiGsiZ7rJ9MvFQvSMuKnjNVNhQYCzBO02 +7RQDUKL/pcdjXNaAkGMP+60e6ipPBJPV1dEz2C8no1IBQokF7bMkC3u22dGywH4j +9ddtkE8qeJQ/7Dc+rS7w5dno8EzLiVW9088wm00NXydJ4FuqEpEvUHyEIIqBGPja +UheL5WzzAmPkYPNGAHNKoPp55aPrpcJAr1Dknv+fhptnzcPtNSia+NHeC/aBjPXQ +YBpzcGXbEuj/Jn0ugmMhLhDYQDc8uKmeYSp6p9PjIjZxry6ISGtAKNVJe5+xBKvt +AdotNiOl2ida9Z7RpmgpNqblCyTwIWfji66XCnvZHQzCdMBXfeO5MRvg6diVtcA2 +CJYaiN6FvSWmolp47SRg1/bvRdNxe+IPBWPFufWmU/CrQOyfJy8/H3VjKuaHA0Ba +HyAgobm/kGjkQy2ZO/KMyjesqPcAL8CtKZ57Fzgus3UFIhANC+T6KtxQTIpj1nlN +OdWlYCl1FQXPc561Tgicv4oiJOXOOxiVlF0H3+ldBzijNviciaJcBCS+2clN2moY +GRQm4g0sSm1ItA57xD6dzjqdfN4X0lptKOoQyDfrTJZftuUUtU4xifnVIuWrtBsn +yNxo8FXdFKN9E5vHeAQsZRIXG66Ym0VqI+KhkMYzJpRN6SqZJNiFjdddmJhiCg7o +kKSFrwk= +=tFPe +-----END PGP PUBLIC KEY BLOCK----- diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec new file mode 100644 index 0000000..63a0fb0 --- /dev/null +++ b/apache2-mod_security2.spec 
@@ -0,0 +1,95 @@
+#
+# spec file for package apache2-mod_security2
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: apache2-mod_security2
+Version: 2.9.8
+Release: 0
+Summary: Web Application Firewall for Apache httpd
+License: Apache-2.0
+Group: Productivity/Networking/Web/Servers
+URL: https://www.modsecurity.org/
+Source0: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz
+Source1: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz.asc
+Source2: apache2-mod_security2.keyring
+Source3: mod_security2.conf
+Source4: README_SUSE
+Patch0: apache2-mod_security2-no_rpath.diff
+Patch1: modsecurity-fixes.patch
+Patch2: apache2-mod_security2_tests_conf.patch
+# https://github.com/SpiderLabs/ModSecurity/issues/2514
+Patch3: modsecurity-2.9.3-input_filtering_errors.patch
+# fix build with gcc14
+Patch4: apache2-mod_security2-gcc14.patch
+BuildRequires: apache-rpm-macros
+BuildRequires: apache2-devel
+BuildRequires: apache2-prefork
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: c++_compiler
+BuildRequires: libcurl-devel
+BuildRequires: libtool
+BuildRequires: libxml2-devel
+BuildRequires: lua53-devel
+BuildRequires: pcre-devel
+BuildRequires: perl-libwww-perl
+BuildRequires: pkgconfig
+Requires: %{apache_mmn}
+Requires: %{apache_suse_maintenance_mmn}
+Requires: apache2
+Recommends: owasp-modsecurity-crs-apache2
+
+%description
+ModSecurity is an intrusion detection and prevention
+engine for web applications (or a web application firewall). Operating
+as an Apache Web server module or standalone, the purpose of
+ModSecurity is to increase web application security, protecting web
+applications from known and unknown attacks.
+
+%prep
+%autosetup -p1 -n modsecurity-v%{version}
+cp %{SOURCE4} .
+
+%build
+aclocal
+automake
+%configure --with-apxs=%{apache_apxs} --enable-request-early --enable-htaccess-config --disable-mlogc
+CFLAGS="%{optflags}" make %{?_smp_mflags}
+
+%install
+pushd apache2
+ install -d -m 0755 %{buildroot}%{apache_libexecdir}
+ install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/mod_security2.so
+popd
+mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d
+mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d/rules
+mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d/
+cp -a %{SOURCE3} %{buildroot}%{apache_sysconfdir}/conf.d/
+
+%check
+make test
+
+%files
+%{apache_libexecdir}/mod_security2.so
+%license LICENSE
+%dir %{apache_sysconfdir}/mod_security2.d
+%dir %{apache_sysconfdir}/mod_security2.d/rules
+%dir %{apache_sysconfdir}/conf.d/
+%config(noreplace) %{apache_sysconfdir}/conf.d/mod_security2.conf
+%doc README.md CHANGES NOTICE authors.txt README_SUSE
+
+%changelog
diff --git a/apache2-mod_security2_tests_conf.patch b/apache2-mod_security2_tests_conf.patch
new file mode 100644
index 0000000..f726c71
--- /dev/null
+++ b/apache2-mod_security2_tests_conf.patch
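Review bot: %install creates mod_security2.d, rules and conf.d, but nothing in %install or %files creates or owns /var/lib/mod_security2, which the packaged mod_security2.conf sets as both SecTmpDir and SecDataDir, so persistent collections and spilled request bodies have nowhere to go unless an admin makes the directory by hand (README_SUSE may say so; it is not visible here). Adding `mkdir -p %{buildroot}%{_localstatedir}/lib/mod_security2` to %install and `%dir %attr(0750,wwwrun,root) %{_localstatedir}/lib/mod_security2` to %files would ship it with a mode that keeps request-body spillover out of reach of other local users. The commit also adds modsecurity-2.9.7.tar.gz and empty.conf, neither of which this spec references; presumably the old tarball was meant to go with the 2.9.8 update, and empty.conf is obsolete now that the config uses IncludeOptional.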
@@ -0,0 +1,14 @@
+Index: modsecurity-2.9.2/tests/regression/server_root/conf/httpd.conf.in
+===================================================================
+--- modsecurity-2.9.2.orig/tests/regression/server_root/conf/httpd.conf.in
++++ modsecurity-2.9.2/tests/regression/server_root/conf/httpd.conf.in
+@@ -14,9 +14,6 @@ LoadModule security2_module @MSC_BASE_DI
+ 
+ LoadModule unixd_module @APXS_LIBEXECDIR@/mod_unixd.so
+ 
+-
+- LoadModule mpm_worker_module @APXS_LIBEXECDIR@/mod_mpm_worker.so
+-
+ LoadModule access_compat_module @APXS_LIBEXECDIR@/mod_access_compat.so
+ LoadModule authn_core_module @APXS_LIBEXECDIR@/mod_authn_core.so
+ LoadModule authz_core_module @APXS_LIBEXECDIR@/mod_authz_core.so
diff --git a/empty.conf b/empty.conf
new file mode 100644
index 0000000..7b57715
--- /dev/null
+++ b/empty.conf
@@ -0,0 +1,4 @@
+# This configuration file has been intentionally left empty to avoid errors
+# resulting from an Include statement that matches no files.
+# (IncludeOptional is available for apache > 2.4)
+#
diff --git a/mod_security2.conf b/mod_security2.conf
new file mode 100644
index 0000000..5493fd5
--- /dev/null
+++ b/mod_security2.conf
@@ -0,0 +1,55 @@
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
+ failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecDebugLog /var/log/apache2/modsec_debug.log
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/apache2/modsec_audit.log
+ SecArgumentSeparator &
+ SecCookieFormat 0
+ SecTmpDir /var/lib/mod_security2
+ SecDataDir /var/lib/mod_security2
+
+ IncludeOptional /etc/apache2/mod_security2.d/*.conf
+ IncludeOptional /etc/apache2/mod_security2.d/rules/*.conf
+
+
+
diff --git a/modsecurity-2.9.3-input_filtering_errors.patch b/modsecurity-2.9.3-input_filtering_errors.patch
new file mode 100644
index 0000000..6587b89
--- /dev/null
+++ b/modsecurity-2.9.3-input_filtering_errors.patch
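Review bot: Rule 200003 denies with `status:44`, which is not an HTTP status code; httpd has no response entry for it, so what the client actually receives (most likely a generic 500) and what lands in the access log differs from the 400 the neighbouring rules 200001 and 200002 use, and `status:400` would be the consistent choice unless the odd value is deliberate. Separately, SecAuditLogParts includes part I, so the serial audit log at /var/log/apache2/modsec_audit.log will carry the request body of every 5xx and non-404 4xx response, failed logins included; the file's ownership and mode should match that sensitivity. The enclosing container this block sits in is not visible on this page.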
@@ -0,0 +1,82 @@
+Index: modsecurity-v2.9.8/apache2/apache2_io.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/apache2_io.c
++++ modsecurity-v2.9.8/apache2/apache2_io.c
+@@ -222,6 +222,10 @@ apr_status_t read_request_body(modsec_re
+ * too large and APR_EGENERAL when the client disconnects.
+ */
+ switch(rc) {
++ case AP_FILTER_ERROR :
++ *error_msg = apr_pstrdup(msr->mp, "Error reading request body: filter error");
++ return -8;
++
+ case APR_INCOMPLETE :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+ return -7;
+@@ -231,7 +235,7 @@ apr_status_t read_request_body(modsec_re
+ case APR_TIMEUP :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+ return -4;
+- case AP_FILTER_ERROR :
++ case APR_ENOSPC:
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
+ return -3;
+ case APR_EGENERAL :
+Index: modsecurity-v2.9.8/apache2/mod_security2.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/mod_security2.c
++++ modsecurity-v2.9.8/apache2/mod_security2.c
+@@ -1032,7 +1032,7 @@ static int hook_request_late(request_rec
+ }
+ 
+ rc = read_request_body(msr, &my_error_msg);
+- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
++ if (rc < 0) {
+ switch(rc) {
+ case -1 :
+ if (my_error_msg != NULL) {
+@@ -1040,6 +1040,21 @@ static int hook_request_late(request_rec
+ }
+ return HTTP_INTERNAL_SERVER_ERROR;
+ break;
++ case -2 : /* Bad request. */
++ case -6 : /* EOF when reading request body. */
++ case -7 : /* Partial recieved */
++ if (my_error_msg != NULL) {
++ msr_log(msr, 4, "%s", my_error_msg);
++ }
++ r->connection->keepalive = AP_CONN_CLOSE;
++ return HTTP_BAD_REQUEST;
++ break;
++ case -3 : /* Apache's LimitRequestBody. */
++ if (my_error_msg != NULL) {
++ msr_log(msr, 1, "%s", my_error_msg);
++ }
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ break;
+ case -4 : /* Timeout. */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 4, "%s", my_error_msg);
+@@ -1061,19 +1076,11 @@ static int hook_request_late(request_rec
+ }
+ }
+ break;
+- case -6 : /* EOF when reading request body. */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
+- break;
+- case -7 : /* Partial recieved */
++ case -8 : /* Filter error. */
+ if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
++ msr_log(msr, 1, "%s", my_error_msg);
+ }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
++ return AP_FILTER_ERROR;
+ break;
+ default :
+ /* allow through */
diff --git a/modsecurity-2.9.7.tar.gz b/modsecurity-2.9.7.tar.gz
new file mode 100644
index 0000000..155fd62
--- /dev/null
+++ b/modsecurity-2.9.7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839
+size 4320766
diff --git a/modsecurity-fixes.patch b/modsecurity-fixes.patch
new file mode 100644
index 0000000..f62cf6b
--- /dev/null
+++ b/modsecurity-fixes.patch
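Review bot: The new `case -3` in hook_request_late returns HTTP_REQUEST_ENTITY_TOO_LARGE without the `r->connection->keepalive = AP_CONN_CLOSE;` that the -2/-6/-7 cases just above it set, yet this is exactly the case where the client has sent more body than was read; if httpd's own 413 error path does not already force the connection closed (worth confirming for this httpd version), the unread remainder stays on a kept-alive connection and is parsed as the next request. Adding the same one-line close before the return makes the new case self-contained either way. Minor: the comment `/* Partial recieved */` is carried over with its typo and could read `/* Partial body received */`. hook_request_late starts and ends outside this hunk, as does read_request_body.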
@@ -0,0 +1,37 @@
+Index: modsecurity-v2.9.8/apache2/msc_status_engine.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/msc_status_engine.c
++++ modsecurity-v2.9.8/apache2/msc_status_engine.c
+@@ -40,6 +40,8 @@
+ #if (defined(__linux__) || defined(__gnu_linux__))
+ #include
+ #include
++#include
++#include
+ #endif
+ #ifdef HAVE_SYS_UTSNAME_H
+ #include
+Index: modsecurity-v2.9.8/apache2/msc_remote_rules.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/msc_remote_rules.c
++++ modsecurity-v2.9.8/apache2/msc_remote_rules.c
+@@ -797,6 +797,7 @@ next:
+ "compilation.";
+ return -1;
+ #endif
++ return -1;
+ }
+ 
+ 
+Index: modsecurity-v2.9.8/apache2/msc_util.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/msc_util.c
++++ modsecurity-v2.9.8/apache2/msc_util.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include "msc_release.h"
+ #include "msc_util.h"
diff --git a/modsecurity-v2.9.8.tar.gz b/modsecurity-v2.9.8.tar.gz
new file mode 100644
index 0000000..f47d2e6
--- /dev/null
+++ b/modsecurity-v2.9.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd57bd37f6062dca39dc8fba8d3e8db7351c5095de1e9ce7c3aa3890bc95855f
+size 4341347
diff --git a/modsecurity-v2.9.8.tar.gz.asc b/modsecurity-v2.9.8.tar.gz.asc
new file mode 100644
index 0000000..638bc21
--- /dev/null
+++ b/modsecurity-v2.9.8.tar.gz.asc
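Review bot: The `return -1;` added after `#endif` in msc_remote_rules.c has no comment saying why it is there; the visible `#else`-side branch already returns -1 just above it, and if the curl-enabled branch (outside the hunk) also returns before `#endif`, the new statement is unreachable and exists only to quiet a missing-return warning. A one-line note such as `/* not reached: both branches above return; keeps -Wreturn-type quiet */` would stop the next reader from treating it as a real error path. The angle-bracket header names on the added `#include` lines in msc_status_engine.c and msc_util.c are not rendered on this page, so which headers were added cannot be checked from here. The enclosing function in msc_remote_rules.c starts outside the hunk.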
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEECyuhkkBltEaRICoq0obgIhSfD24FAmbXB9IACgkQ0obgIhSf
+D24nAA//aT21bY/w4MWg72yhXoi0GzcsZ6JU1HwWH3Y+NYfHcmgnwH1FkLdZSGM0
+P9iZE6HCphqSEctm7oHrKzzUAfvdJo+Qv1dKxFAYf7MT4IPfCH2JGXM5IfW6Nx9S
+7dh37kR53x0a9oj9n2+m8jWVbCr8yW4t2bOsmLHH6eBqSKAMYNI01wOhH+4kexVH
+d56CVIeZ2RmoT6t0KwnsBoLOFHFOr+sHCowlsjvHVB74r/c6bx5uDok6FVbCmEKI
+ettqURJerKrqfR9L145pqjJXPuCZJuYDDm905CfsdnTmNs4v7Hgimo9n2BLARtHf
+tG+SEpUxotMLEA2ZE6W+cd/AM2nIIJ/TvY/S3XBDb7mmQW33A6wopJ7tu2XZ5SJJ
+Nw5n5v9x3K6UYU/NgjdHbgGxy9TVFqSYaAqSrVUVIz2GpM6Oj0wJ9f1Wtj+v9iim
+FYO/dXta29D91RT/0SShX1GAfpt8220zDEX0T+6J71znKzPH5+5Cr+UoDLmIR35t
+EVbKcGMZW/6hL1mUyHFbjJgKnhFtRoMPuXUSXPWRjfc3HekwrKQmT8oDfkhdqP+Y
+WxNspOGyUjKchUvrnnSkZnlGZSPXamFQ7/DLWNFp3P/aT0NkRSa8S0mLvAmRxY51
+HiMAP+AQcsUcLAw0z5Lh7d52UJzYdMaBfs+p+j5GC05qflBpetY=
+=oDiC
+-----END PGP SIGNATURE-----