diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index 7363af9..c8025a5 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,89 @@
+-------------------------------------------------------------------
+Tue Feb 23 07:49:57 UTC 2021 - pgajdos@suse.com
+
+- version update to 2.9.3
+ * Enable optimization for large stream input by default on IIS
+ [Issue #1299 - @victorhora, @zimmerle]
+ * Allow 0 length JSON requests.
+ [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
+ * Include unanmed JSON values in unnamed ARGS
+ [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
+ * Fix buffer size for utf8toUnicode transformation
+ [Issue #1208 - @katef, @victorhora]
+ * Fix sanitizing JSON request bodies in native audit log format
+ [p0pr0ck5, @victorhora]
+ * IIS: Update Wix installer to bundle a supported CRS version (3.0)
+ [@victorhora, @zimmerle]
+ * IIS: Update dependencies for Windows build
+ [Issue #1848 - @victorhora, @hsluoyz]
+ * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
+ [Issue #1299 - @victorhora]
+ * IIS: Update modsecurity.conf
+ [Issue #788 - @victorhora, @brianclark]
+ * Add sanity check for a couple malloc() and make code more resilient
+ [Issue #979 - @dogbert2, @victorhora, @zimmerl]
+ * Fix NetBSD build by renaming the hmac function to avoid conflicts
+ [Issue #1241 - @victorhora, @joerg, @sevan]
+ * IIS: Windows build, fix duplicate YAJL dir in script
+ [Issue #1612 - @allanbomsft, @victorhora]
+ * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
+ [Issue #1917 - @allanbomsft, @victorhora]
+ * Fix mpm-itk / mod_ruid2 compatibility
+ [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
+ * Code cosmetics: checks if actionset is not null before use it
+ [Issue #1556 - @marcstern, @zimmerle, @victorhora]
+ * Only generate SecHashKey when SecHashEngine is On
+ [Issue #1671 - @dmuey, @monkburger, @zimmerle]
+ * Docs: Reformat README to Markdown and update dependencies
+ [Issue #1857 - @hsluoyz, @victorhora]
+ * IIS: no lock on ProcessRequest. No reload of config.
+ [Issue #1826 - @allanbomsft]
+ * IIS: buffer request body before taking lock
+ [Issue #1651 - @allanbomsft]
+ * good practices: Initialize variables before use it
+ [Issue #1889 - Marc Stern]
+ * Let body parsers observe SecRequestBodyNoFilesLimit
+ [Issue #1613 - @allanbomsft]
+ * potential off by one in parse_arguments
+ [Issue #1799 - @tinselcity, @zimmerle]
+ * Fix utf-8 character encoding conversion
+ [Issue #1794 - @tinselcity, @zimmerle]
+ * Fix ip tree lookup on netmask content
+ [Issue #1793 - @tinselcity, @zimmerle]
+ * IIS: set overrideModeDefault to Allow so that individual websites can
+ add to their web.config file
+ [Issue #1781 - @default-kramer]
+ * modsecurity.conf-recommended: Fix spelling
+ [Issue #1721 - @padraigdoran]
+ * build: fix when multiple lines for curl version
+ [Issue #1771 - @Artistan]
+ * Fix arabic charset in unicode_mapping file
+ [Issue #1619 - @alaa-ahmed-a]
+ * Optionally preallocates memory when SecStreamInBodyInspection is on
+ [Issue #1366 - @allanbomsft, @zimmerle]
+ * Fixed typo in build_yajl.bat
+ [Issue #1366 - @allanbomsft]
+ * Fixes SecConnWriteStateLimit
+ [Issue #1545 - @nicjansma]
+ * Added "empy chunk" check
+ [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
+ * Add capture action to @detectXSS operator
+ [Issue #1488, #1482 - @victorhora]
+ * Fix for wildcard operator when loading conf files on Nginx / IIS
+ [Issue #1486, #1285 - @victorhora and @thierry-f-78]
+ * Set of fixies to make windows build workable with the buildbots
+ [Commit 94fe3 - @zimmerle]
+ * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
+ [Issue #1510 - @marcstern]
+ * Adds missing headers
+ [Issue #1454 - @devnexen]
+- modified patches
+ % modsecurity-fixes.patch (fix crash caused by our patch)
+ [bsc#1180830]
+- added patches
+ + modsecurity-2.9.3-input_filtering_errors.patch
+ [bsc#1180830]
+
 -------------------------------------------------------------------
 Wed Feb 12 10:26:15 UTC 2020 - pgajdos@suse.com
 
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index ab2ada2..9edf00e 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define tarballname modsecurity-%{version}
 %define usrsharedir %{_datadir}/%{name}
 Name: apache2-mod_security2
-Version: 2.9.2
+Version: 2.9.3
 Release: 0
 Summary: Web Application Firewall for apache httpd
 License: Apache-2.0
@@ -34,6 +34,8 @@ Source7: empty.conf
 Patch0: apache2-mod_security2-no_rpath.diff
 Patch1: modsecurity-fixes.patch
 Patch2: apache2-mod_security2_tests_conf.patch
+# https://github.com/SpiderLabs/ModSecurity/issues/2514
+Patch3: modsecurity-2.9.3-input_filtering_errors.patch
 BuildRequires: apache-rpm-macros
 BuildRequires: apache2-devel
 BuildRequires: apache2-prefork
@@ -43,7 +45,7 @@ BuildRequires: c++_compiler
 BuildRequires: libcurl-devel
 BuildRequires: libtool
 BuildRequires: libxml2-devel
-BuildRequires: lua-devel
+BuildRequires: lua53-devel
 BuildRequires: pcre-devel
 BuildRequires: perl-libwww-perl
 BuildRequires: pkgconfig
@@ -68,6 +70,7 @@ mv -v SpiderLabs* rules
 %patch0
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 # aclocal only works with newer distributions
@@ -120,7 +123,7 @@ mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
 %{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
 %{apache_sysconfdir}/mod_security2.d/empty.conf
 %{usrsharedir}
-%doc README.TXT CHANGES LICENSE NOTICE authors.txt
+%doc README.md CHANGES LICENSE NOTICE authors.txt
 %doc doc/README.txt
 %doc doc/README-SUSE-mod_security2.txt
 %doc rules/util/regression-tests
diff --git a/modsecurity-2.9.2.tar.gz b/modsecurity-2.9.2.tar.gz
deleted file mode 100644
index 5ebb417..0000000
--- a/modsecurity-2.9.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:41a8f73476ec891f3a9e8736b98b64ea5c2105f1ce15ea57a1f05b4bf2ffaeb5
-size 4298993
diff --git a/modsecurity-2.9.3-input_filtering_errors.patch b/modsecurity-2.9.3-input_filtering_errors.patch
new file mode 100644
index 0000000..1dca8e9
--- /dev/null
+++ b/modsecurity-2.9.3-input_filtering_errors.patch
@@ -0,0 +1,80 @@
+diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache2/apache2_io.c
+--- modsecurity-2.9.3.old/apache2/apache2_io.c 2018-12-04 19:49:37.000000000 +0100
++++ modsecurity-2.9.3.new/apache2/apache2_io.c 2021-02-12 13:28:27.739749566 +0100
+@@ -209,6 +209,10 @@
+ * too large and APR_EGENERAL when the client disconnects.
+ */
+ switch(rc) {
++ case AP_FILTER_ERROR :
++ *error_msg = apr_pstrdup(msr->mp, "Error reading request body: filter error");
++ return -8;
++
+ case APR_INCOMPLETE :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+ return -7;
+@@ -218,7 +222,7 @@
+ case APR_TIMEUP :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+ return -4;
+- case AP_FILTER_ERROR :
++ case APR_ENOSPC:
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
+ return -3;
+ case APR_EGENERAL :
+diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apache2/mod_security2.c
+--- modsecurity-2.9.3.old/apache2/mod_security2.c 2018-12-04 19:49:37.000000000 +0100
++++ modsecurity-2.9.3.new/apache2/mod_security2.c 2021-02-12 13:34:22.940428406 +0100
+@@ -1013,7 +1013,7 @@
+ }
+ 
+ rc = read_request_body(msr, &my_error_msg);
+- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
++ if (rc < 0) {
+ switch(rc) {
+ case -1 :
+ if (my_error_msg != NULL) {
+@@ -1021,6 +1021,21 @@
+ }
+ return HTTP_INTERNAL_SERVER_ERROR;
+ break;
++ case -2 : /* Bad request. */
++ case -6 : /* EOF when reading request body. */
++ case -7 : /* Partial recieved */
++ if (my_error_msg != NULL) {
++ msr_log(msr, 4, "%s", my_error_msg);
++ }
++ r->connection->keepalive = AP_CONN_CLOSE;
++ return HTTP_BAD_REQUEST;
++ break;
++ case -3 : /* Apache's LimitRequestBody. */
++ if (my_error_msg != NULL) {
++ msr_log(msr, 1, "%s", my_error_msg);
++ }
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ break;
+ case -4 : /* Timeout. */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 4, "%s", my_error_msg);
+@@ -1042,19 +1057,11 @@
+ }
+ }
+ break;
+- case -6 : /* EOF when reading request body. */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
+- break;
+- case -7 : /* Partial recieved */
++ case -8 : /* Filter error. */
+ if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
++ msr_log(msr, 1, "%s", my_error_msg);
+ }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
++ return AP_FILTER_ERROR;
+ break;
+ default :
+ /* allow through */
diff --git a/modsecurity-2.9.3.tar.gz b/modsecurity-2.9.3.tar.gz
new file mode 100644
index 0000000..7aeccc3
--- /dev/null
+++ b/modsecurity-2.9.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4192019d169d3f1dd82cc4714db6986df54c6ceb4ee1c8f253de78d1a6b62118
+size 4307670
diff --git a/modsecurity-fixes.patch b/modsecurity-fixes.patch
index 0251c27..d66db1a 100644
--- a/modsecurity-fixes.patch
+++ b/modsecurity-fixes.patch
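Review bot: Dropping `msr->txcfg->is_enabled == MODSEC_ENABLED` from the guard in the `@@ -1013,7 +1013,7 @@` hunk of mod_security2.c means a failed request-body read is now answered with 400/413/500 or `AP_FILTER_ERROR` even when SecRuleEngine is Off or DetectionOnly, and nothing in the patch records why; a comment above the new line, e.g. `/* A failed body read is fatal regardless of engine mode: the input filter has already failed, so the body cannot be handed on to the handler. */`, would stop a later packager from restoring the check (the enclosing function starts before and continues after the hunk). The new `case -3` in the following hunk logs an oversized body, a client-controlled condition, at level 1 while the sibling `-2/-6/-7` cases log at level 4; if that is deliberate a short comment would help, otherwise level 4 keeps oversized uploads from filling the error log. The `/* Partial recieved */` typo is carried into the new case label. The apache2_io.c mapping of `APR_ENOSPC` to the 413 message presumably matches what httpd's body filter returns on a LimitRequestBody overflow; worth confirming against the httpd version the package builds against.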
@@ -1,39 +1,3 @@
-Index: modsecurity-2.9.0/apache2/mod_security2.c
-===================================================================
---- modsecurity-2.9.0.orig/apache2/mod_security2.c
-+++ modsecurity-2.9.0/apache2/mod_security2.c
-@@ -457,17 +457,13 @@ static void store_tx_context(modsec_rec
- * Creates a new transaction context.
- */
- static modsec_rec *create_tx_context(request_rec *r) {
-- apr_allocator_t *allocator = NULL;
- modsec_rec *msr = NULL;
- 
- msr = (modsec_rec *)apr_pcalloc(r->pool, sizeof(modsec_rec));
- if (msr == NULL) return NULL;
- 
-- apr_allocator_create(&allocator);
-- apr_allocator_max_free_set(allocator, 1024);
-- apr_pool_create_ex(&msr->mp, r->pool, NULL, allocator);
-+ apr_pool_create(&msr->mp, r->pool);
- if (msr->mp == NULL) return NULL;
-- apr_allocator_owner_set(allocator, msr->mp);
- 
- msr->modsecurity = modsecurity;
- msr->r = r;
-Index: modsecurity-2.9.0/apache2/msc_reqbody.c
-===================================================================
---- modsecurity-2.9.0.orig/apache2/msc_reqbody.c
-+++ modsecurity-2.9.0/apache2/msc_reqbody.c
-@@ -88,7 +88,7 @@ apr_status_t modsecurity_request_body_st
- * to allocate structures from (not data, which is allocated
- * via malloc).
- */
-- apr_pool_create(&msr->msc_reqbody_mp, NULL);
-+ apr_pool_create(&msr->msc_reqbody_mp, msr->mp);
- 
- /* Initialise request body processors, if any. */
- 
 Index: modsecurity-2.9.0/apache2/msc_status_engine.c
 ===================================================================
 --- modsecurity-2.9.0.orig/apache2/msc_status_engine.c