pool/apache2-mod_security2
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1240477 from Apache:Modules

Browse Source 
- package cleanup, coordinated with owasp-modsecurity-crs cleanup
- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
  * Fixed ap_log_perror() usage
  * Memory leaks + enhanced logging
  * CI improvement: First check syntax & always display error/audit logs
  * Fixed assert() usage
  * Removed useless code
  * feat: Check if the MP header contains invalid character
  * Use standard httpd logging format in error log
  * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
  * Move xmlFree() call to the right place
  * Add collection size in log in case of writing error
  * Passing address of lock instead of lock in acquire_global_lock()
  * Invalid pointer access in case rule id == NOT_SET_P
  * Show error.log after httpd start in CI
  * chore: add pull request template
  * chore: add gitignore file
  * Possible double free
  * Set 'jit' variable's initial value
  * Missing null byte + optimization
  * fix: remove usage of insecure tmpname
  * docs: update copyright
  * Enhanced logging [Issue #3107]
  * Check for null pointer dereference (almost) everywhere
  * Fix possible segfault in collection_unpack
  * fix: Replace obsolete macros
  * chore: update bug-report-for-version-2-x.md
  * feat: Add more steps: install built module and restart the server
  * Add new flag: --without-lua
  * Initial release of CI worklow (forwarded request 1239893 from pgajdos)

OBS-URL: https://build.opensuse.org/request/show/1240477
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=32
This commit is contained in:
Ana Guerrero 2025-01-27 19:55:30 +00:00 committed by Git OBS Bridge
commit d91a19e9f0
14 changed files with 266 additions and 389 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README-SUSE-mod_security2.txt
View File

@ -1,13 +0,0 @@
#
# Dear Administrator,
#
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Your starting point for the configuration of mod_security2 is
# /etc/apache2/conf.d/mod_security2.conf .
# Please see that file for comments on how to activate the module
# and on how to assign rules.
#

23
README_SUSE Normal file
View File

@ -0,0 +1,23 @@
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Use
# # a2enmod unique_id
# # a2enmod security2
#
# to activate security2 module.
#
# Configuration directories:
# /etc/apache2/mod_security2.d is read first
# /etc/apache2/mod_security2.d/rules is read second
#
# owasp-modsecurity-crs and owasp-modsecurity-crs-apache2 can be installed.
# To test:
W
# curl 'http://localhost/?foo=/etc/passwd&bar=/bin/sh'
#
# sholud give 403 with appropriate entry in /var/log/apache2/modsec_audit.log
# and /var/log/apache2/error_log.
#
# See https://coreruleset.org/docs/1-getting-started/1-1-crs-installation/
# for details.

3
SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:637b53696e96f3855f8d4bc678dd67dc8a4ba1ce7da418dafc74524cbf36c92a
size 291337

28
apache2-mod_security2-no_rpath.diff
View File

@ -1,8 +1,8 @@
Index: apache2/Makefile.am
Index: modsecurity-v2.9.8/apache2/Makefile.am
===================================================================
--- a/apache2/Makefile.am.orig
+++ b/apache2/Makefile.am
@@ -118,7 +118,7 @@ mod_security2_la_LDFLAGS = -module -avoi
--- modsecurity-v2.9.8.orig/apache2/Makefile.am
+++ modsecurity-v2.9.8/apache2/Makefile.am
@@ -125,7 +125,7 @@ mod_security2_la_LDFLAGS = -module -avoi
endif
if LINUX
@ -11,11 +11,11 @@ Index: apache2/Makefile.am
@APR_LDFLAGS@ \
@APU_LDFLAGS@ \
@APXS_LDFLAGS@ \
Index: apache2/Makefile.in
Index: modsecurity-v2.9.8/apache2/Makefile.in
===================================================================
--- a/apache2/Makefile.in.orig
+++ b/apache2/Makefile.in
@@ -691,7 +691,7 @@ libinjection/mod_security2_la-libinjecti
--- modsecurity-v2.9.8.orig/apache2/Makefile.in
+++ modsecurity-v2.9.8/apache2/Makefile.in
@@ -743,7 +743,7 @@ libinjection/mod_security2_la-libinjecti
libinjection/$(DEPDIR)/$(am__dirstamp)
mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES)
@ -24,11 +24,11 @@ Index: apache2/Makefile.in
mostlyclean-compile:
-rm -f *.$(OBJEXT)
Index: build/libtool.m4
Index: modsecurity-v2.9.8/build/libtool.m4
===================================================================
--- a/build/libtool.m4.orig
+++ b/build/libtool.m4
@@ -5053,7 +5053,7 @@ dnl Note also adjust exclude_expsyms for
--- modsecurity-v2.9.8.orig/build/libtool.m4
+++ modsecurity-v2.9.8/build/libtool.m4
@@ -5079,7 +5079,7 @@ dnl Note also adjust exclude_expsyms for
# are reset later if shared libraries are not supported. Putting them
# here allows them to be overridden if necessary.
runpath_var=LD_RUN_PATH
@ -37,7 +37,7 @@ Index: build/libtool.m4
_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
# ancient GNU ld didn't support --whole-archive et. al.
if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
@@ -5322,7 +5322,7 @@ _LT_EOF
@@ -5350,7 +5350,7 @@ _LT_EOF
# DT_RUNPATH tag from executables and libraries. But doing so
# requires that you compile everything twice, which is a pain.
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
@ -46,7 +46,7 @@ Index: build/libtool.m4
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
else
@@ -6409,7 +6409,7 @@ if test yes != "$_lt_caught_CXX_error";
@@ -6439,7 +6439,7 @@ if test yes != "$_lt_caught_CXX_error";
_LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'

64
apache2-mod_security2.changes
View File

@ -1,3 +1,67 @@
-------------------------------------------------------------------
Tue Jan 21 13:28:24 UTC 2025 - pgajdos@suse.com
- package cleanup, coordinated with owasp-modsecurity-crs cleanup
- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
* Fixed ap_log_perror() usage
* Memory leaks + enhanced logging
* CI improvement: First check syntax & always display error/audit logs
* Fixed assert() usage
* Removed useless code
* feat: Check if the MP header contains invalid character
* Use standard httpd logging format in error log
* fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
* Move xmlFree() call to the right place
* Add collection size in log in case of writing error
* Passing address of lock instead of lock in acquire_global_lock()
* Invalid pointer access in case rule id == NOT_SET_P
* Show error.log after httpd start in CI
* chore: add pull request template
* chore: add gitignore file
* Possible double free
* Set 'jit' variable's initial value
* Missing null byte + optimization
* fix: remove usage of insecure tmpname
* docs: update copyright
* Enhanced logging [Issue #3107]
* Check for null pointer dereference (almost) everywhere
* Fix possible segfault in collection_unpack
* fix: Replace obsolete macros
* chore: update bug-report-for-version-2-x.md
* feat: Add more steps: install built module and restart the server
* Add new flag: --without-lua
* Initial release of CI worklow
* V2/fixbuildissue
* ; incorrectly replaced by space in cmdline
* Detailed error message when writing collections
* docs: Fix organization name in references and security e-mail (v2)
* ctl:ruleRemoveByTag isn't executed if no rule id is present in the rule
* Suppress useless loop on tag matching
* Optimization: Avoid last loop and storing an empty value in case nothing
after last %{..} macro
* Ignore (consistently) empty actions
* Add context info to error message
* Implement msre_action_phase_validate()
* Avoid some useless code and memory allocation in case no macro is present
* 'jit' variable not initialized when WITH_PCRE2 is defined
* Configure: do not check for pcre1 if pcre2 requested
* Double memory allocation
* Fix for DEBUG_CONF compile flag
* Enhance logging
* Fix possible segfault in collection_unpack
* Set the minimum security protocol version for SecRemoteRules
* Allow lua version 5.4
* Configure: do not check for pcre1 if pcre2 requested
* Check return code of apr_procattr_io_set()
* Do not escape special chars in rx pattern with macro
* Substitute two equals-equals operators in build
- modified patches
% apache2-mod_security2-no_rpath.diff (refreshed)
% modsecurity-2.9.3-input_filtering_errors.patch (refreshed)
% modsecurity-fixes.patch (refreshed)
- added sources
+ apache2-mod_security2.keyring
-------------------------------------------------------------------
Tue Jun 4 12:14:51 UTC 2024 - pgajdos@suse.com

52
apache2-mod_security2.keyring Normal file
View File

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGW1M88BEACdOnF8zBA5RiSyv5V8vslhbqysNSkqsUmVvGnGoguI8kA0CRNU
YNdaxZ5E/WsZ0lbBNw/xjf9Wa52ZUCKHkGjR4DNxn0IZRjowYTYNxNWrSvdon9MY
XXAN6uomWtRFAbvLTo7VnV5NhrKnx8mXl0SgVDMveaQJ0NCa7onmFpVgNj+i1neU
fPiXqFl///dM6xNLL8DU3a2k42ZUUVYpcu94f78WFfGujePdgP1tHRP08JxfvvaZ
VnwpYHXJXjaoXCpiK4A6jj79BeZIgpEGLcYbI+mk+uIe7L81U4nRIOJgoYk8nIv8
0no+lS8KDzW3hnBDyzFp6bfyP1K4lM4vc6k1DHVBkUZT3C9CDdxgAbbfD0deq8yI
+5/q38mPAJ6gyicnskji25PzzxnzCRt73wQHCZ/x4RAwnKVeStYLtNqsDSk/Zm0n
qqOwZKf0DpMuwJUCQ2I5xYL/R5FthElL/QAQ9E0C2GG1kj5+V/4spsBwwzQ3Ct2x
ntnME4CInxWPfhlAAVLw28Zb/paExLGO28VcQHM8uBMMZXP4T5L+INbb2ax1WB2n
h3NzBrxzL3H47woWFmTcM1beqcqya5k/Q2tfTl1x4AmifOWXOytGqUpgiM6J2lSS
/0N0rbykep9JftaIZbj2TTVk2VKOv7KQdLUgFXmtPWmb12fVOpkhAfweVQARAQAB
tClPV0FTUCBNb2RTZWN1cml0eSA8bW9kc2VjdXJpdHlAb3dhc3Aub3JnPokCTgQT
AQgAOBYhBAsroZJAZbRGkSAqKtKG4CIUnw9uBQJltTPPAhsDBQsJCAcCBhUKCQgL
AgQWAgMBAh4BAheAAAoJENKG4CIUnw9u2C0P/jVJB7sCyDMAgyp0KkYynt7Qgf2q
WQFDVz/KoPqj1qZaKOBjScZbprgDMuqkDELqpAP4MuzhWjcL9CDTbSuu+YQhwfBo
5mkbBBElFVw5n1rkhY/mpSe+uSZBLOGp37PCqrc17ihXm27Z/d9+mS1bX61ScpOy
50r5rm1r9KG3bXTZRKkK+3bkR25Blapo4rDW8k6LzfmlfucsZ0/VZIol/+GOl3HX
9IPWbUmW7LwS7+SYPms6c6XrPa57v2RgZDb/MOULqeayUjiOMX6bAAlVYJaoQ1yp
VOO5kafResYHhK2Vz6oYvpR4va1KqkVEwOPsBmMmR0qQGtAqeE+yvI7Dm4mUZtYc
jZdx8CDCqgLz8xuGcO2ewenhxy50CkLpoNKvYIMcZo+s+EfL4M9TG+eMDZlEmgGG
rPk96uplna9aWZWYXO2rgZ8kj8G9yOuf+vQAAGh9se2iQmSUw0ph9Sex04VjJAD/
XQyDeS4Z1TT2TBhHf9+zxb8EsLiEjYzC1Rxj4wsr6uxJpXIdnSLusZ75z2ZpKtpU
O3aDcqMfosO+iocvKgy+TOWgF4SRjoVe/P5INHP/NMHrEX/ZAMqk0CE7jM2z9I/B
aZ2wK87djVaTRgk3x+i2run3hpGr3eKAm0P6lTKhS/zZ9NEa3L1XSzD7JwBEmRuS
70M0myS+bzhfB9VouQINBGW1M88BEACxgm1yOuZLy0IrMfW9DohAVDbspd3VjxjP
+uAF4ZPFuxyXP+Co9Rts3XsBZaPqyFOYknlvo0IBq6EPmsWpZ5jT2cbJyo9LZE4N
aGheccpin3kg1WN/sWdYPW2hlJhgOA/AKsyil0TDEYvGht1M1uz2Hf5d6kp1Ex5d
inVgKneVHTRyJp5jlvgzxYsJKlMX4S+5APo0IfXDiko6BA4ltmd0knQSn6owARkM
BOa4fxzknRZHmYmd24AhYzDShNCGVQHSFn1Pz+wD88FFOczDiPPiaEq8T2J8A15g
kxntWSa67d0R9k6arF3SEHA4YvSCzIQsdhXdnGJwgEl341qr6uant2PErAaWDIXT
XJ4e3oCMT73OW/lEawJvPSJYDDi03RgJBQcs4iN073zzwUIuaFV21RIUcGjRmwnX
mJ7ttyLGqYya88DgXT4zX3xm7un/ZkcRKL0KPNOWGoc2rl/XDMYChqgRvOOPaOlr
6oAF8jxTKnpWSI9edhg7PBAlpQtl3DPnJ8pg9KUvuledJnfIs6VjtbfsGwD7b7M+
LDVErH218SYsEJ61nmPBzomlJpb9T7TxImBbuP9H6QUq0FKeTk1dbc4bx2Msw7dM
b3AwIGgpS3T1zoS2au9daieoiZxFrjlsyut2DnuZ2XeWJts/VPW/JsREH3nSucQQ
sQVp0ToZtQARAQABiQI2BBgBCAAgFiEECyuhkkBltEaRICoq0obgIhSfD24FAmW1
M88CGwwACgkQ0obgIhSfD24gXQ//dsZRiGsiZ7rJ9MvFQvSMuKnjNVNhQYCzBO02
7RQDUKL/pcdjXNaAkGMP+60e6ipPBJPV1dEz2C8no1IBQokF7bMkC3u22dGywH4j
9ddtkE8qeJQ/7Dc+rS7w5dno8EzLiVW9088wm00NXydJ4FuqEpEvUHyEIIqBGPja
UheL5WzzAmPkYPNGAHNKoPp55aPrpcJAr1Dknv+fhptnzcPtNSia+NHeC/aBjPXQ
YBpzcGXbEuj/Jn0ugmMhLhDYQDc8uKmeYSp6p9PjIjZxry6ISGtAKNVJe5+xBKvt
AdotNiOl2ida9Z7RpmgpNqblCyTwIWfji66XCnvZHQzCdMBXfeO5MRvg6diVtcA2
CJYaiN6FvSWmolp47SRg1/bvRdNxe+IPBWPFufWmU/CrQOyfJy8/H3VjKuaHA0Ba
HyAgobm/kGjkQy2ZO/KMyjesqPcAL8CtKZ57Fzgus3UFIhANC+T6KtxQTIpj1nlN
OdWlYCl1FQXPc561Tgicv4oiJOXOOxiVlF0H3+ldBzijNviciaJcBCS+2clN2moY
GRQm4g0sSm1ItA57xD6dzjqdfN4X0lptKOoQyDfrTJZftuUUtU4xifnVIuWrtBsn
yNxo8FXdFKN9E5vHeAQsZRIXG66Ym0VqI+KhkMYzJpRN6SqZJNiFjdddmJhiCg7o
kKSFrwk=
=tFPe
-----END PGP PUBLIC KEY BLOCK-----

66
apache2-mod_security2.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package apache2-mod_security2
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -16,21 +16,18 @@
#
%define modname mod_security2
%define tarballname modsecurity-%{version}
%define usrsharedir %{_datadir}/%{name}
Name: apache2-mod_security2
Version: 2.9.7
Version: 2.9.8
Release: 0
Summary: Web Application Firewall for apache httpd
Summary: Web Application Firewall for Apache httpd
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
URL: https://www.modsecurity.org/
Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
Source2: mod_security2.conf
Source6: README-SUSE-mod_security2.txt
Source7: empty.conf
Source0: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz
Source1: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz.asc
Source2: apache2-mod_security2.keyring
Source3: mod_security2.conf
Source4: README_SUSE
Patch0: apache2-mod_security2-no_rpath.diff
Patch1: modsecurity-fixes.patch
Patch2: apache2-mod_security2_tests_conf.patch
@ -54,6 +51,7 @@ BuildRequires: pkgconfig
Requires: %{apache_mmn}
Requires: %{apache_suse_maintenance_mmn}
Requires: apache2
Recommends: owasp-modsecurity-crs-apache2
%description
ModSecurity is an intrusion detection and prevention
@ -63,10 +61,8 @@ ModSecurity is to increase web application security, protecting web
applications from known and unknown attacks.
%prep
%setup -q -n %{tarballname}
%setup -q -D -T -a 1 -n %{tarballname}
mv -v SpiderLabs* rules
%autopatch -p1
%autosetup -p1 -n modsecurity-v%{version}
cp %{SOURCE4} .
%build
aclocal
@ -77,41 +73,23 @@ CFLAGS="%{optflags}" make %{?_smp_mflags}
%install
pushd apache2
install -d -m 0755 %{buildroot}%{apache_libexecdir}
install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/mod_security2.so
popd
install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d
cp -a %{SOURCE6} doc
install -d -m 0755 %{buildroot}/%{usrsharedir}
install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
rm -f rules/.gitignore rules/LICENSE
cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools
find rules -type f -exec chmod 644 {} +
cp -a rules %{buildroot}/%{usrsharedir}
rm -rf %{buildroot}/%{usrsharedir}/rules/util
rm -rf %{buildroot}/%{usrsharedir}/rules/lua
rm -f %{buildroot}/%{usrsharedir}/rules/READM*
rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG
mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d
mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d/rules
mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d/
cp -a %{SOURCE3} %{buildroot}%{apache_sysconfdir}/conf.d/
# Temporarily disable test suite as there are some failures that need to be solved
%check
make test
# make test-regression
%files
%{apache_libexecdir}/%{modname}.so
%config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
%dir %{apache_sysconfdir}/mod_security2.d
%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
%{apache_sysconfdir}/mod_security2.d/empty.conf
%{usrsharedir}
%{apache_libexecdir}/mod_security2.so
%license LICENSE
%doc README.md CHANGES NOTICE authors.txt
%doc doc/README.txt
%doc doc/README-SUSE-mod_security2.txt
%doc rules/util/regression-tests
%dir %{apache_sysconfdir}/mod_security2.d
%dir %{apache_sysconfdir}/mod_security2.d/rules
%dir %{apache_sysconfdir}/conf.d/
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_security2.conf
%doc README.md CHANGES NOTICE authors.txt README_SUSE
%changelog

4
empty.conf
View File

@ -1,4 +0,0 @@
# This configuration file has been intentionally left empty to avoid errors
# resulting from an Include statement that matches no files.
# (IncludeOptional is available for apache > 2.4)
#

328
mod_security2.conf
View File

@ -1,293 +1,55 @@
# Dear administrator/webmaster,
#
# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
# the configuration of mod_security2.
# Please read this text down to line 63 for information about activation
# and configuration of the mod_security2 apache module.
#
# To activate mod_security2, its apache module must be configured to be
# loaded when apache starts. The mod_security2 apache module depends on
# the module mod_unique_id to be able to run. This means that both apache
# modules must be activated/loaded when apache starts.
# Change the configuration to load these two modules by adding the two
# module names "security2" and "unique_id" to the variable APACHE_MODULES
# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
# a2enmod (enable apache module) and a2dismod (disable apache module).
# These two tools expect the name of the module without the leading
# "mod_" as an argument!
#
# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then
# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
# script.
#
# example for the use of a2enmod/a2dismod:
#
# a2enmod security2 # enable module security2
# a2enmod unique_id # enable module unique_id
#
# a2dismod security2 # disable
# a2dismod unique_id # %
#
# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
# configuration settings, then loads
# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
# which is the baseline for the rules that can be loaded later.
#
# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
# For the rules you wish to apply, place a symlink to the rules file there.
#
# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9
# is contained in this package, a splendid set of rules made to provide for a
# decent basic and even advanced protection. The rules files are contained
# in the directory /usr/share/apache2-mod_security2/rules/.
#
# Example (use all of the basic rules that come with the package):
#
# cd /etc/apache2/mod_security2.d
# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
# ln -s $i .
# done
#
# At last, simply restart apache:
# rcapache2 restart
#
# In doubt, please consult the valuable online documentation on the project's
# website, which is the authoritative source for documentation.
# For offline reading, the webpages for the Reference Guide and the FAQ are
# located in the package's documentation directory, in the state of 2013/01:
# /usr/share/doc/packages/apache2-mod_security2
#
# Roman Drahtmueller <draht@suse.de>, SUSE, 20140610.
#
<IfModule mod_security2.c>
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security2
SecDataDir /var/lib/mod_security2
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/
# -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /var/log/apache2/modsec_debug.log
#SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
# -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
#SecUnicodeCodePage 20127
#SecUnicodeMapFile unicode.mapping
Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
# as set up with symlinks for files that are placed here:
Include /etc/apache2/mod_security2.d/*.conf
IncludeOptional /etc/apache2/mod_security2.d/*.conf
IncludeOptional /etc/apache2/mod_security2.d/rules/*.conf
</IfModule>

24
modsecurity-2.9.3-input_filtering_errors.patch
View File

@ -1,7 +1,8 @@
diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache2/apache2_io.c
--- modsecurity-2.9.3.old/apache2/apache2_io.c 2018-12-04 19:49:37.000000000 +0100
+++ modsecurity-2.9.3.new/apache2/apache2_io.c 2021-02-12 13:28:27.739749566 +0100
@@ -209,6 +209,10 @@
Index: modsecurity-v2.9.8/apache2/apache2_io.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/apache2_io.c
+++ modsecurity-v2.9.8/apache2/apache2_io.c
@@ -222,6 +222,10 @@ apr_status_t read_request_body(modsec_re
* too large and APR_EGENERAL when the client disconnects.
*/
switch(rc) {
@ -12,7 +13,7 @@ diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache
case APR_INCOMPLETE :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -7;
@@ -218,7 +222,7 @@
@@ -231,7 +235,7 @@ apr_status_t read_request_body(modsec_re
case APR_TIMEUP :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -4;
@ -21,10 +22,11 @@ diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
return -3;
case APR_EGENERAL :
diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apache2/mod_security2.c
--- modsecurity-2.9.3.old/apache2/mod_security2.c 2018-12-04 19:49:37.000000000 +0100
+++ modsecurity-2.9.3.new/apache2/mod_security2.c 2021-02-12 13:34:22.940428406 +0100
@@ -1013,7 +1013,7 @@
Index: modsecurity-v2.9.8/apache2/mod_security2.c
===================================================================
--- modsecurity-v2.9.8.orig/apache2/mod_security2.c
+++ modsecurity-v2.9.8/apache2/mod_security2.c
@@ -1032,7 +1032,7 @@ static int hook_request_late(request_rec
}
rc = read_request_body(msr, &my_error_msg);
@ -33,7 +35,7 @@ diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apa
switch(rc) {
case -1 :
if (my_error_msg != NULL) {
@@ -1021,6 +1021,21 @@
@@ -1040,6 +1040,21 @@ static int hook_request_late(request_rec
}
return HTTP_INTERNAL_SERVER_ERROR;
break;
@ -55,7 +57,7 @@ diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apa
case -4 : /* Timeout. */
if (my_error_msg != NULL) {
msr_log(msr, 4, "%s", my_error_msg);
@@ -1042,19 +1057,11 @@
@@ -1061,19 +1076,11 @@ static int hook_request_late(request_rec
}
}
break;

3
modsecurity-2.9.7.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839
size 4320766

22
modsecurity-fixes.patch
View File

@ -1,8 +1,8 @@
Index: modsecurity-2.9.0/apache2/msc_status_engine.c
Index: modsecurity-v2.9.8/apache2/msc_status_engine.c
===================================================================
--- modsecurity-2.9.0.orig/apache2/msc_status_engine.c
+++ modsecurity-2.9.0/apache2/msc_status_engine.c
@@ -37,6 +37,8 @@
--- modsecurity-v2.9.8.orig/apache2/msc_status_engine.c
+++ modsecurity-v2.9.8/apache2/msc_status_engine.c
@@ -40,6 +40,8 @@
#if (defined(__linux__) || defined(__gnu_linux__))
#include <linux/if.h>
#include <linux/sockios.h>
@ -11,11 +11,11 @@ Index: modsecurity-2.9.0/apache2/msc_status_engine.c
#endif
#ifdef HAVE_SYS_UTSNAME_H
#include <sys/utsname.h>
Index: modsecurity-2.9.0/apache2/msc_remote_rules.c
Index: modsecurity-v2.9.8/apache2/msc_remote_rules.c
===================================================================
--- modsecurity-2.9.0.orig/apache2/msc_remote_rules.c
+++ modsecurity-2.9.0/apache2/msc_remote_rules.c
@@ -792,6 +792,7 @@ next:
--- modsecurity-v2.9.8.orig/apache2/msc_remote_rules.c
+++ modsecurity-v2.9.8/apache2/msc_remote_rules.c
@@ -797,6 +797,7 @@ next:
"compilation.";
return -1;
#endif
@ -23,10 +23,10 @@ Index: modsecurity-2.9.0/apache2/msc_remote_rules.c
}
Index: modsecurity-2.9.0/apache2/msc_util.c
Index: modsecurity-v2.9.8/apache2/msc_util.c
===================================================================
--- modsecurity-2.9.0.orig/apache2/msc_util.c
+++ modsecurity-2.9.0/apache2/msc_util.c
--- modsecurity-v2.9.8.orig/apache2/msc_util.c
+++ modsecurity-v2.9.8/apache2/msc_util.c
@@ -18,6 +18,7 @@
#include <stdlib.h>
#include <sys/types.h>

3
modsecurity-v2.9.8.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cd57bd37f6062dca39dc8fba8d3e8db7351c5095de1e9ce7c3aa3890bc95855f
size 4341347

16
modsecurity-v2.9.8.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEECyuhkkBltEaRICoq0obgIhSfD24FAmbXB9IACgkQ0obgIhSf
D24nAA//aT21bY/w4MWg72yhXoi0GzcsZ6JU1HwWH3Y+NYfHcmgnwH1FkLdZSGM0
P9iZE6HCphqSEctm7oHrKzzUAfvdJo+Qv1dKxFAYf7MT4IPfCH2JGXM5IfW6Nx9S
7dh37kR53x0a9oj9n2+m8jWVbCr8yW4t2bOsmLHH6eBqSKAMYNI01wOhH+4kexVH
d56CVIeZ2RmoT6t0KwnsBoLOFHFOr+sHCowlsjvHVB74r/c6bx5uDok6FVbCmEKI
ettqURJerKrqfR9L145pqjJXPuCZJuYDDm905CfsdnTmNs4v7Hgimo9n2BLARtHf
tG+SEpUxotMLEA2ZE6W+cd/AM2nIIJ/TvY/S3XBDb7mmQW33A6wopJ7tu2XZ5SJJ
Nw5n5v9x3K6UYU/NgjdHbgGxy9TVFqSYaAqSrVUVIz2GpM6Oj0wJ9f1Wtj+v9iim
FYO/dXta29D91RT/0SShX1GAfpt8220zDEX0T+6J71znKzPH5+5Cr+UoDLmIR35t
EVbKcGMZW/6hL1mUyHFbjJgKnhFtRoMPuXUSXPWRjfc3HekwrKQmT8oDfkhdqP+Y
WxNspOGyUjKchUvrnnSkZnlGZSPXamFQ7/DLWNFp3P/aT0NkRSa8S0mLvAmRxY51
HiMAP+AQcsUcLAw0z5Lh7d52UJzYdMaBfs+p+j5GC05qflBpetY=
=oDiC
-----END PGP SIGNATURE-----