
73 Commits

Author SHA256 Message Date
Petr Gajdos
9292575705 add apache2-mod_security2-CVE-2025-54571.patch 2025-08-28 11:27:42 +02:00
Petr Gajdos
5f6ed1e7cc -CVE-2025-54571 2025-08-22 13:04:02 +02:00
e44551e136 Accepting request 1290193 from Apache:Modules
- version update to 2.9.11 [bsc#1245620] (CVE-2025-52891)
  * fix: prevent segmentation fault if the XML node is empty
  * Plug memory leak when msre_op_validateSchema_execute() exits normally (validateSchema)
  * chore: bump version in MSI installer.wxs
  * Fix resource leaks in `msc_status_engine_mac_address`
- modified patches
  % apache2-mod_security2-no_rpath.diff (refreshed)
  % modsecurity-fixes.patch (refreshed)

OBS-URL: https://build.opensuse.org/request/show/1290193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=36
2025-07-06 15:07:05 +00:00
6e6f94d3d8 Accepting request 1282334 from Apache:Modules
apache2-mod_security2 2.9.10
CVE-2025-48866 (boo#1243976)
CVE-2025-47947 (boo#1243978) (forwarded request 1282154 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/1282334
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=35
2025-06-03 15:57:14 +00:00
3a561b5cff apache2-mod_security2 2.9.10
CVE-2025-48866 (boo#1243976)
CVE-2025-47947 (boo#1243978)

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=103
2025-06-03 13:20:19 +00:00
6c5b4c8a62 Accepting request 1265135 from Apache:Modules
- build with pcre2 (test suite disabled temporarily) (forwarded request 1253263 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/1265135
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=34
2025-03-31 09:39:41 +00:00
ee595a5847 - build with pcre2 (test suite disabled temporarily)
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=101
2025-03-28 09:59:34 +00:00
86e3cb04e5 Accepting request 1240740 from Apache:Modules
- fixes CVE-2022-48279 [bsc#1207378], CVE-2023-24021 [bsc#1207379]

OBS-URL: https://build.opensuse.org/request/show/1240740
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=33
2025-01-28 13:59:43 +00:00
d41eeb0bce - fixes CVE-2022-48279 [bsc#1207378], CVE-2023-24021 [bsc#1207379]
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=99
2025-01-28 09:25:37 +00:00
d91a19e9f0 Accepting request 1240477 from Apache:Modules
- package cleanup, coordinated with owasp-modsecurity-crs cleanup
- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
  * Fixed ap_log_perror() usage
  * Memory leaks + enhanced logging
  * CI improvement: First check syntax & always display error/audit logs
  * Fixed assert() usage
  * Removed useless code
  * feat: Check if the MP header contains invalid character
  * Use standard httpd logging format in error log
  * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
  * Move xmlFree() call to the right place
  * Add collection size in log in case of writing error
  * Passing address of lock instead of lock in acquire_global_lock()
  * Invalid pointer access in case rule id == NOT_SET_P
  * Show error.log after httpd start in CI
  * chore: add pull request template
  * chore: add gitignore file
  * Possible double free
  * Set 'jit' variable's initial value
  * Missing null byte + optimization
  * fix: remove usage of insecure tmpname
  * docs: update copyright
  * Enhanced logging [Issue #3107]
  * Check for null pointer dereference (almost) everywhere
  * Fix possible segfault in collection_unpack
  * fix: Replace obsolete macros
  * chore: update bug-report-for-version-2-x.md
  * feat: Add more steps: install built module and restart the server
  * Add new flag: --without-lua
  * Initial release of CI workflow (forwarded request 1239893 from pgajdos)

OBS-URL: https://build.opensuse.org/request/show/1240477
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=32
2025-01-27 19:55:30 +00:00
7312016b17 - package cleanup, coordinated with owasp-modsecurity-crs cleanup
- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
  * Fixed ap_log_perror() usage
  * Memory leaks + enhanced logging
  * CI improvement: First check syntax & always display error/audit logs
  * Fixed assert() usage
  * Removed useless code
  * feat: Check if the MP header contains invalid character
  * Use standard httpd logging format in error log
  * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
  * Move xmlFree() call to the right place
  * Add collection size in log in case of writing error
  * Passing address of lock instead of lock in acquire_global_lock()
  * Invalid pointer access in case rule id == NOT_SET_P
  * Show error.log after httpd start in CI
  * chore: add pull request template
  * chore: add gitignore file
  * Possible double free
  * Set 'jit' variable's initial value
  * Missing null byte + optimization
  * fix: remove usage of insecure tmpname
  * docs: update copyright
  * Enhanced logging [Issue #3107]
  * Check for null pointer dereference (almost) everywhere
  * Fix possible segfault in collection_unpack
  * fix: Replace obsolete macros
  * chore: update bug-report-for-version-2-x.md
  * feat: Add more steps: install built module and restart the server
  * Add new flag: --without-lua
  * Initial release of CI workflow

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=97
2025-01-27 09:41:24 +00:00
f10c880c82 Accepting request 1178493 from Apache:Modules
- %autopatch instead of %patchN
- modified patches
  % apache2-mod_security2-no_rpath.diff (refreshed)

- Fix patch application syntax: Use %patch -P N instead of
  deprecated %patchN.

OBS-URL: https://build.opensuse.org/request/show/1178493
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=31
2024-06-05 15:39:46 +00:00
d07185cefe checkin
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=95
2024-06-04 12:15:05 +00:00
4f58a94cd5 Accepting request 1178487 from home:dimstar:Factory
- Fix patch application syntax: Use %patch -P N instead of
  deprecated %patchN.

OBS-URL: https://build.opensuse.org/request/show/1178487
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=94
2024-06-04 12:11:39 +00:00
22a2f6eab5 Accepting request 1173611 from Apache:Modules
- added patches
  fix build with gcc14
  + apache2-mod_security2-gcc14.patch (forwarded request 1172451 from pgajdos)

OBS-URL: https://build.opensuse.org/request/show/1173611
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=30
2024-05-13 15:58:23 +00:00
deb0e0b6c9 Accepting request 1172451 from home:pgajdos
- added patches
  fix build with gcc14
  + apache2-mod_security2-gcc14.patch

OBS-URL: https://build.opensuse.org/request/show/1172451
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=92
2024-05-13 09:19:16 +00:00
768d5ed2e7 Accepting request 1149082 from Apache:Modules
Prepare for RPM 4.20 (forwarded request 1147828 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/1149082
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=29
2024-02-22 19:59:10 +00:00
933e8d6dbd Accepting request 1147828 from home:dimstar:rpm4.20:a
Prepare for RPM 4.20

OBS-URL: https://build.opensuse.org/request/show/1147828
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=90
2024-02-22 08:23:14 +00:00
Danilo Spinella
196d82d91e Accepting request 1101664 from Apache:Modules
revert to 87

OBS-URL: https://build.opensuse.org/request/show/1101664
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=89
2023-08-01 09:41:33 +00:00
Danilo Spinella
b365d4d203 Accepting request 1099113 from home:dirkmueller:Factory
- reenable tests
- switch to SpiderLabs owasp 3.2.0 release (final release, upstream
  archived the project, please switch to coreruleset instead):
  * Various security fixes, see
    https://raw.githubusercontent.com/SpiderLabs/owasp-modsecurity-crs/v3.2.0/CHANGES
- introduce supply chain security by adding gpg signature and keyring

OBS-URL: https://build.opensuse.org/request/show/1099113
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=88
2023-08-01 09:14:57 +00:00
Danilo Spinella
ca6551fe3a Accepting request 1098838 from home:dirkmueller:Factory
- update to 2.9.7:
  * Fix: FILES_TMP_CONTENT may sometimes lack complete content
  * Support configurable limit on number of arguments processed
  * Silence compiler warning about discarded const
  * Support for JIT option for PCRE2
  * Use uid for user if apr_uid_name_get() fails
  * Fix: handle error with SecConnReadStateLimit configuration
  * Only check for pcre2 install if required
  * Adjustment of previous fix for log messages
  * Mark apache error log messages as from mod_security2
  * Use pkg-config to find libxml2 first
  * Support for PCRE2 in mlogc
  * Support for PCRE2
  * Adjust parser activation rules in modsecurity.conf-recommended
  * Multipart parsing fixes and new MULTIPART_PART_HEADERS
    collection
  * Limit rsub null termination to where necessary
  * IIS: Update dependencies for next planned release
  * XML parser cleanup: NULL duplicate pointer
  * Properly cleanup XML parser contexts upon completion
  * Fix memory leak in streams
  * Fix: negative usec on log line when data type long is 32b
  * mlogc log-line parsing fails due to enhanced timestamp
  * Allow no-key, single-value JSON body
  * Set SecStatusEngine Off in modsecurity.conf-recommended
  * Fix memory leak that occurs on JSON parsing error
  * Multipart names/filenames may include single quote if double-quote enclosed
  * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-

OBS-URL: https://build.opensuse.org/request/show/1098838
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=87
2023-07-17 08:33:54 +00:00
e21ae5f2cf Accepting request 907289 from Apache:Modules
OBS-URL: https://build.opensuse.org/request/show/907289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=28
2021-07-20 13:39:41 +00:00
Danilo Spinella
1dd8c36c28 Accepting request 907288 from home:dspinella:branches:Apache:Modules
OBS-URL: https://build.opensuse.org/request/show/907288
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=86
2021-07-20 09:51:27 +00:00
Danilo Spinella
2bc003e915 Accepting request 907282 from home:dspinella:branches:Apache:Modules
- Update to 2.9.4:
  * Add microsec timestamp resolution to the formatted log timestamp
  * Added missing Geo Countries
  * Store temporaries in the request pool for regexes compiled per-request.
  * Fix other usage of the global pool for request temporaries in re_operators.c
  * Adds a sanity check before using ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
  * Fix the order of error_msg validation
  * When the input filter finishes, check whether we returned data
  * fix: care non-null terminated chunk data
  * Fix for apr_global_mutex_create() crashes with mod_security
  * Fix inet addr handling on 64 bit big endian systems
- Run spec-cleaner
- Remove if/else for older version of SUSE distribution

OBS-URL: https://build.opensuse.org/request/show/907282
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=85
2021-07-20 09:36:03 +00:00
bdf2c9008a Accepting request 874491 from Apache:Modules
- version update to 2.9.3
 * Enable optimization for large stream input by default on IIS
   [Issue #1299 - @victorhora, @zimmerle]
 * Allow 0 length JSON requests.
   [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
 * Include unnamed JSON values in unnamed ARGS
   [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
 * Fix buffer size for utf8toUnicode transformation
   [Issue #1208 - @katef, @victorhora]
 * Fix sanitizing JSON request bodies in native audit log format
   [p0pr0ck5, @victorhora]
 * IIS: Update Wix installer to bundle a supported CRS version (3.0)
   [@victorhora, @zimmerle]
 * IIS: Update dependencies for Windows build
   [Issue #1848 - @victorhora, @hsluoyz]
 * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
   [Issue #1299 - @victorhora]
 * IIS: Update modsecurity.conf
   [Issue #788 - @victorhora, @brianclark]
 * Add sanity check for a couple malloc() and make code more resilient
   [Issue #979 - @dogbert2, @victorhora, @zimmerl]
 * Fix NetBSD build by renaming the hmac function to avoid conflicts
   [Issue #1241 - @victorhora, @joerg, @sevan]
 * IIS: Windows build, fix duplicate YAJL dir in script
   [Issue #1612 - @allanbomsft, @victorhora]
 * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
   [Issue #1917 - @allanbomsft, @victorhora]
 * Fix mpm-itk / mod_ruid2 compatibility
   [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
 * Code cosmetics: checks if actionset is not null before using it

OBS-URL: https://build.opensuse.org/request/show/874491
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=27
2021-02-23 19:21:41 +00:00
1f5c2cdf32 - version update to 2.9.3
 * Enable optimization for large stream input by default on IIS
   [Issue #1299 - @victorhora, @zimmerle]
 * Allow 0 length JSON requests.
   [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
 * Include unnamed JSON values in unnamed ARGS
   [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
 * Fix buffer size for utf8toUnicode transformation
   [Issue #1208 - @katef, @victorhora]
 * Fix sanitizing JSON request bodies in native audit log format
   [p0pr0ck5, @victorhora]
 * IIS: Update Wix installer to bundle a supported CRS version (3.0)
   [@victorhora, @zimmerle]
 * IIS: Update dependencies for Windows build
   [Issue #1848 - @victorhora, @hsluoyz]
 * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
   [Issue #1299 - @victorhora]
 * IIS: Update modsecurity.conf
   [Issue #788 - @victorhora, @brianclark]
 * Add sanity check for a couple malloc() and make code more resilient
   [Issue #979 - @dogbert2, @victorhora, @zimmerl]
 * Fix NetBSD build by renaming the hmac function to avoid conflicts
   [Issue #1241 - @victorhora, @joerg, @sevan]
 * IIS: Windows build, fix duplicate YAJL dir in script
   [Issue #1612 - @allanbomsft, @victorhora]
 * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
   [Issue #1917 - @allanbomsft, @victorhora]
 * Fix mpm-itk / mod_ruid2 compatibility
   [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
 * Code cosmetics: checks if actionset is not null before using it

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=83
2021-02-23 07:55:22 +00:00
fa79cf847b Accepting request 777581 from Apache:Modules
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/777581
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=26
2020-02-20 13:57:56 +00:00
edc44d368e - removing %apache_test_* macros, do not test module just by
loading the module

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=81
2020-02-13 07:56:49 +00:00
4374cdecf2 Accepting request 741022 from openSUSE:Factory
revert

OBS-URL: https://build.opensuse.org/request/show/741022
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=80
2019-10-18 09:16:43 +00:00
45ffd97882 Accepting request 739567 from home:RBrownSUSE:branches:Apache:Modules
Remove obsolete Groups tag (fate#326485)

OBS-URL: https://build.opensuse.org/request/show/739567
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=79
2019-10-17 13:42:44 +00:00
9dd6e62366 Accepting request 561619 from Apache:Modules
OBS-URL: https://build.opensuse.org/request/show/561619
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=25
2018-01-09 13:52:25 +00:00
11811bcb4e Accepting request 560465 from home:jengelh:branches:Apache:Modules
* (TM) ought not to be used according to openSUSE's license guidelines (when I last looked at it)
* simplify the find line

OBS-URL: https://build.opensuse.org/request/show/560465
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=77
2018-01-04 12:36:56 +00:00
0cf4ea6d08 - fix build for SLE_11_SP4: BuildRoot and %deffattr have to be
present

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=76
2017-12-20 09:21:12 +00:00
8a706f0f57 Accepting request 556963 from home:kstreitova:branches:Apache:Modules
- update to 2.9.2
  * release notes
    https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2
  * refresh apache2-mod_security2-no_rpath.diff
  * remove apache2-mod_security2-lua-5.3.patch that was applied
    upstream
- remove outdated html pages and diagram (they can be accessed
  online at https://github.com/SpiderLabs/ModSecurity/wiki)
  * Reference-Manual.html.bz2
  * ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
  * modsecurity_diagram_apache_request_cycle.jpg
- don't pack the whole doc directory as it contains also Makefiles
  or doxygen configuration files
- disable mlogc as we don't pack it and it also can't be built for
  curl <=7.34
- add basic and regression test suite (but disabled for now)
  * add apache2-mod_security2_tests_conf.patch for apache2
    configuration file used for tests that was trying to load
    mpm_worker_module (it's static for our apache2 package)
  * add "BuildRequires: perl-libwww-perl" needed for the test suite

OBS-URL: https://build.opensuse.org/request/show/556963
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=75
2017-12-18 09:36:29 +00:00
805deb3424 Accepting request 505810 from Apache:Modules
Fix build in TW (forwarded request 505247 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/505810
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=24
2017-06-26 13:52:32 +00:00
57568dbaa7 Accepting request 505247 from home:dimstar:Factory
Fix build in TW

OBS-URL: https://build.opensuse.org/request/show/505247
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=73
2017-06-23 06:38:29 +00:00
efb9e595f9 Accepting request 482450 from Apache:Modules
1

OBS-URL: https://build.opensuse.org/request/show/482450
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=23
2017-03-31 13:08:39 +00:00
70673e6619 Accepting request 482327 from home:kstreitova:branches:Apache:Modules
- cleanup with spec-cleaner

OBS-URL: https://build.opensuse.org/request/show/482327
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=71
2017-03-24 09:57:51 +00:00
edc5905530 Accepting request 331626 from home:pgajdos:apache2
OBS-URL: https://build.opensuse.org/request/show/331626
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=70
2015-09-18 11:51:55 +00:00
Stephan Kulow
4a7d4333c1 Accepting request 319208 from Apache:Modules
+ apache2-mod_security2-lua-5.3.patch (forwarded request 319207 from pgajdos)

OBS-URL: https://build.opensuse.org/request/show/319208
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=22
2015-08-05 04:50:58 +00:00
f42c808926 Accepting request 319207 from home:pgajdos:apache2
+ apache2-mod_security2-lua-5.3.patch

OBS-URL: https://build.opensuse.org/request/show/319207
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=68
2015-07-29 07:23:29 +00:00
404e95423a Accepting request 319200 from home:pgajdos:apache2
- fix build for lua 5.3

OBS-URL: https://build.opensuse.org/request/show/319200
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=67
2015-07-29 07:02:10 +00:00
Stephan Kulow
ec7a0121c1 Accepting request 317182 from Apache:Modules
1

OBS-URL: https://build.opensuse.org/request/show/317182
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=21
2015-07-20 09:21:07 +00:00
73cc1b8056 Accepting request 317137 from home:pgajdos:apache2
require %{apache_suse_maintenance_mmn}

OBS-URL: https://build.opensuse.org/request/show/317137
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=65
2015-07-16 17:01:10 +00:00
b358fcf6e0 Accepting request 290126 from Apache:Modules
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/290126
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=20
2015-03-11 08:58:49 +00:00
b5854b719c Accepting request 288294 from Apache:Modules
1

OBS-URL: https://build.opensuse.org/request/show/288294
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=19
2015-03-03 10:14:44 +00:00
Tomáš Chvátal
9215730c17 - Remove useless comment lines/whitespace
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=62
2015-03-02 14:46:30 +00:00
Tomáš Chvátal
c648fa3d5c Accepting request 287448 from home:elvigia:branches:Apache:Modules
- spec, build: Respect optflags
- spec: buildrequire pkgconfig
- modsecurity-fixes.patch: mod_security fails at:
  * building with optflags enabled due to undefined behaviour
    and implicit declarations.
  * It abuses the apr_allocator api, creating one allocator
    per request and then destroying it, flooding the system
    with mmap(), munmap requests; this is particularly nasty
    with threaded mpms. It should instead use the allocator
    from the request pool.

OBS-URL: https://build.opensuse.org/request/show/287448
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=61
2015-03-01 11:04:28 +00:00
Stephan Kulow
4e9b646600 Accepting request 286232 from Apache:Modules
1

OBS-URL: https://build.opensuse.org/request/show/286232
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=18
2015-02-16 21:11:53 +00:00
Cristian Rodríguez
fbf8e83717 Accepting request 286140 from home:thomas-worm-sicsec:release:mod_security
Raised to version 2.9

OBS-URL: https://build.opensuse.org/request/show/286140
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=59
2015-02-15 17:09:07 +00:00
ad8d318371 Accepting request 260854 from Apache:Modules
1

OBS-URL: https://build.opensuse.org/request/show/260854
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=17
2014-11-11 23:21:58 +00:00
Tomáš Chvátal
7f3314325c Accepting request 259451 from home:pgajdos:apache2
- call spec-cleaner
- use apache rpm macros

OBS-URL: https://build.opensuse.org/request/show/259451
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=57
2014-11-11 12:00:42 +00:00
Stephan Kulow
6dbfb577bd Accepting request 246670 from Apache:Modules
- Portability: provide /etc/apache2/mod_security2.d/empty.conf
  to avoid a non-match of the file-glob in the Include statement
  from /etc/apache2/conf.d/mod_security2.conf . This restores
  the Include back from the IncludeOptional, which is not portable.
- Source URL set to (expanded)
  https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

- Fixed spec file to work with older distribution versions.
  Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
  has to be called.

- last changelog does not say that 
  apache2-mod_security2-libtool-fix.diff was obsoleted.

- BuildRequires: libtool missing

- apache2-mod_security2-libtool-fix.diff: initialize libtool.

- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
  in autoconf m4 macros. Obsoletes patch
  modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
  BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build

- OWASP rule set. [bnc#876878]
  new in 2.8.0 (more complete changelog to add to last changelog):
  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
    now support white and suspicious list

OBS-URL: https://build.opensuse.org/request/show/246670
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=16
2014-09-03 16:22:03 +00:00
Roman Drahtmueller
6145a7eaa6 - Source URL set to (expanded)
https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=55
2014-08-27 16:57:19 +00:00
Roman Drahtmueller
d204f2d2ca OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=54 2014-08-27 16:54:45 +00:00
Roman Drahtmueller
b518d3bbc3 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=53 2014-08-27 16:51:13 +00:00
Roman Drahtmueller
683b922885 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=52 2014-08-27 16:32:34 +00:00
Roman Drahtmueller
8897dd4991 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=51 2014-08-27 15:32:56 +00:00
Roman Drahtmueller
0d2701922b - Portability: provide /etc/apache2/mod_security2.d/empty.conf
  to avoid a non-match of the file-glob in the Include statement
  from /etc/apache2/conf.d/mod_security2.conf . This restores
  the Include back from the IncludeOptional, which is not portable.

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=50
2014-08-27 15:30:58 +00:00
Roman Drahtmueller
fc3d6dbc4e Accepting request 246404 from home:thomas-worm-sicsec:dev:mod_security
Added backward compatibility for SLE 11 (aclocal fails on older distributions than openSuSE 13.1). Please forward to updates.

OBS-URL: https://build.opensuse.org/request/show/246404
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=49
2014-08-27 15:27:01 +00:00
Roman Drahtmueller
f458f3c6eb - last changelog does not say that
  apache2-mod_security2-libtool-fix.diff was obsoleted.

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=48
2014-07-07 12:07:15 +00:00
Roman Drahtmueller
fce1311a9b - BuildRequires: libtool missing
- apache2-mod_security2-libtool-fix.diff: initialize libtool.

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=47
2014-06-16 17:03:44 +00:00
Roman Drahtmueller
7ec8988758 - apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
  in autoconf m4 macros. Obsoletes patch
  modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
  BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build

- OWASP rule set. [bnc#876878]
  new in 2.8.0 (more complete changelog to add to last changelog):
  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
    now support white and suspicious list
  * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintained upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer
    to hashes. See CHANGES file for more details.
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual
  * wrong time calculation when logging for some timezones fixed.
  * replaced time-measuring mechanism with finer granularity for
    measured request/answer phases. (Stopwatch remains for compat.)
  * cookie parser memory leak fix
  * parsing of quoted strings in multipart Content-Disposition
    headers fixed.

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=46
2014-06-16 15:37:59 +00:00
Cristian Rodríguez
2052f24a65 Accepting request 232296 from home:thomas-worm-sicsec:dev:mod_security
- Raised to version 2.8.0.
- updated patches:
  * modsecurity-apache_2.8.0-build_fix_pcre.diff
    -> modsecurity-apache_2.7.7-build_fix_pcre.diff

OBS-URL: https://build.opensuse.org/request/show/232296
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=45
2014-05-01 19:12:22 +00:00
Tomáš Chvátal
70581c9f39 Accepting request 215135 from home:thomas-worm-sicsec:dev:mod_security
- Raised to version 2.7.7.
- modified patches:
  * modsecurity-apache_2.7.5-build_fix_pcre.diff,
    renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff.

OBS-URL: https://build.opensuse.org/request/show/215135
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=44
2014-03-19 10:06:20 +00:00
Roman Drahtmueller
43623123c6 Accepting request 214773 from home:aeneas_jaissle:branches:Apache:Modules
Use correct source Url

OBS-URL: https://build.opensuse.org/request/show/214773
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=43
2014-01-23 13:15:05 +00:00
Roman Drahtmueller
fdf6dd2bf3 Accepting request 206042 from home:draht:branches:Apache:Modules
- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
  /etc/apache2/conf.d/mod_security2.conf loads
  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
  then /etc/apache2/mod_security2.d/*.conf , as set up based on
  advice in /etc/apache2/conf.d/mod_security2.conf
  Your configuration starting point is
  /etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous
  linker parameter, preventing rpath in shared object.
- fixes contained for the following bugs:
  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
  * [bnc#768293] multi-part bypass, minor threat
  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
  * CVE-2012-4528 [bnc#789393] rule bypass
  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintained upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer
    to hashes. See CHANGES file for more details.
  * new directive SecXmlExternalEntity, default off
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual

OBS-URL: https://build.opensuse.org/request/show/206042
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=42
2013-11-06 23:16:14 +00:00
Stephan Kulow
6341f03002 Accepting request 131757 from Apache:Modules
license update: Apache-2.0 and GPL-2.0
Many of the files in the rules/ subdirectory are GPL-2.0 licensed (forwarded request 131755 from babelworx)

OBS-URL: https://build.opensuse.org/request/show/131757
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=12
2012-08-27 13:45:37 +00:00
OBS User autobuild
d18096df00 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=6 2010-03-18 14:34:53 +00:00
OBS User unknown
630c208028 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=4 2009-06-17 17:12:51 +00:00
OBS User unknown
4263c40609 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=3 2009-05-19 00:53:20 +00:00
OBS User unknown
492d69c20d OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=2 2009-01-23 22:43:58 +00:00
OBS User unknown
b08c840c20 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=1 2008-09-24 13:02:28 +00:00
12 changed files with 246 additions and 96 deletions

@@ -1,13 +0,0 @@
#
# Dear Administrator,
#
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Your starting point for the configuration of mod_security2 is
# /etc/apache2/conf.d/mod_security2.conf .
# Please see that file for comments on how to activate the module
# and on how to assign rules.
#
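Review bot: this deletion drops the only place that tells the administrator that mod_security2 is not activated by default and that /etc/apache2/conf.d/mod_security2.conf is the configuration starting point (the text at the top of this hunk). Unless that notice now lives in the conf file itself or is printed from a scriptlet, the information is lost for people upgrading; please say in the commit message where it survives, or keep the file.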

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:637b53696e96f3855f8d4bc678dd67dc8a4ba1ce7da418dafc74524cbf36c92a
size 291337

@@ -0,0 +1,236 @@
From dfbde557acc41d858dbe04d4b6eaec64478347ff Mon Sep 17 00:00:00 2001
From: Ervin Hegedus <airween@gmail.com>
Date: Wed, 30 Jul 2025 10:55:33 +0200
Subject: [PATCH] Fix invalid request handling
---
apache2/apache2_io.c | 48 +++++++++++++++++-----------------
apache2/mod_security2.c | 57 ++++++-----------------------------------
2 files changed, 32 insertions(+), 73 deletions(-)
Index: modsecurity-v2.9.11/apache2/apache2_io.c
===================================================================
--- modsecurity-v2.9.11.orig/apache2/apache2_io.c
+++ modsecurity-v2.9.11/apache2/apache2_io.c
@@ -192,27 +192,29 @@ apr_status_t read_request_body(modsec_re
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: This request does not have a body.");
}
- return 0;
+ return APR_SUCCESS;
}
if (msr->txcfg->reqbody_access != 1) {
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Request body access not enabled.");
}
- return 0;
+ return APR_SUCCESS;
}
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Reading request body.");
}
if (modsecurity_request_body_start(msr, error_msg) < 0) {
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
finished_reading = 0;
msr->if_seen_eos = 0;
bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc);
- if (bb_in == NULL) return -1;
+ if (bb_in == NULL) {
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
do {
apr_status_t rc;
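Review bot: the function is still declared `apr_status_t read_request_body(...)` (hunk header), but after this hunk it returns HTTP status codes (`APR_SUCCESS` at the two early exits, `HTTP_INTERNAL_SERVER_ERROR` when `modsecurity_request_body_start()` fails or the brigade cannot be created), and the caller in mod_security2.c compares the result with `OK`. That only works because `APR_SUCCESS` and `OK` are both 0; either change the declared return type to `int` or add a comment on the function stating that it returns an HTTP status, so the apr_status_t and HTTP value spaces are not mixed silently. The `return APR_SUCCESS;` replacements for the former `return 0;` are otherwise correct.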
@@ -224,27 +226,19 @@ apr_status_t read_request_body(modsec_re
switch(rc) {
case AP_FILTER_ERROR :
*error_msg = apr_pstrdup(msr->mp, "Error reading request body: filter error");
- return -8;
+ break;
- case APR_INCOMPLETE :
- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -7;
- case APR_EOF :
- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -6;
- case APR_TIMEUP :
- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -4;
case APR_ENOSPC:
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
- return -3;
+ break;
case APR_EGENERAL :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: Client went away.");
- return -2;
+ break;
default :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -1;
+ break;
}
+ return ap_map_http_request_error(rc, HTTP_BAD_REQUEST);
}
/* Loop through the buckets in the brigade in order
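Review bot: two behaviour changes in the rewritten `switch` deserve a sentence in the commit message. First, the removed `default : ... return -1;` used to surface unknown read errors to the caller as `HTTP_INTERNAL_SERVER_ERROR` (the old `case -1` in mod_security2.c), whereas `return ap_map_http_request_error(rc, HTTP_BAD_REQUEST);` now turns any `rc` the helper does not recognise into a 400; if that is intended, say so, otherwise pass `HTTP_INTERNAL_SERVER_ERROR` as the fallback. Second, the dedicated `APR_INCOMPLETE`, `APR_EOF` and `APR_TIMEUP` cases are gone, so those conditions now take the generic message from `default`; the status code is handled by the httpd helper, but the more specific log text is lost. Note also that `ap_map_http_request_error` was added during the httpd 2.4 line, so this patch makes the module depend on a sufficiently recent 2.4 release.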
@@ -260,7 +254,7 @@ apr_status_t read_request_body(modsec_re
rc = apr_bucket_read(bucket, &buf, &buflen, APR_BLOCK_READ);
if (rc != APR_SUCCESS) {
*error_msg = apr_psprintf(msr->mp, "Failed reading input / bucket (%d): %s", rc, get_apr_error(msr->mp, rc));
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
if (msr->txcfg->debuglog_level >= 9) {
@@ -273,7 +267,7 @@ apr_status_t read_request_body(modsec_re
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
*error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
} else if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
*error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
@@ -294,7 +288,7 @@ apr_status_t read_request_body(modsec_re
*error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
}
@@ -304,7 +298,7 @@ apr_status_t read_request_body(modsec_re
modsecurity_request_body_to_stream(msr, buf, buflen, error_msg);
#else
if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) {
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
#endif
}
@@ -323,7 +317,7 @@ apr_status_t read_request_body(modsec_re
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
} else if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
@@ -333,12 +327,12 @@ apr_status_t read_request_body(modsec_re
} else {
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
}
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT))
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
}
@@ -361,7 +355,13 @@ apr_status_t read_request_body(modsec_re
msr->if_status = IF_STATUS_WANTS_TO_RUN;
- return rcbe;
+ if (rcbe == -5) {
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ if (rcbe < 0) {
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ return APR_SUCCESS;
}
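Review bot: the new `if (rcbe == -5) { return HTTP_REQUEST_ENTITY_TOO_LARGE; }` rejects unconditionally, but the caller code this patch removes (the old `case -5 : /* Request body limit reached. */` in mod_security2.c) only returned 413 when `msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT` and otherwise logged the message, set `msr->inbound_error`, and let the request continue. If `modsecurity_request_body_end()` can return -5 in the partial-processing mode, this turns `ProcessPartial` into a hard reject; either guard the 413 with the same `if_limit_action` check the earlier hunks in this file use, or explain in the commit message why the unconditional reject is intended. The `rcbe < 0` to 500 mapping matches the old `case -1` handling.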
Index: modsecurity-v2.9.11/apache2/mod_security2.c
===================================================================
--- modsecurity-v2.9.11.orig/apache2/mod_security2.c
+++ modsecurity-v2.9.11/apache2/mod_security2.c
@@ -1032,64 +1032,18 @@ static int hook_request_late(request_rec
}
rc = read_request_body(msr, &my_error_msg);
- if (rc < 0) {
- switch(rc) {
- case -1 :
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- return HTTP_INTERNAL_SERVER_ERROR;
- break;
- case -2 : /* Bad request. */
- case -6 : /* EOF when reading request body. */
- case -7 : /* Partial recieved */
- if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
- }
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_BAD_REQUEST;
- break;
- case -3 : /* Apache's LimitRequestBody. */
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- return HTTP_REQUEST_ENTITY_TOO_LARGE;
- break;
- case -4 : /* Timeout. */
- if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
- }
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_REQUEST_TIME_OUT;
- break;
- case -5 : /* Request body limit reached. */
- msr->inbound_error = 1;
- if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
- r->connection->keepalive = AP_CONN_CLOSE;
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s. Deny with code (%d)", my_error_msg, HTTP_REQUEST_ENTITY_TOO_LARGE);
- }
- return HTTP_REQUEST_ENTITY_TOO_LARGE;
- } else {
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- }
- break;
- case -8 : /* Filter error. */
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- return AP_FILTER_ERROR;
- break;
- default :
- /* allow through */
- break;
- }
- msr->msc_reqbody_error = 1;
- msr->msc_reqbody_error_msg = my_error_msg;
- }
+ if (rc != OK) {
+ if (my_error_msg != NULL) {
+ msr_log(msr, 1, "%s", my_error_msg);
+ }
+
+ if (rc == HTTP_REQUEST_ENTITY_TOO_LARGE) {
+ msr->inbound_error = 1;
+ }
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return rc;
+ }
/* Update the request headers. They might have changed after
* the body was read (trailers).
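Review bot: the consolidated `if (rc != OK)` block logs every failure at level 1 and closes the connection, whereas the removed code logged client-side conditions (`-2` bad request, `-6` EOF, `-7` partial, `-4` timeout) at level 4 and reserved level 1 for server-side faults; on a busy server, clients dropping mid-upload will now fill the error log at the highest severity. Consider keeping level 4 for `HTTP_BAD_REQUEST` and `HTTP_REQUEST_TIME_OUT`. The block also drops the `msr->msc_reqbody_error = 1; msr->msc_reqbody_error_msg = my_error_msg;` assignments from the allow-through paths: since every non-OK `rc` now returns immediately, nothing in this function sets the request-body error flag that rules can test, so confirm that is intended and that no rule set relied on seeing the flag after a non-fatal read error. Setting `inbound_error` only for `HTTP_REQUEST_ENTITY_TOO_LARGE` matches the old `case -5`.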

@@ -1,35 +0,0 @@
Index: modsecurity-2.9.7/tests/msc_test.c
===================================================================
--- modsecurity-2.9.7.orig/tests/msc_test.c
+++ modsecurity-2.9.7/tests/msc_test.c
@@ -81,7 +81,7 @@ char DSOLOCAL *real_server_signature = N
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
char DSOLOCAL *remote_rules_fail_message = NULL;
module AP_MODULE_DECLARE_DATA security2_module = {
- NULL,
+ STANDARD20_MODULE_STUFF,
NULL,
NULL,
NULL,
Index: modsecurity-2.9.7/standalone/config.c
===================================================================
--- modsecurity-2.9.7.orig/standalone/config.c
+++ modsecurity-2.9.7/standalone/config.c
@@ -989,7 +989,7 @@ AP_DECLARE(const char *) process_fnmatch
const char *rootpath, *filepath = fname;
/* locate the start of the directories proper */
- status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
+ status = apr_filepath_root((const char **) &rootpath, (const char **) &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
/* we allow APR_SUCCESS and APR_EINCOMPLETE */
if (APR_ERELATIVE == status) {
@@ -1104,7 +1104,7 @@ ProcessInclude:
incpath = w;
/* locate the start of the directories proper */
- status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
+ status = apr_filepath_root((const char**) &rootpath, (const char **) &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp);
/* we allow APR_SUCCESS and APR_EINCOMPLETE */
if (APR_ERELATIVE == status) {

@@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Aug 22 09:51:44 UTC 2025 - pgajdos@suse.com
- security update
- added patches
CVE-2025-54571 [bsc#1247674], Insufficient Return Value Handling on ModSecurity leads to XSS and Source Code Disclosure
+ apache2-mod_security2-CVE-2025-54571.patch
-------------------------------------------------------------------
Thu Jul 3 11:13:07 UTC 2025 - pgajdos@suse.com

@@ -34,6 +34,8 @@ Patch1: modsecurity-fixes.patch
Patch2: apache2-mod_security2_tests_conf.patch
# https://github.com/SpiderLabs/ModSecurity/issues/2514
Patch3: modsecurity-2.9.3-input_filtering_errors.patch
# CVE-2025-54571 [bsc#1247674], Insufficient Return Value Handling on ModSecurity leads to XSS and Source Code Disclosure
Patch4: apache2-mod_security2-CVE-2025-54571.patch
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel
BuildRequires: apache2-prefork
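Review bot: `Patch4: apache2-mod_security2-CVE-2025-54571.patch` is declared, but this hunk shows no matching `%patch4` line in `%prep`. If the spec applies patches with `%autosetup -p1` or `%autopatch` that is fine; otherwise the security patch is declared and never applied, which the build would not catch. Please confirm, and consider adding the bug and CVE reference to the `%changelog` entry text the same way the `# CVE-2025-54571 [bsc#1247674]` comment does here.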

@@ -1,4 +0,0 @@
# This configuration file has been intentionally left empty to avoid errors
# resulting from an Include statement that matches no files.
# (IncludeOptional is available for apache > 2.4)
#
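Review bot: the file being deleted existed, per its own comment, so that an `Include` of a wildcard that matches no files does not make the server fail to start; removing it is only safe if the loader in /etc/apache2/conf.d/mod_security2.conf now uses `IncludeOptional` (available on apache 2.4, as the comment notes). Please confirm that directive is what the conf file uses, otherwise a fresh install with no rules in the include directory will not start.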

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839
size 4320766

modsecurity-v2.9.10.tar.gz (Stored with Git LFS)

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEECyuhkkBltEaRICoq0obgIhSfD24FAmg9vdIACgkQ0obgIhSf
D26E+A/9EyKVITZQ7/LvBOe+ekk1ZNh2szD4asjPMqSGMazRPlSYXbLn0UWLRoXW
R2HpLcp2wCM9wmyun6vQoN75B+hTvZU8FcIAqUrqDLFRHgd3NJA7g1Sdi87QfLPu
n/adQhWtROCFOQlzz7ByY2jrqj/OwgXydcfB3y/9WtjBCMOXNnZGYPQzPq4p0jxw
ZnVj4YQQ0PIJM4cOJ6JOc9Jfnh0D4E7b9Nx7QtRaiirwv3L+WruPxuMB3sLsAKun
7X/DUo7g4FFYHMC8ssxWIKJ58dAmOYCnZIXmaUl+V8zDadEKDu3sR2Gi1TzjCoAO
xnMhrLaz3vMsdlhgGEeBGb8Qh9htCpO4twXt0u+9GZqojTK3W1XRbbFCETtBgvsn
rn7AzaPwrRoQHl5JWB9Uyx0KrLJKyf2ASpOWP3ilC+FDl5Y/T8uyQ3C+d/ug3jyn
WocfC9b2Ot9D+Fgn9FsIbsksVmovEvqn4q8RSNHvyPhf2oCiCuKdcHI8BULcSw4/
MVcU4hBbkNjkTPD2AOwjx/6kTiZ+b8O+dki2UvvZLluRy7eTUe5ESYAL/VvMQjYC
xqCHr2wDC0MSKt5yGP24om5Kn4X8egJcx2BUiVIMQMnuHzBiFkzsq5o2u2AlKWeV
Gd3AVPbVjrKunGzC8i82QVmLCyL1jweiIHXcEr2ieeGzm4vRlEg=
=idKc
-----END PGP SIGNATURE-----

modsecurity-v2.9.8.tar.gz (Stored with Git LFS)

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
=oDiC
-----END PGP SIGNATURE-----