OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=3

2009-05-19 00:53:20 +00:00 · 2009-05-19 00:53:20 +00:00 · 4263c40609
commit 4263c40609
parent 492d69c20d
4 changed files with 104 additions and 13 deletions
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de
+
+- update to version 2.5.9
+  - Fixed parsing multipart content with a missing part header name
+    which would crash Apache.  Discovered by "Internet Security
+    Auditors" (isecauditors.com).
+  - Added ability to specify the config script directly using
+    --with-apr and --with-apu.
+  - Added macro expansion for append/prepend action.
+  - Fixed race condition in concurrent updates of persistent
+    counters.  Updates are now atomic.
+  - Cleaned up build, adding an option for verbose configure output
+    and making the mlogc build more portable.
+- additional changes from 2.5.8
+  - Fixed PDF XSS issue where a non-GET request for a PDF file
+    would crash the Apache httpd process.  Discovered by Steve
+    Grubb at Red Hat.
+  - Removed an invalid "Internal error: Issuing "%s" for
+    unspecified error." message that was logged when denying with
+    nolog/noauditlog set and causing the request to be audited.
+- additional changes from 2.5.7
+  - Fixed XML DTD/Schema validation which will now fail after
+    request body processing errors, even if the XML parser returns
+    a document tree.
+  - Added ctl:forceRequestBodyVariable=on|off which, when enabled,
+    will force the REQUEST_BODY variable to be set when a request
+    body processor is not set.  Previously the REQUEST_BODY target
+    was only populated by the URLENCODED request body processor.
+  - Integrated mlogc source.
+  - Fixed logging the hostname in the error_log which was logging
+    the request hostname instead of the Apache resolved hostname.
+  - Allow for disabling request body limit checks in phase:1.
+  - Added transformations for processing parity for legacy
+    protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
+    t:parityZero7bit
+  - Added t:cssDecode transformation to decode CSS escapes.
+  - Now log XML parsing/validation warnings and errors to be in the
+    debug log at levels 3 and 4, respectivly.
+- build and package mlogc
+- remove --with-apxs from the configure args as it breaks the build
+  configure now finds our apxs2
+
 -------------------------------------------------------------------
 Fri Jan 23 16:56:55 CET 2009 - skh@suse.de

--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@ -1,5 +1,5 @@
 #
-# spec file for package apache2-mod_security2 (Version 2.5.6)
+# spec file for package apache2-mod_security2 (Version 2.5.9)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -19,14 +19,14 @@


 Name:           apache2-mod_security2
-Version:        2.5.6
-Release:        2
+Version:        2.5.9
+Release:        1
 #
 License:        GPL v2 only; GPLv2 with some FLOSS linking exceptions
 Group:          Productivity/Networking/Web/Servers
 #
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  apache2-devel apache2-prefork c++_compiler libxml2-devel pcre-devel
+BuildRequires:  apache2-devel apache2-prefork c++_compiler curl-devel libxml2-devel pcre-devel
 %define apache        apache2
 %define modname       mod_security2
 %define tarballname   modsecurity-apache_%{version}
@ -57,14 +57,18 @@ applications from known and unknown attacks.

 %build
 pushd %{apache}
-  ./configure --with-apxs=%{apxs}
-  CFLAGS="%{optflags}" make
+  ./configure
+  make
+  make -C mlogc-src/
 popd

 %install
 pushd %{apache}
-  install -d -m 0755 %{buildroot}%{apache_libexecdir}
-  install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
+  install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
+  install -D -m 0755 mlogc-src/mlogc               %{buildroot}%{_sbindir}/mlogc
+  install -D -m 0755 mlogc-src/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl
+  install -D -m 0640 mlogc-src/mlogc-default.conf  %{buildroot}%{_sysconfdir}/mlogc.conf
+  cp mlogc-src/INSTALL mlogc-src/INSTALL.mlogc
 popd
 install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf

@ -76,10 +80,54 @@ install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}
 %{apache_libexecdir}/%{modname}.so
 %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
 %doc doc/html-multipage/ doc/*.pdf
-%doc README.TXT CHANGES LICENSE MODSECURITY_LICENSING_EXCEPTION 
-%doc tools rules
+%doc README.TXT CHANGES LICENSE MODSECURITY_LICENSING_EXCEPTION modsecurity.conf-minimal
+%doc apache2/mlogc-src/INSTALL.mlogc apache2/mlogc-src/mlogc-default.conf
+%doc tools/ rules/ apache2/api/
+%{_sbindir}/mlogc
+%{_sbindir}/mlogc-batch-load.pl
+%config(noreplace) %{_sysconfdir}/mlogc.conf

 %changelog
+* Thu May 14 2009 mrueckert@suse.de
+- update to version 2.5.9
+  - Fixed parsing multipart content with a missing part header name
+  which would crash Apache.  Discovered by "Internet Security
+  Auditors" (isecauditors.com).
+  - Added ability to specify the config script directly using
+    --with-apr and --with-apu.
+  - Added macro expansion for append/prepend action.
+  - Fixed race condition in concurrent updates of persistent
+  counters.  Updates are now atomic.
+  - Cleaned up build, adding an option for verbose configure output
+  and making the mlogc build more portable.
+- additional changes from 2.5.8
+  - Fixed PDF XSS issue where a non-GET request for a PDF file
+  would crash the Apache httpd process.  Discovered by Steve
+  Grubb at Red Hat.
+  - Removed an invalid "Internal error: Issuing "%%s" for
+  unspecified error." message that was logged when denying with
+  nolog/noauditlog set and causing the request to be audited.
+- additional changes from 2.5.7
+  - Fixed XML DTD/Schema validation which will now fail after
+  request body processing errors, even if the XML parser returns
+  a document tree.
+  - Added ctl:forceRequestBodyVariable=on|off which, when enabled,
+  will force the REQUEST_BODY variable to be set when a request
+  body processor is not set.  Previously the REQUEST_BODY target
+  was only populated by the URLENCODED request body processor.
+  - Integrated mlogc source.
+  - Fixed logging the hostname in the error_log which was logging
+  the request hostname instead of the Apache resolved hostname.
+  - Allow for disabling request body limit checks in phase:1.
+  - Added transformations for processing parity for legacy
+  protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
+  t:parityZero7bit
+  - Added t:cssDecode transformation to decode CSS escapes.
+  - Now log XML parsing/validation warnings and errors to be in the
+  debug log at levels 3 and 4, respectivly.
+- build and package mlogc
+- remove --with-apxs from the configure args as it breaks the build
+  configure now finds our apxs2
 * Fri Jan 23 2009 skh@suse.de
 - fix broken config [bnc#457200]
 * Mon Sep 15 2008 skh@suse.de
--- a/modsecurity-apache_2.5.6.tar.gz
+++ b/modsecurity-apache_2.5.6.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9f38176cdb69e610238e5aa5401b0fc72972fc72af5d9203ada98f962833bdca
-size 1079094
--- a/modsecurity-apache_2.5.9.tar.gz
+++ b/modsecurity-apache_2.5.9.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02352221ea268f8ae9aae5b84507f51eba2a67c0f7d2efd5cc88e85f1f394056
+size 1252295