From 4263c406091fca01e95f698d0a2d85bbb188e8b37e5d345d7afd82a44c4dd00c Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Tue, 19 May 2009 00:53:20 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=3
---
apache2-mod_security2.changes | 43 +++++++++++++++++++++
apache2-mod_security2.spec | 68 ++++++++++++++++++++++++++++-----
modsecurity-apache_2.5.6.tar.gz | 3 --
modsecurity-apache_2.5.9.tar.gz | 3 ++
4 files changed, 104 insertions(+), 13 deletions(-)
delete mode 100644 modsecurity-apache_2.5.6.tar.gz
create mode 100644 modsecurity-apache_2.5.9.tar.gz
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index d356493..a321457 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,46 @@ +------------------------------------------------------------------- +Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de + +- update to version 2.5.9 + - Fixed parsing multipart content with a missing part header name + which would crash Apache. Discovered by "Internet Security + Auditors" (isecauditors.com). + - Added ability to specify the config script directly using + --with-apr and --with-apu. + - Added macro expansion for append/prepend action. + - Fixed race condition in concurrent updates of persistent + counters. Updates are now atomic. + - Cleaned up build, adding an option for verbose configure output + and making the mlogc build more portable. +- additional changes from 2.5.8 + - Fixed PDF XSS issue where a non-GET request for a PDF file + would crash the Apache httpd process. Discovered by Steve + Grubb at Red Hat. + - Removed an invalid "Internal error: Issuing "%s" for + unspecified error." message that was logged when denying with + nolog/noauditlog set and causing the request to be audited. +- additional changes from 2.5.7 + - Fixed XML DTD/Schema validation which will now fail after + request body processing errors, even if the XML parser returns + a document tree. + - Added ctl:forceRequestBodyVariable=on|off which, when enabled, + will force the REQUEST_BODY variable to be set when a request + body processor is not set. Previously the REQUEST_BODY target + was only populated by the URLENCODED request body processor. + - Integrated mlogc source. + - Fixed logging the hostname in the error_log which was logging + the request hostname instead of the Apache resolved hostname. + - Allow for disabling request body limit checks in phase:1. + - Added transformations for processing parity for legacy + protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, + t:parityZero7bit + - Added t:cssDecode transformation to decode CSS escapes. 
+ - Now log XML parsing/validation warnings and errors to be in the + debug log at levels 3 and 4, respectivly. +- build and package mlogc +- remove --with-apxs from the configure args as it breaks the build + configure now finds our apxs2 + ------------------------------------------------------------------- Fri Jan 23 16:56:55 CET 2009 - skh@suse.de diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index 56b9207..bdaf563 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -1,5 +1,5 @@ # -# spec file for package apache2-mod_security2 (Version 2.5.6) +# spec file for package apache2-mod_security2 (Version 2.5.9) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,14 +19,14 @@ Name: apache2-mod_security2 -Version: 2.5.6 -Release: 2 +Version: 2.5.9 +Release: 1 # License: GPL v2 only; GPLv2 with some FLOSS linking exceptions Group: Productivity/Networking/Web/Servers # BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: apache2-devel apache2-prefork c++_compiler libxml2-devel pcre-devel +BuildRequires: apache2-devel apache2-prefork c++_compiler curl-devel libxml2-devel pcre-devel %define apache apache2 %define modname mod_security2 %define tarballname modsecurity-apache_%{version} 
@@ -57,14 +57,18 @@ applications from known and unknown attacks. %build pushd %{apache} - ./configure --with-apxs=%{apxs} - CFLAGS="%{optflags}" make + ./configure + make + make -C mlogc-src/ popd %install pushd %{apache} - install -d -m 0755 %{buildroot}%{apache_libexecdir} - install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install -D -m 0755 mlogc-src/mlogc %{buildroot}%{_sbindir}/mlogc + install -D -m 0755 mlogc-src/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl + install -D -m 0640 mlogc-src/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf + cp mlogc-src/INSTALL mlogc-src/INSTALL.mlogc popd install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf 
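Review bot: The distribution's `%{optflags}` no longer reach the compiler in `%build`: the old recipe ran `CFLAGS="%{optflags}" make`, while the new one runs plain `./configure`, `make` and `make -C mlogc-src/`. Unless the flags are injected somewhere outside this hunk, both the Apache module and the newly packaged `mlogc` binary are built with upstream defaults and lose whatever optimisation and hardening options the distribution places in `%{optflags}`, which matters for code that parses untrusted request bodies. I would restore them with `CFLAGS="%{optflags}" ./configure` and, if the mlogc Makefile does not inherit them, `make -C mlogc-src/ CFLAGS="%{optflags}"`; whether that Makefile honours `CFLAGS` is not visible here and should be checked in the build log. As a smaller point, `cp mlogc-src/INSTALL mlogc-src/INSTALL.mlogc` only prepares a `%doc` file in the source tree and would sit more naturally in `%build` or `%prep` than in `%install`.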
@@ -76,10 +80,54 @@ install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname} %{apache_libexecdir}/%{modname}.so %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf %doc doc/html-multipage/ doc/*.pdf -%doc README.TXT CHANGES LICENSE MODSECURITY_LICENSING_EXCEPTION -%doc tools rules +%doc README.TXT CHANGES LICENSE MODSECURITY_LICENSING_EXCEPTION modsecurity.conf-minimal +%doc apache2/mlogc-src/INSTALL.mlogc apache2/mlogc-src/mlogc-default.conf +%doc tools/ rules/ apache2/api/ +%{_sbindir}/mlogc +%{_sbindir}/mlogc-batch-load.pl +%config(noreplace) %{_sysconfdir}/mlogc.conf %changelog +* Thu May 14 2009 mrueckert@suse.de +- update to version 2.5.9 + - Fixed parsing multipart content with a missing part header name + which would crash Apache. Discovered by "Internet Security + Auditors" (isecauditors.com). + - Added ability to specify the config script directly using + --with-apr and --with-apu. + - Added macro expansion for append/prepend action. + - Fixed race condition in concurrent updates of persistent + counters. Updates are now atomic. + - Cleaned up build, adding an option for verbose configure output + and making the mlogc build more portable. +- additional changes from 2.5.8 + - Fixed PDF XSS issue where a non-GET request for a PDF file + would crash the Apache httpd process. Discovered by Steve + Grubb at Red Hat. + - Removed an invalid "Internal error: Issuing "%%s" for + unspecified error." message that was logged when denying with + nolog/noauditlog set and causing the request to be audited. +- additional changes from 2.5.7 + - Fixed XML DTD/Schema validation which will now fail after + request body processing errors, even if the XML parser returns + a document tree. + - Added ctl:forceRequestBodyVariable=on|off which, when enabled, + will force the REQUEST_BODY variable to be set when a request + body processor is not set. Previously the REQUEST_BODY target + was only populated by the URLENCODED request body processor. 
+ - Integrated mlogc source. + - Fixed logging the hostname in the error_log which was logging + the request hostname instead of the Apache resolved hostname. + - Allow for disabling request body limit checks in phase:1. + - Added transformations for processing parity for legacy + protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, + t:parityZero7bit + - Added t:cssDecode transformation to decode CSS escapes. + - Now log XML parsing/validation warnings and errors to be in the + debug log at levels 3 and 4, respectivly. +- build and package mlogc +- remove --with-apxs from the configure args as it breaks the build + configure now finds our apxs2 * Fri Jan 23 2009 skh@suse.de - fix broken config [bnc#457200] * Mon Sep 15 2008 skh@suse.de diff --git a/modsecurity-apache_2.5.6.tar.gz b/modsecurity-apache_2.5.6.tar.gz deleted file mode 100644 index a4757e0..0000000 --- a/modsecurity-apache_2.5.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9f38176cdb69e610238e5aa5401b0fc72972fc72af5d9203ada98f962833bdca -size 1079094 diff --git a/modsecurity-apache_2.5.9.tar.gz b/modsecurity-apache_2.5.9.tar.gz new file mode 100644 index 0000000..7342e45 --- /dev/null +++ b/modsecurity-apache_2.5.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02352221ea268f8ae9aae5b84507f51eba2a67c0f7d2efd5cc88e85f1f394056 +size 1252295