From fdf6dd2bf3f2c87fcd5146abb60a1f9cb31951b68968ae03e3af3426e1a2ac0e Mon Sep 17 00:00:00 2001 
From: Roman Drahtmueller Date: Wed, 6 Nov 2013 23:16:14 +0000 Subject: [PATCH 01/14] Accepting request 206042 from home:draht:branches:Apache:Modules - complete overhaul of this package, with update to 2.7.5. - ruleset update to 2.2.8-0-g0f07cbb. - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf , as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf - !!! Please note that mod_unique_id is needed for mod_security2 to run! - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous linker parameter, preventing rpath in shared object. - fixes contained for the following bugs: * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling * [bnc#768293] multi-part bypass, minor threat * CVE-2013-1915 [bnc#813190] XML external entity vulnerability * CVE-2012-4528 [bnc#789393] rule bypass * CVE-2013-2765 [bnc#822664] null pointer dereference crash - new from 2.5.9 to 2.7.5, only major changes: * GPLv2 replaced by Apache License v2 * rules are not part of the source tarball any longer, but maintaned upstream externally, and included in this package. * documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. * renamed the term "Encryption" in directives that actually refer to hashes. See CHANGES file for more details. * new directive SecXmlExternalEntity, default off * byte conversion issues on s390x when logging fixed. 
* many small issues fixed that were discovered by a Coverity scanner * updated reference manual OBS-URL: https://build.opensuse.org/request/show/206042 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=42 --- .gitattributes | 2 + ...ty-Frequently-Asked-Questions-FAQ.html.bz2 | 3 + README-SUSE-mod_security2.txt | 13 + Reference-Manual.html.bz2 | 3 + ...sp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz | 3 + apache2-mod_security2.changes | 45 +++ apache2-mod_security2.spec | 98 +++-- mod_security2.conf | 335 +++++++++++++++--- modsecurity-apache_2.6.7.tar.gz | 3 - modsecurity-apache_2.7.5-build_fix_pcre.diff | 199 +++++++++++ modsecurity-apache_2.7.5.tar.gz | 3 + modsecurity_diagram_apache_request_cycle.jpg | 3 + rules.tar.bz2 | 3 - 13 files changed, 627 insertions(+), 86 deletions(-) create mode 100644 ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 create mode 100644 README-SUSE-mod_security2.txt create mode 100644 Reference-Manual.html.bz2 create mode 100644 SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz delete mode 100644 modsecurity-apache_2.6.7.tar.gz create mode 100644 modsecurity-apache_2.7.5-build_fix_pcre.diff create mode 100644 modsecurity-apache_2.7.5.tar.gz create mode 100644 modsecurity_diagram_apache_request_cycle.jpg delete mode 100644 rules.tar.bz2 diff --git a/.gitattributes b/.gitattributes index 9b03811..73d0e79 100644 --- a/.gitattributes +++ b/.gitattributes @@ -21,3 +21,5 @@ *.xz filter=lfs diff=lfs merge=lfs -text *.zip filter=lfs diff=lfs merge=lfs -text *.zst filter=lfs diff=lfs merge=lfs -text +## Specific LFS patterns +modsecurity_diagram_apache_request_cycle.jpg filter=lfs diff=lfs merge=lfs -text diff --git a/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 new file mode 100644 index 0000000..6deb6f5 --- /dev/null +++ b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bab5e208e8c2aa4beeb799a4d05bceb3eb44846e75565b32b483fb5fb32023a7
+size 11838
diff --git a/README-SUSE-mod_security2.txt b/README-SUSE-mod_security2.txt
new file mode 100644
index 0000000..ed8e241
--- /dev/null
+++ b/README-SUSE-mod_security2.txt
@@ -0,0 +1,13 @@
+
+#
+# Dear Administrator,
+#
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Your starting point for the configuration of mod_security2 is
+# /etc/apache2/conf.d/mod_security2.conf .
+# Please see that file for comments on how to activate the module
+# and on how to assign rules.
+#
+
diff --git a/Reference-Manual.html.bz2 b/Reference-Manual.html.bz2
new file mode 100644
index 0000000..b86cb92
--- /dev/null
+++ b/Reference-Manual.html.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160af986e97bafad2cdbd58469115102068eff3b2f2f246f559adf7256d0dcf8
+size 60381
diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
new file mode 100644
index 0000000..d1af24d
--- /dev/null
+++ b/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:74053b91ff528ef1052da65ea56881c6849ef809074a84e01dbd8a70ec369e87
+size 279879
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index ea55bbd..b14f2e0 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de
+
+- complete overhaul of this package, with update to 2.7.5.
+- ruleset update to 2.2.8-0-g0f07cbb.
+- new configuration framework private to mod_security2:
+ /etc/apache2/conf.d/mod_security2.conf loads
+ /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
+ then /etc/apache2/mod_security2.d/*.conf , as set up based on
+ advice in /etc/apache2/conf.d/mod_security2.conf
+ Your configuration starting point is
+ /etc/apache2/conf.d/mod_security2.conf
+- !!! Please note that mod_unique_id is needed for mod_security2 to run!
+- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
+ linker parameter, preventing rpath in shared object.
+- fixes contained for the following bugs:
+ * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
+ * [bnc#768293] multi-part bypass, minor threat
+ * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
+ * CVE-2012-4528 [bnc#789393] rule bypass
+ * CVE-2013-2765 [bnc#822664] null pointer dereference crash
+- new from 2.5.9 to 2.7.5, only major changes:
+ * GPLv2 replaced by Apache License v2
+ * rules are not part of the source tarball any longer, but
+ maintaned upstream externally, and included in this package.
+ * documentation was externalized to a wiki. Package contains
+ the FAQ and the reference manual in html form.
+ * renamed the term "Encryption" in directives that actually refer
+ to hashes. See CHANGES file for more details.
+ * new directive SecXmlExternalEntity, default off
+ * byte conversion issues on s390x when logging fixed.
+ * many small issues fixed that were discovered by a Coverity scanner
+ * updated reference manual
+ * wrong time calculation when logging for some timezones fixed.
+ * replaced time-measuring mechanism with finer granularity for
+ measured request/answer phases. (Stopwatch remains for compat.)
+ * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. + * SDBM deadlock fix + * @rsub memory leak fix + * cookie separator code improvements + * build failure fixes + * compile time option --enable-htaccess-config (set) + ------------------------------------------------------------------- Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index bc21cf5..e03d75e 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_security2 # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,9 +17,9 @@ Name: apache2-mod_security2 -Version: 2.6.7 +Version: 2.7.5 Release: 0 -%define aversion 2.6.7 +%define aversion 2.7.5 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -32,7 +32,9 @@ BuildRequires: pcre-devel %define apache apache2 %define modname mod_security2 %define tarballname modsecurity-apache_%{aversion} -# +%define refman Reference-Manual.html +%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html +%define usrsharedir %{_prefix}/share/%{name} %{!?apxs: %global apxs /usr/sbin/apxs2} %{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)} 
@@ -47,11 +49,16 @@ Requires: apache2 # Url: http://www.modsecurity.org/ Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz -Source1: mod_security2.conf -Source2: rules.tar.bz2 +Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz +Source2: mod_security2.conf +Source3: %{refman}.bz2 +Source4: %{faq}.bz2 +Source5: modsecurity_diagram_apache_request_cycle.jpg +Source6: README-SUSE-mod_security2.txt # +Patch0: modsecurity-apache_2.7.5-build_fix_pcre.diff Summary: ModSecurity Open Source Web Application Firewall -License: Apache-2.0 and GPL-2.0 +License: Apache-2.0 Group: Productivity/Networking/Web/Servers %description 
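Review bot: `Source1` points at `https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//…`, a branch tarball whose content changes over time, while the file name pins 2.2.8-0-g0f07cbb; anyone re-fetching from that URL (a packager or a source-validation service) gets whatever master holds that day rather than the rule set this package claims to ship. The URL should reference the tag or commit that the file name names, so the packaged rules can be reproduced and compared against upstream. Nothing in this hunk records how either tarball was verified (the Git LFS pointers only fix the blob that was stored), so a short comment above `Source:` stating the signature or checksum check performed for the 2.7.5 and CRS downloads would help the next update. The doubled slash in `master//` also looks unintentional.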
@@ -61,44 +68,73 @@ as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. +The modsecurity team also offer a commercial version of their excellent +ruleset. Please have a look at http://www.modsecurity.org/ for more details. %prep %setup -n %{tarballname} -tar -xvjpf %{S:2} +#tar -xvjpf %{S:2} +%setup -D -T -a 1 -n %{tarballname} +mv -v SpiderLabs* rules +bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman} +bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq} +%patch0 +#%patch1 +#%patch2 %build -#pushd %{apache} - ./configure - make %{?_smp_mflags} -# make -C mlogc-src/ -#popd +%configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config +make %{?_smp_mflags} %install pushd %{apache} - install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install -d -m 0755 %{buildroot}%{apache_libexecdir} + install -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so popd - install -D -m 0755 mlogc/mlogc %{buildroot}%{_sbindir}/mlogc - install -D -m 0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl - install -D -m 0640 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf - cp mlogc/INSTALL mlogc/INSTALL.mlogc -install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf -mkdir examples -cp -a tools examples -rm -f examples/tools/M* -chmod 644 examples/tools/* +install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf +install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d +install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d +cp -a %{SOURCE6} doc +install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc +install -m 0644 %{SOURCE5} doc +install -d -m 0755 
%{buildroot}/%{usrsharedir} +install -d -m 0755 %{buildroot}/%{usrsharedir}/tools +install -d -m 0755 %{buildroot}/%{usrsharedir} +rm -f rules/.gitignore rules/LICENSE +cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt +cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools +find rules -type f -print0 | \ + xargs -0 chmod 644 +cp -a rules %{buildroot}/%{usrsharedir} +rm -rf %{buildroot}/%{usrsharedir}/rules/util +rm -rf %{buildroot}/%{usrsharedir}/rules/lua +rm -f %{buildroot}/%{usrsharedir}/rules/READM* +rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG +mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \ + %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf + +%clean +%{__rm} -rf %{buildroot}; +%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} %files %defattr(-, root, root, 0755) %{apache_libexecdir}/%{modname}.so %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf -%doc doc/Reference_Manual.html -%doc README.TXT CHANGES LICENSE modsecurity.conf-recommended -%doc mlogc/INSTALL.mlogc mlogc/mlogc-default.conf -%doc examples/ -%doc rules/ -%{_sbindir}/mlogc -%{_sbindir}/mlogc-batch-load.pl -%config(noreplace) %{_sysconfdir}/mlogc.conf +%dir %{apache_sysconfdir}/mod_security2.d +%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt +%dir %{usrsharedir} +#%dir %{usrsharedir}/tools +#%dir %{usrsharedir}/rules +%doc README.TXT CHANGES LICENSE NOTICE authors.txt +%{usrsharedir} +#%{usrsharedir}/rules/activated_rules +#%{usrsharedir}/rules/base_rules +#%{usrsharedir}/rules/experimental_rules +#%{usrsharedir}/rules/optional_rules +#%{usrsharedir}/rules/slr_rules +%doc doc/* +#rules/util/regression_tests %changelog diff --git a/mod_security2.conf b/mod_security2.conf index fee845f..7ac6126 100644 --- a/mod_security2.conf +++ b/mod_security2.conf 
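Review bot: The new `%configure` line turns on `--enable-htaccess-config` with no comment in the spec or in the shipped configuration about what it permits; as far as I recall from upstream's 2.7 CHANGES, it allows a subset of ModSecurity directives (rule definition, rule removal and rule update directives among them) in `.htaccess` files where `AllowOverride` permits it, so whoever can write a `.htaccess` in a content tree can weaken the rule set for that path. Please either drop the flag or document it next to the option, e.g. `# --enable-htaccess-config: rules can be changed from .htaccess; keep AllowOverride restrictive on content trees you do not fully control`. In `%prep`, the two `bzip2 -dc … > %{_sourcedir}/…` lines write into the source directory and rely on `%clean` to remove the files again; unpacking into the build directory would avoid modifying `%{_sourcedir}` during a build. `install -d -m 0755 %{buildroot}/%{usrsharedir}` also appears twice in `%install`.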
@@ -1,60 +1,297 @@ + +# Dear administrator/webmaster, +# +# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for +# the configuration of mod_security2. +# Please read this text down to line 63 for information about activation +# and configuration of the mod_security2 apache module. +# +# To activate mod_security2, its apache module must be configured to be +# loaded when apache starts. The mod_security2 apache module depends on +# the module mod_unique_id to be able to run. This means that both apache +# modules must be activated/loaded when apache starts. + +# Change the configuration to load these two modules by adding the two +# module names "security2" and "unique_id" to the variable APACHE_MODULES +# in /etc/sysconfig/apache2 . You can do that manually, or use the tools +# a2enmod (enable apache module) and a2dismod (disable apache module). +# These two tools expect the name of the module without the leading +# "mod_" as an argument! +# +# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache +# start script /etc/init.d/apache2 . Changes in APACHE_MODULES are then +# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start +# script. +# +# example for the use of a2enmod/a2dismod: +# +# a2enmod security2 # enable module security2 +# a2enmod unique_id # enable module unique_id +# +# a2dismod security2 # disable +# a2dismod unique_id # % + +# +# This file /etc/apache2/conf.d/mod_security2.conf makes some basic +# configuration settings, then loads +# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf +# which is the baseline for the rules that can be loaded later. +# +# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read. +# For the rules you wish to apply, place a symlink to the rules file there. 
+# +# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.7 +# is contained in this package, a splendid set of rules made to provide for a +# decent basic and even advanced protection. The rules files are contained +# in the directory /usr/share/apache2-mod_security2/rules/. +# +# Example (use all of the basic rules that come with the package): +# +# cd /etc/apache2/mod_security2.d +# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do +# ln -s $i . +# done +# +# At last, simply restart apache: +# rcapache2 restart +# +# In doubt, please consult the valuable online documentation on the project's +# website, which is the authoritative source for documentation. +# For offline reading, the webpages for the Reference Guide and the FAQ are +# located in the package's documentation directory, in the state of 2013/01: +# /usr/share/doc/packages/apache2-mod_security2 +# +# Roman Drahtmueller , SUSE, 20130118. +# + + + - # Basic configuration options - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess Off - # Handling of file uploads - # TODO Choose a folder private to Apache. - # SecUploadDir /opt/apache-frontend/tmp/ - SecUploadKeepFiles Off +# -- Rule engine initialization ---------------------------------------------- - # Debug log - SecDebugLog /var/log/apache2/modsec_debug.log - SecDebugLogLevel 0 +# Enable ModSecurity, attaching it to every transaction. Use detection +# only to start with, because that minimises the chances of post-installation +# disruption. 
+# +SecRuleEngine DetectionOnly - # Serial audit log - SecAuditEngine RelevantOnly - SecAuditLogRelevantStatus ^5 - SecAuditLogParts ABIFHZ - SecAuditLogType Serial - SecAuditLog /var/log/apache2/modsec_audit.log - # Maximum request body size we will - # accept for buffering - SecRequestBodyLimit 131072 +# -- Request body handling --------------------------------------------------- - # Store up to 128 KB in memory - SecRequestBodyInMemoryLimit 131072 +# Allow ModSecurity to access request bodies. If you don't, ModSecurity +# won't be able to see any POST parameters, which opens a large security +# hole for attackers to exploit. +# +SecRequestBodyAccess On - # Buffer response bodies of up to - # 512 KB in length - SecResponseBodyLimit 524288 - # Verify that we've correctly processed the request body. - # As a rule of thumb, when failing to process a request body - # you should reject the request (when deployed in blocking mode) - # or log a high-severity alert (when deployed in detection-only mode). - SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2" +# Enable XML request body parser. +# Initiate XML Processor in case of xml content-type +# +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" - # By default be strict with what we accept in the multipart/form-data - # request body. If the rule below proves to be too strict for your - # environment consider changing it to detection-only. You are encouraged - # _not_ to remove it altogether. 
- SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart request body \ - failed strict validation: \ - PE %{REQBODY_PROCESSOR_ERROR}, \ - BQ %{MULTIPART_BOUNDARY_QUOTED}, \ - BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ - DB %{MULTIPART_DATA_BEFORE}, \ - DA %{MULTIPART_DATA_AFTER}, \ - HF %{MULTIPART_HEADER_FOLDING}, \ - LF %{MULTIPART_LF_LINE}, \ - SM %{MULTIPART_SEMICOLON_MISSING}'" - # Did we see anything that might be a boundary? - SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" +# -- XML external entity loading by libxml2. +# Defaults to off. +SecXmlExternalEntity Off + +# Maximum request body size we will accept for buffering. If you support +# file uploads then the value given on the first line has to be as large +# as the largest file you are willing to accept. The second value refers +# to the size of data, with files excluded. You want to keep that value as +# low as practical. +# +SecRequestBodyLimit 13107200 +SecRequestBodyNoFilesLimit 131072 + +# Store up to 128 KB of request body data in memory. When the multipart +# parser reachers this limit, it will start using your hard disk for +# storage. That is slow, but unavoidable. +# +SecRequestBodyInMemoryLimit 131072 + +# What do do if the request body size is above our configured limit. +# Keep in mind that this setting will automatically be set to ProcessPartial +# when SecRuleEngine is set to DetectionOnly mode in order to minimize +# disruptions when initially deploying ModSecurity. +# +SecRequestBodyLimitAction Reject + +# Verify that we've correctly processed the request body. +# As a rule of thumb, when failing to process a request body +# you should reject the request (when deployed in blocking mode) +# or log a high-severity alert (when deployed in detection-only mode). 
+# +SecRule REQBODY_ERROR "!@eq 0" \ +"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + +# By default be strict with what we accept in the multipart/form-data +# request body. If the rule below proves to be too strict for your +# environment consider changing it to detection-only. You are encouraged +# _not_ to remove it altogether. +# +SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ +"id:'200002',phase:2,t:none,log,deny,status:44, \ +msg:'Multipart request body failed strict validation: \ +PE %{REQBODY_PROCESSOR_ERROR}, \ +BQ %{MULTIPART_BOUNDARY_QUOTED}, \ +BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ +DB %{MULTIPART_DATA_BEFORE}, \ +DA %{MULTIPART_DATA_AFTER}, \ +HF %{MULTIPART_HEADER_FOLDING}, \ +LF %{MULTIPART_LF_LINE}, \ +SM %{MULTIPART_MISSING_SEMICOLON}, \ +IQ %{MULTIPART_INVALID_QUOTING}, \ +IP %{MULTIPART_INVALID_PART}, \ +IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ +FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + +# Did we see anything that might be a boundary? +# +SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ +"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + +# PCRE Tuning +# We want to avoid a potential RegEx DoS condition +# +SecPcreMatchLimit 1000 +SecPcreMatchLimitRecursion 1000 + +# Some internal errors will set flags in TX and we will need to look for these. +# All of these are prefixed with "MSC_". The following flags currently exist: +# +# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. +# +SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + +# -- Response body handling -------------------------------------------------- + +# Allow ModSecurity to access response bodies. +# You should have this directive enabled in order to identify errors +# and data leakage issues. 
+# +# Do keep in mind that enabling this directive does increases both +# memory consumption and response latency. +# +SecResponseBodyAccess On + +# Which response MIME types do you want to inspect? You should adjust the +# configuration below to catch documents but avoid static files +# (e.g., images and archives). +# +SecResponseBodyMimeType text/plain text/html text/xml + +# Buffer response bodies of up to 512 KB in length. +SecResponseBodyLimit 524288 + +# What happens when we encounter a response body larger than the configured +# limit? By default, we process what we have and let the rest through. +# That's somewhat less secure, but does not break any legitimate pages. +# +SecResponseBodyLimitAction ProcessPartial + + +# -- Filesystem configuration ------------------------------------------------ + +# The location where ModSecurity stores temporary files (for example, when +# it needs to handle a file upload that is larger than the configured limit). +# +# This default setting is chosen due to all systems have /tmp available however, +# this is less than ideal. It is recommended that you specify a location that's private. +# +SecTmpDir /tmp/ + +# The location where ModSecurity will keep its persistent data. This default setting +# is chosen due to all systems have /tmp available however, it +# too should be updated to a place that other users can't access. +# +SecDataDir /tmp/ + + +# -- File uploads handling configuration ------------------------------------- + +# The location where ModSecurity stores intercepted uploaded files. This +# location must be private to ModSecurity. You don't want other users on +# the server to access the files, do you? +# +#SecUploadDir /opt/modsecurity/var/upload/ + +# By default, only keep the files that were determined to be unusual +# in some way (by an external inspection script). For this to work you +# will also need at least one file inspection rule. 
+# +#SecUploadKeepFiles RelevantOnly + +# Uploaded files are by default created with permissions that do not allow +# any other user to access them. You may need to relax that if you want to +# interface ModSecurity to an external program (e.g., an anti-virus). +# +#SecUploadFileMode 0600 + + +# -- Debug log configuration ------------------------------------------------- + +# The default debug log configuration is to duplicate the error, warning +# and notice messages from the error log. +# +#SecDebugLog /var/log/apache2/modsec_debug.log +#SecDebugLogLevel 3 + +# -- Audit log configuration ------------------------------------------------- + +# Log the transactions that are marked by a rule, as well as those that +# trigger a server error (determined by a 5xx or 4xx, excluding 404, +# level response status codes). +# +SecAuditEngine RelevantOnly +SecAuditLogRelevantStatus "^(?:5|4(?!04))" + +# Log everything we know about a transaction. +SecAuditLogParts ABIJDEFHZ + +# Use a single file for logging. This is much easier to look at, but +# assumes that you will use the audit log only ocassionally. +# +SecAuditLogType Serial +SecAuditLog /var/log/apache2/modsec_audit.log + +# Specify the path for concurrent audit logging. +#SecAuditLogStorageDir /opt/modsecurity/var/audit/ + + +# -- Miscellaneous ----------------------------------------------------------- + +# Use the most commonly used application/x-www-form-urlencoded parameter +# separator. There's probably only one application somewhere that uses +# something else so don't expect to change this value. +# +SecArgumentSeparator & + +# Settle on version 0 (zero) cookies, as that is what most applications +# use. Using an incorrect cookie version may open your installation to +# evasion attacks (against the rules that examine named cookies). +# +SecCookieFormat 0 + +# Specify your Unicode Code Point. +# This mapping is used by the t:urlDecodeUni transformation function +# to properly map encoded data to your language. 
Properly setting +# these directives helps to reduce false positives and negatives. +# +#SecUnicodeCodePage 20127 +#SecUnicodeMapFile unicode.mapping + + + + + + +Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf +# as set up with symlinks for files that are placed here: +Include /etc/apache2/mod_security2.d/*.conf + diff --git a/modsecurity-apache_2.6.7.tar.gz b/modsecurity-apache_2.6.7.tar.gz deleted file mode 100644 index cd8df78..0000000 --- a/modsecurity-apache_2.6.7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3fa05e2be9e8a6e99747defe0df35ace99ba44683afef5205819db9706c03f29 -size 785852 diff --git a/modsecurity-apache_2.7.5-build_fix_pcre.diff b/modsecurity-apache_2.7.5-build_fix_pcre.diff new file mode 100644 index 0000000..5df5ef1 --- /dev/null +++ b/modsecurity-apache_2.7.5-build_fix_pcre.diff 
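Review bot: `SecTmpDir /tmp/` and `SecDataDir /tmp/` place request spool files and the persistent collection store in a world-writable directory, which the surrounding comments themselves call less than ideal; other local accounts share that directory and can create or interfere with files there. Since the spec already creates package-owned directories, it would be safer to ship a directory owned by the Apache run-time user with mode 0700 and point both directives at it, e.g. `SecDataDir <PRIVATE_DIR>/data/` (placeholder path, to be chosen by the packager). Separately, rules 200002 and 200003 use `status:44`, which is not a valid HTTP status code; rule 200001 uses `status:400`, and the other two should presumably read `deny,status:400` as well. The header comment also names Core Rule Set version 2.2.7 while this commit packages 2.2.8.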
@@ -0,0 +1,199 @@ +diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.am ./apache2/Makefile.am +--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.am 2013-07-28 05:58:49.000000000 +0200 ++++ ./apache2/Makefile.am 2013-08-01 15:08:21.000000000 +0200 +@@ -17,61 +17,61 @@ + mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ + @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@ + mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@ + mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@ + + if AIX + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if HPUX + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if MACOSX + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if SOLARIS + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if LINUX +-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ ++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if FREEBSD + mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if OPENBSD + mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if NETBSD + mod_security2_la_LDFLAGS = -no-undefined -module 
-avoid-version \ + @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + endif + + if LINUX + install-exec-hook: $(pkglib_LTLIBRARIES) + @echo "Removing unused static libraries..."; \ + for m in $(pkglib_LTLIBRARIES); do \ + base=`echo $$m | sed 's/\..*//'`; \ + rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \ + install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \ + done +diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.in ./apache2/Makefile.in +--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.in 2013-07-28 05:59:01.000000000 +0200 ++++ ./apache2/Makefile.in 2013-08-01 15:08:56.000000000 +0200 +@@ -303,61 +303,61 @@ + #include_HEADERS = re.h modsecurity.h msc_logging.h msc_multipart.h \ + # msc_parsers.h msc_pcre.h msc_util.h msc_xml.h \ + # persist_dbm.h apache2.h msc_geo.h acmp.h utf8tables.h \ + # msc_lua.h msc_release.h + mod_security2_la_SOURCES = mod_security2.c \ + apache2_config.c apache2_io.c apache2_util.c \ + re.c re_operators.c re_actions.c re_tfns.c \ + re_variables.c msc_logging.c msc_xml.c \ + msc_multipart.c modsecurity.c msc_parsers.c \ + msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \ + msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c \ + libinjection/libinjection_sqli.c + + mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ + @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@ + + mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@ + mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@ + @AIX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ + @AIX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @AIX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + @FREEBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @FREEBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + 
@FREEBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + @HPUX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ + @HPUX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @HPUX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + +-@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ ++@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @LINUX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @LINUX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + @MACOSX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ + @MACOSX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @MACOSX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + @NETBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @NETBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @NETBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + @OPENBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @OPENBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @OPENBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + @SOLARIS_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ + @SOLARIS_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ + @SOLARIS_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ + + all: modsecurity_config_auto.h + $(MAKE) $(AM_MAKEFLAGS) all-am + + .SUFFIXES: + .SUFFIXES: .c .lo .o .obj + $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ +diff -rNU 30 ../modsecurity-apache_2.7.5-o/configure ./configure +--- ../modsecurity-apache_2.7.5-o/configure 2013-07-28 05:59:03.000000000 +0200 ++++ ./configure 2013-08-01 15:02:59.000000000 +0200 +@@ -13103,61 +13103,62 @@ + if test -e "${x}/bin/${PCRE_CONFIG}"; 
then + pcre_path="${x}/bin" + break + elif test -e "${x}/${PCRE_CONFIG}"; then + pcre_path="${x}" + break + else + pcre_path="" + fi + done + if test -n "$pcre_path"; then + break + fi + done + + if test -n "${pcre_path}"; then + if test "${pcre_path}" != "no"; then + PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}" + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${PCRE_CONFIG}" >&5 + $as_echo "${PCRE_CONFIG}" >&6; } + PCRE_VERSION="`${PCRE_CONFIG} --version`" + if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre VERSION: $PCRE_VERSION" >&5 + $as_echo "$as_me: pcre VERSION: $PCRE_VERSION" >&6;}; fi + PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`" + if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre CFLAGS: $PCRE_CFLAGS" >&5 + $as_echo "$as_me: pcre CFLAGS: $PCRE_CFLAGS" >&6;}; fi + PCRE_LDADD="`${PCRE_CONFIG} --libs`" + if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5 + $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi +- PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" ++# PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" ++ PCRE_LD_PATH="" + if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5 + $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi + + + + + + + + + + if test -z "${PCRE_VERSION}"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: *** pcre library not found." >&5 + $as_echo "$as_me: *** pcre library not found." 
>&6;} + as_fn_error "pcre library is required" "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: using pcre v${PCRE_VERSION}" >&5 + $as_echo "$as_me: using pcre v${PCRE_VERSION}" >&6;} + + fi + + if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then + + + # Check whether --with-apr was given. + if test "${with_apr+set}" = set; then : diff --git a/modsecurity-apache_2.7.5.tar.gz b/modsecurity-apache_2.7.5.tar.gz new file mode 100644 index 0000000..6f8078c --- /dev/null +++ b/modsecurity-apache_2.7.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e907536278d8da80d3dbb29aeffe9c4ec37ce9b641035b2da64e993135647a2 +size 1045387 diff --git a/modsecurity_diagram_apache_request_cycle.jpg b/modsecurity_diagram_apache_request_cycle.jpg new file mode 100644 index 0000000..b31317a --- /dev/null +++ b/modsecurity_diagram_apache_request_cycle.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4366e727c511bccbf56ec646dd0961c65c8054fdc235ab26e06e3faf08052f6d +size 46799 diff --git a/rules.tar.bz2 b/rules.tar.bz2 deleted file mode 100644 index dcd63ce..0000000 --- a/rules.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5b025dd7e2fc74aebf4bbf671ef238325737cc8a5da9e1eda6c9f739d5d2226b -size 33001 From 43623123c605df584f5a01bd18d8f61cceb613cbe72abf7c760811ec2e5eeffe Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Thu, 23 Jan 2014 13:15:05 +0000 Subject: [PATCH 02/14] Accepting request 214773 from home:aeneas_jaissle:branches:Apache:Modules Use correct source Url OBS-URL: https://build.opensuse.org/request/show/214773 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=43 --- apache2-mod_security2.changes | 5 +++++ apache2-mod_security2.spec | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes index b14f2e0..c750e47 100644 
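Review bot: The rpath fix is applied by hand to the generated `apache2/Makefile.in` and `configure` as well as to `apache2/Makefile.am`, and whatever macro source emits the `PCRE_LD_PATH=` assignment is not part of this patch, so the `configure` half of the change would presumably not survive a regeneration of the autotools output. Dropping `-R @PCRE_LD_PATH@` from the LINUX `mod_security2_la_LDFLAGS` is what keeps a build-host library path out of the module. The `configure` edit could then be the single line `PCRE_LD_PATH=""` instead of also leaving the old assignment behind as a comment. With `-U 30` context the file is 199 lines for three changed lines and will stop applying after small upstream edits nearby; the 2.7.7 rewrite later in this series shrinks the context but keeps the commented-out assignment. It would also help to assert the outcome during the package build, for example by checking that `readelf -d` on the installed `mod_security2.so` lists no RPATH or RUNPATH entry.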
--- a/apache2-mod_security2.changes +++ b/apache2-mod_security2.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de + +- Use correct source Url + ------------------------------------------------------------------- Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index e03d75e..aaafdab 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -48,7 +48,7 @@ Requires: %{apache_mmn} Requires: apache2 # Url: http://www.modsecurity.org/ -Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz +Source: https://www.modsecurity.org/tarball/%{version}/%{tarballname}.tar.gz Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz Source2: mod_security2.conf Source3: %{refman}.bz2 From 70581c9f39cfd9fedfe7e7c5032df057b852ed41eb273a32a8aa8607329cd7ce Mon Sep 17 00:00:00 2001 
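Review bot: In the `apache2-mod_security2.spec` hunk, `Source:` now uses https, but the `Source1:` line directly below it still points at `tarball/master//`, a moving branch, so that URL does not identify the `2.2.8-0-g0f07cbb` snapshot that is actually packaged and cannot be used to re-fetch and compare it. None of the `Source` entries visible in this spec is a checksum or signature file, so the transport change is the only integrity protection on the download; if upstream publishes one for the release tarball, adding it as a further `Source` would let reviewers and tooling verify the archive. The new URL also takes its directory from `%{version}` and its file name from `%{aversion}` by way of `%{tarballname}`; using one macro for both, as in `.../tarball/%{aversion}/%{tarballname}.tar.gz`, keeps the two from drifting apart. The `Url:` tag is still plain http.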
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 19 Mar 2014 10:06:20 +0000 Subject: [PATCH 03/14] Accepting request 215135 from home:thomas-worm-sicsec:dev:mod_security - Raised to version 2.7.7. - modified patches: * modsecurity-apache_2.7.5-build_fix_pcre.diff, renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff. OBS-URL: https://build.opensuse.org/request/show/215135 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=44 --- apache2-mod_security2.changes | 8 + apache2-mod_security2.spec | 13 +- modsecurity-apache_2.7.5-build_fix_pcre.diff | 199 ------------------- modsecurity-apache_2.7.5.tar.gz | 3 - modsecurity-apache_2.7.7-build_fix_pcre.diff | 37 ++++ modsecurity-apache_2.7.7.tar.gz | 3 + 6 files changed, 54 insertions(+), 209 deletions(-) delete mode 100644 modsecurity-apache_2.7.5-build_fix_pcre.diff delete mode 100644 modsecurity-apache_2.7.5.tar.gz create mode 100644 modsecurity-apache_2.7.7-build_fix_pcre.diff create mode 100644 modsecurity-apache_2.7.7.tar.gz diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes index c750e47..eb2d09f 100644 --- a/apache2-mod_security2.changes +++ b/apache2-mod_security2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de + + - Raised to version 2.7.7. + - modified patches: + * modsecurity-apache_2.7.5-build_fix_pcre.diff, + renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff. + ------------------------------------------------------------------- Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index aaafdab..0341eb4 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec 
@@ -1,7 +1,7 @@ # # spec file for package apache2-mod_security2 # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,9 +17,9 @@ Name: apache2-mod_security2 -Version: 2.7.5 +Version: 2.7.7 Release: 0 -%define aversion 2.7.5 +%define aversion 2.7.7 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -56,7 +56,8 @@ Source4: %{faq}.bz2 Source5: modsecurity_diagram_apache_request_cycle.jpg Source6: README-SUSE-mod_security2.txt # -Patch0: modsecurity-apache_2.7.5-build_fix_pcre.diff +# PATCH-FIX-OPENSUSE modsecurity-apache_2.7.7-build_fix_pcre.diff +Patch0: modsecurity-apache_2.7.7-build_fix_pcre.diff Summary: ModSecurity Open Source Web Application Firewall License: Apache-2.0 Group: Productivity/Networking/Web/Servers @@ -79,9 +80,7 @@ ruleset. Please have a look at http://www.modsecurity.org/ for more details. mv -v SpiderLabs* rules bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman} bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq} -%patch0 -#%patch1 -#%patch2 +%patch0 -p1 %build %configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config diff --git a/modsecurity-apache_2.7.5-build_fix_pcre.diff b/modsecurity-apache_2.7.5-build_fix_pcre.diff deleted file mode 100644 index 5df5ef1..0000000 --- a/modsecurity-apache_2.7.5-build_fix_pcre.diff +++ /dev/null 
@@ -1,199 +0,0 @@ -diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.am ./apache2/Makefile.am ---- ../modsecurity-apache_2.7.5-o/apache2/Makefile.am 2013-07-28 05:58:49.000000000 +0200 -+++ ./apache2/Makefile.am 2013-08-01 15:08:21.000000000 +0200 -@@ -17,61 +17,61 @@ - mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ - @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@ - mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@ - mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@ - - if AIX - mod_security2_la_LDFLAGS = -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if HPUX - mod_security2_la_LDFLAGS = -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if MACOSX - mod_security2_la_LDFLAGS = -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if SOLARIS - mod_security2_la_LDFLAGS = -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if LINUX --mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ -+mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if FREEBSD - mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if OPENBSD - mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if NETBSD - mod_security2_la_LDFLAGS = -no-undefined -module 
-avoid-version \ - @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - endif - - if LINUX - install-exec-hook: $(pkglib_LTLIBRARIES) - @echo "Removing unused static libraries..."; \ - for m in $(pkglib_LTLIBRARIES); do \ - base=`echo $$m | sed 's/\..*//'`; \ - rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \ - install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \ - done -diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.in ./apache2/Makefile.in ---- ../modsecurity-apache_2.7.5-o/apache2/Makefile.in 2013-07-28 05:59:01.000000000 +0200 -+++ ./apache2/Makefile.in 2013-08-01 15:08:56.000000000 +0200 -@@ -303,61 +303,61 @@ - #include_HEADERS = re.h modsecurity.h msc_logging.h msc_multipart.h \ - # msc_parsers.h msc_pcre.h msc_util.h msc_xml.h \ - # persist_dbm.h apache2.h msc_geo.h acmp.h utf8tables.h \ - # msc_lua.h msc_release.h - mod_security2_la_SOURCES = mod_security2.c \ - apache2_config.c apache2_io.c apache2_util.c \ - re.c re_operators.c re_actions.c re_tfns.c \ - re_variables.c msc_logging.c msc_xml.c \ - msc_multipart.c modsecurity.c msc_parsers.c \ - msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \ - msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c \ - libinjection/libinjection_sqli.c - - mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ - @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@ - - mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@ - mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@ - @AIX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ - @AIX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @AIX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - @FREEBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @FREEBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - 
@FREEBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - @HPUX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ - @HPUX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @HPUX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - --@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ -+@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @LINUX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @LINUX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - @MACOSX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ - @MACOSX_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @MACOSX_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - @NETBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @NETBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @NETBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - @OPENBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @OPENBSD_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @OPENBSD_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - @SOLARIS_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \ - @SOLARIS_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ - @SOLARIS_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ - - all: modsecurity_config_auto.h - $(MAKE) $(AM_MAKEFLAGS) all-am - - .SUFFIXES: - .SUFFIXES: .c .lo .o .obj - $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ -diff -rNU 30 ../modsecurity-apache_2.7.5-o/configure ./configure ---- ../modsecurity-apache_2.7.5-o/configure 2013-07-28 05:59:03.000000000 +0200 -+++ ./configure 2013-08-01 15:02:59.000000000 +0200 -@@ -13103,61 +13103,62 @@ - if test -e "${x}/bin/${PCRE_CONFIG}"; 
then - pcre_path="${x}/bin" - break - elif test -e "${x}/${PCRE_CONFIG}"; then - pcre_path="${x}" - break - else - pcre_path="" - fi - done - if test -n "$pcre_path"; then - break - fi - done - - if test -n "${pcre_path}"; then - if test "${pcre_path}" != "no"; then - PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}" - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${PCRE_CONFIG}" >&5 - $as_echo "${PCRE_CONFIG}" >&6; } - PCRE_VERSION="`${PCRE_CONFIG} --version`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre VERSION: $PCRE_VERSION" >&5 - $as_echo "$as_me: pcre VERSION: $PCRE_VERSION" >&6;}; fi - PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre CFLAGS: $PCRE_CFLAGS" >&5 - $as_echo "$as_me: pcre CFLAGS: $PCRE_CFLAGS" >&6;}; fi - PCRE_LDADD="`${PCRE_CONFIG} --libs`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5 - $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi -- PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" -+# PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" -+ PCRE_LD_PATH="" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5 - $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 - $as_echo "no" >&6; } - fi - - - - - - - - - - if test -z "${PCRE_VERSION}"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: *** pcre library not found." >&5 - $as_echo "$as_me: *** pcre library not found." 
>&6;} - as_fn_error "pcre library is required" "$LINENO" 5 - else - { $as_echo "$as_me:${as_lineno-$LINENO}: using pcre v${PCRE_VERSION}" >&5 - $as_echo "$as_me: using pcre v${PCRE_VERSION}" >&6;} - - fi - - if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then - - - # Check whether --with-apr was given. - if test "${with_apr+set}" = set; then : diff --git a/modsecurity-apache_2.7.5.tar.gz b/modsecurity-apache_2.7.5.tar.gz deleted file mode 100644 index 6f8078c..0000000 --- a/modsecurity-apache_2.7.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9e907536278d8da80d3dbb29aeffe9c4ec37ce9b641035b2da64e993135647a2 -size 1045387 diff --git a/modsecurity-apache_2.7.7-build_fix_pcre.diff b/modsecurity-apache_2.7.7-build_fix_pcre.diff new file mode 100644 index 0000000..c9aecc9 --- /dev/null +++ b/modsecurity-apache_2.7.7-build_fix_pcre.diff 
@@ -0,0 +1,37 @@ +diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.am modsecurity-apache_2.7.7/apache2/Makefile.am +--- modsecurity-apache_2.7.7.orig/apache2/Makefile.am 2013-12-17 00:55:17.000000000 +0100 ++++ modsecurity-apache_2.7.7/apache2/Makefile.am 2014-01-25 18:28:47.542133608 +0100 +@@ -90,7 +90,7 @@ mod_security2_la_LDFLAGS = -module -avoi + endif + + if LINUX +-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ ++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ +diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.in modsecurity-apache_2.7.7/apache2/Makefile.in +--- modsecurity-apache_2.7.7.orig/apache2/Makefile.in 2013-12-18 12:50:41.000000000 +0100 ++++ modsecurity-apache_2.7.7/apache2/Makefile.in 2014-01-25 18:28:59.621134193 +0100 +@@ -476,7 +476,7 @@ mod_security2_la_LIBADD = @APR_LDADD@ \ + @HPUX_TRUE@ @LUA_LDFLAGS@ \ + @HPUX_TRUE@ @PCRE_LDFLAGS@ + +-@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ ++@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @LINUX_TRUE@ @APR_LDFLAGS@ \ + @LINUX_TRUE@ @APU_LDFLAGS@ \ + @LINUX_TRUE@ @APXS_LDFLAGS@ \ +diff -rupN modsecurity-apache_2.7.7.orig/configure modsecurity-apache_2.7.7/configure +--- modsecurity-apache_2.7.7.orig/configure 2013-12-18 12:50:42.000000000 +0100 ++++ modsecurity-apache_2.7.7/configure 2014-01-25 18:32:31.913144475 +0100 +@@ -14225,7 +14225,8 @@ $as_echo "$as_me: pcre CFLAGS: $PCRE_CFL + PCRE_LDADD="`${PCRE_CONFIG} --libs`" + if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5 + $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi +- PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" ++ #PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" ++ PCRE_LD_PATH="" + if test "$verbose_output" 
-eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5 + $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi + else diff --git a/modsecurity-apache_2.7.7.tar.gz b/modsecurity-apache_2.7.7.tar.gz new file mode 100644 index 0000000..2a865fa --- /dev/null +++ b/modsecurity-apache_2.7.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b +size 1003835 From 2052f24a659aab47bdb922d4fd87e6500b33ac5546ed28987a9411c44f777011 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Thu, 1 May 2014 19:12:22 +0000 Subject: [PATCH 04/14] Accepting request 232296 from home:thomas-worm-sicsec:dev:mod_security - Raised to version 2.8.0. - updated patches: * modsecurity-apache_2.8.0-build_fix_pcre.diff -> modsecurity-apache_2.7.7-build_fix_pcre.diff OBS-URL: https://build.opensuse.org/request/show/232296 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=45 --- apache2-mod_security2.changes | 8 ++++++++ apache2-mod_security2.spec | 10 +++++----- modsecurity-2.8.0.tar.gz | 3 +++ modsecurity-apache_2.7.7.tar.gz | 3 --- ...iff => modsecurity-apache_2.8.0-build_fix_pcre.diff | 10 +++++----- 5 files changed, 21 insertions(+), 13 deletions(-) create mode 100644 modsecurity-2.8.0.tar.gz delete mode 100644 modsecurity-apache_2.7.7.tar.gz rename modsecurity-apache_2.7.7-build_fix_pcre.diff => modsecurity-apache_2.8.0-build_fix_pcre.diff (88%) diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes index eb2d09f..409610b 100644 --- a/apache2-mod_security2.changes +++ b/apache2-mod_security2.changes 
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu May 1 05:06:15 UTC 2014 - thomas.worm@sicsec.de + +- Raised to version 2.8.0. +- updated patches: + * modsecurity-apache_2.8.0-build_fix_pcre.diff + -> modsecurity-apache_2.7.7-build_fix_pcre.diff + ------------------------------------------------------------------- Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index 0341eb4..e96ceb7 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -17,9 +17,9 @@ Name: apache2-mod_security2 -Version: 2.7.7 +Version: 2.8.0 Release: 0 -%define aversion 2.7.7 +%define aversion 2.8.0 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -31,7 +31,7 @@ BuildRequires: libxml2-devel BuildRequires: pcre-devel %define apache apache2 %define modname mod_security2 -%define tarballname modsecurity-apache_%{aversion} +%define tarballname modsecurity-%{aversion} %define refman Reference-Manual.html %define faq ModSecurity-Frequently-Asked-Questions-FAQ.html %define usrsharedir %{_prefix}/share/%{name} @@ -56,8 +56,8 @@ Source4: %{faq}.bz2 Source5: modsecurity_diagram_apache_request_cycle.jpg Source6: README-SUSE-mod_security2.txt # -# PATCH-FIX-OPENSUSE modsecurity-apache_2.7.7-build_fix_pcre.diff -Patch0: modsecurity-apache_2.7.7-build_fix_pcre.diff +# PATCH-FIX-OPENSUSE modsecurity-apache_2.8.0-build_fix_pcre.diff +Patch0: modsecurity-apache_2.8.0-build_fix_pcre.diff Summary: ModSecurity Open Source Web Application Firewall License: Apache-2.0 Group: Productivity/Networking/Web/Servers diff --git a/modsecurity-2.8.0.tar.gz b/modsecurity-2.8.0.tar.gz new file mode 100644 index 0000000..7f20c32 --- /dev/null +++ b/modsecurity-2.8.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5cbbc7fc993d39106b653213753d25c4ec21771eee17b01b69122ccf3f73460e +size 3940357 
diff --git a/modsecurity-apache_2.7.7.tar.gz b/modsecurity-apache_2.7.7.tar.gz deleted file mode 100644 index 2a865fa..0000000 --- a/modsecurity-apache_2.7.7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b -size 1003835 diff --git a/modsecurity-apache_2.7.7-build_fix_pcre.diff b/modsecurity-apache_2.8.0-build_fix_pcre.diff similarity index 88% rename from modsecurity-apache_2.7.7-build_fix_pcre.diff rename to modsecurity-apache_2.8.0-build_fix_pcre.diff index c9aecc9..76441da 100644 --- a/modsecurity-apache_2.7.7-build_fix_pcre.diff +++ b/modsecurity-apache_2.8.0-build_fix_pcre.diff @@ -1,7 +1,7 @@ diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.am modsecurity-apache_2.7.7/apache2/Makefile.am --- modsecurity-apache_2.7.7.orig/apache2/Makefile.am 2013-12-17 00:55:17.000000000 +0100 +++ modsecurity-apache_2.7.7/apache2/Makefile.am 2014-01-25 18:28:47.542133608 +0100 -@@ -90,7 +90,7 @@ mod_security2_la_LDFLAGS = -module -avoi +@@ -100,7 +100,7 @@ mod_security2_la_LDFLAGS = -module -avoi endif if LINUX @@ -13,9 +13,9 @@ diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.am modsecurity-apache_ diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.in modsecurity-apache_2.7.7/apache2/Makefile.in --- modsecurity-apache_2.7.7.orig/apache2/Makefile.in 2013-12-18 12:50:41.000000000 +0100 +++ modsecurity-apache_2.7.7/apache2/Makefile.in 2014-01-25 18:28:59.621134193 +0100 -@@ -476,7 +476,7 @@ mod_security2_la_LIBADD = @APR_LDADD@ \ - @HPUX_TRUE@ @LUA_LDFLAGS@ \ - @HPUX_TRUE@ @PCRE_LDFLAGS@ +@@ -495,7 +495,7 @@ mod_security2_la_LIBADD = @APR_LDADD@ \ + @HPUX_TRUE@ @PCRE_LDFLAGS@ \ + @HPUX_TRUE@ @YAJL_LDFLAGS@ -@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ +@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ 
@@ -25,7 +25,7 @@ diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.in modsecurity-apache_ diff -rupN modsecurity-apache_2.7.7.orig/configure modsecurity-apache_2.7.7/configure --- modsecurity-apache_2.7.7.orig/configure 2013-12-18 12:50:42.000000000 +0100 +++ modsecurity-apache_2.7.7/configure 2014-01-25 18:32:31.913144475 +0100 -@@ -14225,7 +14225,8 @@ $as_echo "$as_me: pcre CFLAGS: $PCRE_CFL +@@ -14233,7 +14233,8 @@ $as_echo "$as_me: pcre CFLAGS: $PCRE_CFL PCRE_LDADD="`${PCRE_CONFIG} --libs`" if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5 $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi From 7ec89887586cc448ca37c98d89d55f002445939cad5567df36d6187db6ef00be Mon Sep 17 00:00:00 2001 
From: Roman Drahtmueller Date: Mon, 16 Jun 2014 15:37:59 +0000 Subject: [PATCH 05/14] - apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath in autoconf m4 macros. Obsoletes patch modsecurity-apache_2.8.0-build_fix_pcre.diff - use automake for build, add autoconf and automake to BuildRequires:. This fix is combined with [bnc#876878]. - turn on --enable-htaccess-config - use %{?_smp_mflags} for build - OWASP rule set. [bnc#876878] new in 2.8.0 (more complete changelog to add to last changelog): * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH * GPLv2 replaced by Apache License v2 * rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package. * documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. * renamed the term "Encryption" in directives that actually refer to hashes. See CHANGES file for more details. * byte conversion issues on s390x when logging fixed. * many small issues fixed that were discovered by a Coverity scanner * updated reference manual * wrong time calculation when logging for some timezones fixed. * replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.) * cookie parser memory leak fix * parsing of quoted strings in multipart Content-Disposition headers fixed. 
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=46 --- ...sp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz | 3 - ...sp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz | 3 + apache2-mod_security2-no_rpath.diff | 324 ++++++++++++++++++ apache2-mod_security2.changes | 36 ++ apache2-mod_security2.spec | 53 +-- mod_security2.conf | 10 +- modsecurity-apache_2.8.0-build_fix_pcre.diff | 37 -- 7 files changed, 393 insertions(+), 73 deletions(-) delete mode 100644 SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz create mode 100644 SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz create mode 100644 apache2-mod_security2-no_rpath.diff delete mode 100644 modsecurity-apache_2.8.0-build_fix_pcre.diff diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz deleted file mode 100644 index d1af24d..0000000 --- a/SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:74053b91ff528ef1052da65ea56881c6849ef809074a84e01dbd8a70ec369e87 -size 279879 diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz new file mode 100644 index 0000000..78f0869 --- /dev/null +++ b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bae3ef19925168a3b8ef9663bc9ed677cc6ca2fdbdbdd6111653c1b2991e24e3 +size 280011 diff --git a/apache2-mod_security2-no_rpath.diff b/apache2-mod_security2-no_rpath.diff new file mode 100644 index 0000000..49c19c8 --- /dev/null +++ b/apache2-mod_security2-no_rpath.diff 
@@ -0,0 +1,324 @@ +diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.am ./apache2/Makefile.am +--- ../modsecurity-2.8.0-o/apache2/Makefile.am 2014-04-15 14:44:04.000000000 +0200 ++++ ./apache2/Makefile.am 2014-06-16 16:17:44.000000000 +0200 +@@ -73,61 +73,61 @@ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if MACOSX + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if SOLARIS + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if LINUX +-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ ++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if FREEBSD + mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if OPENBSD + mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif +diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.in ./apache2/Makefile.in +--- ../modsecurity-2.8.0-o/apache2/Makefile.in 2014-04-15 14:44:14.000000000 +0200 ++++ ./apache2/Makefile.in 2014-06-16 16:18:03.000000000 +0200 +@@ -600,61 +600,61 @@ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \ + } + + uninstall-pkglibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \ + done + + clean-pkglibLTLIBRARIES: + -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES) + @list='$(pkglib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + + mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES) +- $(AM_V_CCLD)$(mod_security2_la_LINK) -rpath $(pkglibdir) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS) ++ $(AM_V_CCLD)$(mod_security2_la_LINK) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS) + + mostlyclean-compile: + -rm -f *.$(OBJEXT) + + distclean-compile: + -rm -f *.tab.c + + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-acmp.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_config.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_io.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_util.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_html5.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_sqli.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/mod_security2_la-libinjection_xss.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-mod_security2.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-modsecurity.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_crypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_geo.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_gsb.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_json.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_logging.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_lua.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_multipart.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_parsers.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_pcre.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_release.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_reqbody.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_status_engine.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_tree.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_unicode.Plo@am__quote@ +diff -rNU 30 ../modsecurity-2.8.0-o/build/libtool.m4 ./build/libtool.m4 +--- ../modsecurity-2.8.0-o/build/libtool.m4 2014-04-15 14:44:04.000000000 +0200 ++++ ./build/libtool.m4 2014-06-16 16:16:39.000000000 +0200 +@@ -4661,61 +4661,61 @@ + if test "$with_gnu_ld" = yes; then + case $host_os in + aix*) + # The AIX port of GNU ld has always aspired to compatibility + # with the native linker. 
However, as the warning in the GNU ld + # block says, versions before 2.19.5* couldn't really create working + # shared libraries, regardless of the interface used. + case `$LD -v 2>&1` in + *\ \(GNU\ Binutils\)\ 2.19.5*) ;; + *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;; + *\ \(GNU\ Binutils\)\ [[3-9]]*) ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + fi + + if test "$lt_use_gnu_ld_interface" = yes; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='${wl}' + + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH +- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + supports_anon_versioning=no + case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... + *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... + *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac + + # See if GNU ld supports shared libraries. + case $host_os in + aix[[3-9]]*) + # On AIX/PPC, the GNU linker is very broken + if test "$host_cpu" != ia64; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + + *** Warning: the GNU linker, at least up to release 2.19, is reported + *** to be unable to reliably create shared libraries on AIX. 
+ *** Therefore, libtool is disabling shared libraries support. If you + *** really care for shared libraries, you may want to install binutils + *** 2.20 or above, or modify your PATH so that a non-GNU linker is found. +@@ -4897,61 +4897,61 @@ + _LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + + *** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not + *** reliably create shared libraries on SCO systems. Therefore, libtool + *** is disabling shared libraries support. We urge you to upgrade GNU + *** binutils to release 2.16.91.0.3 or newer. Another option is to modify + *** your PATH or compiler configuration so that the native linker is + *** used, and then restart. + + _LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. 
+ if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then +- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + sunos4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + + if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then + runpath_var= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(export_dynamic_flag_spec, $1)= +@@ -5907,61 +5907,61 @@ + else + $as_unset lt_cv_path_LD + fi + test -z "${LDCXX+set}" || LD=$LDCXX + CC=${CXX-"c++"} + CFLAGS=$CXXFLAGS + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + # We don't want -fno-exception when compiling C++ code, so set the + # no_builtin_flag separately + if test "$GXX" = yes; then + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' + else + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + fi + + if test "$GXX" = yes; then + # Set up default GNU C++ configuration + + LT_PATH_LD + + # Check if GNU C++ uses GNU ld as the underlying linker, since 
the + # archiving commands below assume that GNU ld is being used. + if test "$with_gnu_ld" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + +- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + + # If archive_cmds runs LD, not CC, wlarc should be empty + # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to + # investigate it a little bit more. (MM) + wlarc='${wl}' + + # ancient GNU ld didn't support --whole-archive et. al. + if eval "`$CC -print-prog-name=ld` --help 2>&1" | + $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + with_gnu_ld=no + wlarc= + + # A generic and very simple default shared library creation + # command for GNU C++ for the case where it uses the native + # linker, instead of GNU ld. If possible, this setting should + # overridden to take advantage of the native linker features on + # the platform it is being used on. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + fi + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' 
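Review bot: In the Makefile.in section the `mod_security2.la` rule loses `-rpath $(pkglibdir)`, but that is libtool's install-directory argument, not a linker run-path, and libtool normally builds only a convenience library for a `.la` target linked without it. The edit is probably masked because %build in this commit runs `automake`, which regenerates Makefile.in, so that section could be dropped from the patch. The libtool.m4 edits reach the build only if `configure` is regenerated from them, and %build runs `aclocal` and `automake` but no explicit `autoconf`, so it is not evident from the patch that the run-path is actually gone from the module. I would open the patch with a header comment such as `# do not embed run-path entries in mod_security2.so; replaces modsecurity-apache_2.8.0-build_fix_pcre.diff`, and have the spec check the built `mod_security2.so` for RPATH/RUNPATH entries in its dynamic section.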
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes index 409610b..dacfdef 100644 --- a/apache2-mod_security2.changes +++ b/apache2-mod_security2.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de + +- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath + in autoconf m4 macros. Obsoletes patch + modsecurity-apache_2.8.0-build_fix_pcre.diff +- use automake for build, add autoconf and automake to + BuildRequires:. This fix is combined with [bnc#876878]. +- turn on --enable-htaccess-config +- use %{?_smp_mflags} for build + +------------------------------------------------------------------- +Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de + +- OWASP rule set. [bnc#876878] + new in 2.8.0 (more complete changelog to add to last changelog): + * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) + now support white and suspicious list + * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH + * GPLv2 replaced by Apache License v2 + * rules are not part of the source tarball any longer, but + maintaned upstream externally, and included in this package. + * documentation was externalized to a wiki. Package contains + the FAQ and the reference manual in html form. + * renamed the term "Encryption" in directives that actually refer + to hashes. See CHANGES file for more details. + * byte conversion issues on s390x when logging fixed. + * many small issues fixed that were discovered by a Coverity scanner + * updated reference manual + * wrong time calculation when logging for some timezones fixed. + * replaced time-measuring mechanism with finer granularity for + measured request/answer phases. (Stopwatch remains for compat.) + * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. + ------------------------------------------------------------------- Thu May 1 05:06:15 UTC 2014 - thomas.worm@sicsec.de diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index e96ceb7..fc591a9 100644 --- a/apache2-mod_security2.spec 
+++ b/apache2-mod_security2.spec 
@@ -18,46 +18,45 @@ Name: apache2-mod_security2 Version: 2.8.0 -Release: 0 -%define aversion 2.8.0 +Release: 0.1 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: apache2-devel BuildRequires: apache2-prefork +BuildRequires: autoconf +BuildRequires: automake BuildRequires: c++_compiler -BuildRequires: curl-devel +BuildRequires: libcurl-devel BuildRequires: libxml2-devel +BuildRequires: lua-devel BuildRequires: pcre-devel %define apache apache2 %define modname mod_security2 -%define tarballname modsecurity-%{aversion} -%define refman Reference-Manual.html -%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html +%define tarballname modsecurity-%{version} +# +%define apxs %{_sbindir}/apxs2 +%define apache_libexecdir %(%{apxs} -q LIBEXECDIR) +%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) +%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)/MMN; test -x $MMN && $MMN) %define usrsharedir %{_prefix}/share/%{name} - -%{!?apxs: %global apxs /usr/sbin/apxs2} -%{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)} -%{!?apache_sysconfdir: %global apache_sysconfdir %(%{apxs} -q SYSCONFDIR)} -%{!?apache_includedir: %global apache_includedir %(%{apxs} -q INCLUDEDIR)} -%{!?apache_serveroot: %global apache_serverroot %(%{apxs} -q PREFIX)} -%{!?apache_localstatedir: %global apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)} -%{!?apache_mmn: %global apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)} - +%define refman Reference-Manual.html +%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html +%if 0%{?apache_mmn} Requires: %{apache_mmn} +%endif Requires: apache2 # Url: http://www.modsecurity.org/ -Source: https://www.modsecurity.org/tarball/%{version}/%{tarballname}.tar.gz -Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz +Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz +Source1: 
https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz Source2: mod_security2.conf Source3: %{refman}.bz2 Source4: %{faq}.bz2 Source5: modsecurity_diagram_apache_request_cycle.jpg Source6: README-SUSE-mod_security2.txt +Patch0: apache2-mod_security2-no_rpath.diff # -# PATCH-FIX-OPENSUSE modsecurity-apache_2.8.0-build_fix_pcre.diff -Patch0: modsecurity-apache_2.8.0-build_fix_pcre.diff Summary: ModSecurity Open Source Web Application Firewall License: Apache-2.0 Group: Productivity/Networking/Web/Servers @@ -75,21 +74,24 @@ ruleset. Please have a look at http://www.modsecurity.org/ for more details. %prep %setup -n %{tarballname} -#tar -xvjpf %{S:2} %setup -D -T -a 1 -n %{tarballname} mv -v SpiderLabs* rules bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman} bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq} -%patch0 -p1 +%patch0 +#%patch1 +#%patch2 %build -%configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config -make %{?_smp_mflags} +aclocal +automake +./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config +CFLAGS="%{optflags}" make %{?_smp_mflags} %install pushd %{apache} install -d -m 0755 %{buildroot}%{apache_libexecdir} - install -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so popd install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d @@ -133,7 +135,6 @@ mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \ #%{usrsharedir}/rules/experimental_rules #%{usrsharedir}/rules/optional_rules #%{usrsharedir}/rules/slr_rules -%doc doc/* -#rules/util/regression_tests +%doc doc/* rules/util/regression-tests %changelog 
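Review bot: The new `apache_mmn` definition looks for the helper at `$(%{apxs} -q LIBEXECDIR)/MMN`, while the removed line used `LIBEXECDIR)_MMN`; if the helper still lives at the old path, the macro expands to nothing and the added `%if 0%{?apache_mmn}` guard silently drops `Requires: %{apache_mmn}`, so the package no longer pins the server's module ABI. I would keep the old spelling, `%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)`, or confirm that the new path exists in the build root. The same hunk moves `Source:` from an https URL to `http://www.modsecurity.org/download/...`; PATCH 14/14 further down this page restores https, and the spec itself carries no checksum or signature check for that tarball. The hunk covers only part of the spec preamble, so definitions outside it are not visible here.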
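Review bot: `CFLAGS="%{optflags}" make %{?_smp_mflags}` only puts CFLAGS into make's environment, where the `CFLAGS = ...` assignment that configure writes into the Makefiles normally takes precedence, so the distribution's optimisation and hardening flags in `%{optflags}` are probably not applied now that `%configure` has been replaced by a bare `./configure`. Pass them at configure time instead: `CFLAGS="%{optflags}" ./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config`, followed by a plain `make %{?_smp_mflags}`. The bare `./configure` also loses the prefix and libdir arguments that `%configure` supplied, which deserves a comment saying why the macro could not be kept. The %build and %install sections continue outside this hunk.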
diff --git a/mod_security2.conf b/mod_security2.conf index 7ac6126..24600a1 100644 --- a/mod_security2.conf +++ b/mod_security2.conf @@ -19,7 +19,7 @@ # "mod_" as an argument! # # note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache -# start script /etc/init.d/apache2 . Changes in APACHE_MODULES are then +# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then # visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start # script. # @@ -40,7 +40,7 @@ # Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read. # For the rules you wish to apply, place a symlink to the rules file there. # -# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.7 +# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9 # is contained in this package, a splendid set of rules made to provide for a # decent basic and even advanced protection. The rules files are contained # in the directory /usr/share/apache2-mod_security2/rules/. @@ -61,7 +61,7 @@ # located in the package's documentation directory, in the state of 2013/01: # /usr/share/doc/packages/apache2-mod_security2 # -# Roman Drahtmueller , SUSE, 20130118. +# Roman Drahtmueller , SUSE, 20140610. # @@ -93,10 +93,6 @@ SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" -# -- XML external entity loading by libxml2. -# Defaults to off. -SecXmlExternalEntity Off - # Maximum request body size we will accept for buffering. If you support # file uploads then the value given on the first line has to be as large # as the largest file you are willing to accept. The second value refers diff --git a/modsecurity-apache_2.8.0-build_fix_pcre.diff b/modsecurity-apache_2.8.0-build_fix_pcre.diff deleted file mode 100644 index 76441da..0000000 --- a/modsecurity-apache_2.8.0-build_fix_pcre.diff +++ /dev/null 
@@ -1,37 +0,0 @@ -diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.am modsecurity-apache_2.7.7/apache2/Makefile.am ---- modsecurity-apache_2.7.7.orig/apache2/Makefile.am 2013-12-17 00:55:17.000000000 +0100 -+++ modsecurity-apache_2.7.7/apache2/Makefile.am 2014-01-25 18:28:47.542133608 +0100 -@@ -100,7 +100,7 @@ mod_security2_la_LDFLAGS = -module -avoi - endif - - if LINUX --mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ -+mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @APR_LDFLAGS@ \ - @APU_LDFLAGS@ \ - @APXS_LDFLAGS@ \ -diff -rupN modsecurity-apache_2.7.7.orig/apache2/Makefile.in modsecurity-apache_2.7.7/apache2/Makefile.in ---- modsecurity-apache_2.7.7.orig/apache2/Makefile.in 2013-12-18 12:50:41.000000000 +0100 -+++ modsecurity-apache_2.7.7/apache2/Makefile.in 2014-01-25 18:28:59.621134193 +0100 -@@ -495,7 +495,7 @@ mod_security2_la_LIBADD = @APR_LDADD@ \ - @HPUX_TRUE@ @PCRE_LDFLAGS@ \ - @HPUX_TRUE@ @YAJL_LDFLAGS@ - --@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ -+@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ - @LINUX_TRUE@ @APR_LDFLAGS@ \ - @LINUX_TRUE@ @APU_LDFLAGS@ \ - @LINUX_TRUE@ @APXS_LDFLAGS@ \ -diff -rupN modsecurity-apache_2.7.7.orig/configure modsecurity-apache_2.7.7/configure ---- modsecurity-apache_2.7.7.orig/configure 2013-12-18 12:50:42.000000000 +0100 -+++ modsecurity-apache_2.7.7/configure 2014-01-25 18:32:31.913144475 +0100 -@@ -14233,7 +14233,8 @@ $as_echo "$as_me: pcre CFLAGS: $PCRE_CFL - PCRE_LDADD="`${PCRE_CONFIG} --libs`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5 - $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi -- PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" -+ #PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`" -+ PCRE_LD_PATH="" - if test 
"$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5 - $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi - else From fce1311a9befc91dfa52cdcbfd3cbc9b88983f2aa1ea49a7fee318751857caea Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Mon, 16 Jun 2014 17:03:44 +0000 Subject: [PATCH 06/14] - BuildRequires: libtool missing - apache2-mod_security2-libtool-fix.diff: initialize libtool. OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=47 --- apache2-mod_security2.changes | 10 ++++++++++ apache2-mod_security2.spec | 2 ++ 2 files changed, 12 insertions(+) diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes index dacfdef..01ad5f9 100644 --- a/apache2-mod_security2.changes +++ b/apache2-mod_security2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de + +- BuildRequires: libtool missing + +------------------------------------------------------------------- +Mon Jun 16 18:17:26 CEST 2014 - draht@suse.de + +- apache2-mod_security2-libtool-fix.diff: initialize libtool. + ------------------------------------------------------------------- Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index fc591a9..ff9286b 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -28,6 +28,7 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: c++_compiler BuildRequires: libcurl-devel +BuildRequires: libtool BuildRequires: libxml2-devel BuildRequires: lua-devel BuildRequires: pcre-devel 
@@ -85,6 +86,7 @@ bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}
 %build
 aclocal
 automake
+#autoreconf -fi
 ./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
 CFLAGS="%{optflags}" make %{?_smp_mflags}
From f458f3c6eb938054f6b6b2178bfc48815ff67d84930c617fcc9d29b33c071af5 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Mon, 7 Jul 2014 12:07:15 +0000 Subject: [PATCH 07/14] - last changelog does not say that apache2-mod_security2-libtool-fix.diff was obsoleted. OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=48
---
 apache2-mod_security2.changes | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index 01ad5f9..28a7d54 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jul 7 14:06:19 CEST 2014 - draht@suse.de
+
+- last changelog does not say that
+ apache2-mod_security2-libtool-fix.diff was obsoleted.
+
 -------------------------------------------------------------------
 Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de
From fc3d6dbc4e5d621cdc8e0ddddc940ed6e0bda0a2962ff0fe87e0cd1ab8790f0d Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Wed, 27 Aug 2014 15:27:01 +0000 Subject: [PATCH 08/14] Accepting request 246404 from home:thomas-worm-sicsec:dev:mod_security Added backward compatibility for SLE 11 (aclocal fails on older distributions than openSuSE 13.1). Please forward to updates. OBS-URL: https://build.opensuse.org/request/show/246404 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=49
---
 apache2-mod_security2.changes | 7 +++++++ apache2-mod_security2.spec | 7 ++++++- 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index 28a7d54..53bde9d 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de
+
+- Fixed spec file to work with older distribution versions.
+ Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
+ has to be called.
+
 -------------------------------------------------------------------
 Mon Jul 7 14:06:19 CEST 2014 - draht@suse.de
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index ff9286b..dd2fcd9 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -84,9 +84,14 @@ bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}
 #%patch2
 %build
+# aclocal only works with never distributions,
+%if 0%{?suse_version} >= 1310
 aclocal
+# on older versions only autoconf is called.
+%else
+autoreconf -fi
+%endif
 automake
-#autoreconf -fi
 ./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
 CFLAGS="%{optflags}" make %{?_smp_mflags}
From 0d2701922b181996dae88b2ad2293dc18c26058935121b38101ddbdf021d3342 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Wed, 27 Aug 2014 15:30:58 +0000 Subject: [PATCH 09/14] - Portability: provide /etc/apache2/mod_security2.d/empty.conf to avoid a non-match of the file-glob in the Include statement from /etc/apache2/conf.d/mod_security2.conf . This restores the Include back from the IncludeOptional, which is not portable. OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=50
---
 apache2-mod_security2.changes | 8 ++++++++ apache2-mod_security2.spec | 1 + empty.conf | 4 ++++ 3 files changed, 13 insertions(+) create mode 100644 empty.conf
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index 53bde9d..4ee0abc 100644
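Review bot: On the `%else` branch `autoreconf -fi` regenerates the libtool support files, which may overwrite the `build/libtool.m4` that apache2-mod_security2-no_rpath.diff patched in %prep, so builds for older distributions could get the run-path back; `automake` then also runs a second time right after autoreconf has already invoked it. I would move `automake` into the `%if` branch next to `aclocal` and verify on an older target that the built module carries no RPATH/RUNPATH entry. The two added comments do not describe what the branches do: `# aclocal only works with newer distributions` and `# older distributions need a full autoreconf instead` would match the code. The %build section continues past the end of the hunk.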
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de
+
+- Portability: provide /etc/apache2/mod_security2.d/empty.conf
+ to avoid a non-match of the file-glob in the Include statement
+ from /etc/apache2/conf.d/mod_security2.conf . This restores
+ the Include back from the IncludeOptional, which is not portable.
+
 -------------------------------------------------------------------
 Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index dd2fcd9..7ad3894 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -56,6 +56,7 @@ Source3: %{refman}.bz2
 Source4: %{faq}.bz2
 Source5: modsecurity_diagram_apache_request_cycle.jpg
 Source6: README-SUSE-mod_security2.txt
+Source7: empty.conf
 Patch0: apache2-mod_security2-no_rpath.diff
 #
 Summary: ModSecurity Open Source Web Application Firewall
diff --git a/empty.conf b/empty.conf
new file mode 100644
index 0000000..7b57715
--- /dev/null
+++ b/empty.conf
@@ -0,0 +1,4 @@
+# This configuration file has been intentionally left empty to avoid errors
+# resulting from an Include statement that matches no files.
+# (IncludeOptional is available for apache > 2.4)
+#
From 8897dd4991bf1741872f024d8b4ea7c7e621d06551508f8f6d3a9961ae192aa6 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Wed, 27 Aug 2014 15:32:56 +0000 Subject: [PATCH 10/14] OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=51
---
 apache2-mod_security2.spec | 1 + 1 file changed, 1 insertion(+)
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index 7ad3894..f9b2912 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -133,6 +133,7 @@ mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
 %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
 %dir %{apache_sysconfdir}/mod_security2.d
 %{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
+%{apache_sysconfdir}/mod_security2.d/empty.conf
 %dir %{usrsharedir}
 #%dir %{usrsharedir}/tools
 #%dir %{usrsharedir}/rules
From 683b922885c9ab71d8a9c4fea04657ce34894b12fe35300f285849d37f5c6e2b Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Wed, 27 Aug 2014 16:32:34 +0000 Subject: [PATCH 11/14] OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=52
---
 apache2-mod_security2.spec | 1 + 1 file changed, 1 insertion(+)
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index f9b2912..ae99871 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -104,6 +104,7 @@ popd
 install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
 install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
 install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
+install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d
 cp -a %{SOURCE6} doc
 install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc
 install -m 0644 %{SOURCE5} doc
From b518d3bbc3dce0c1fc1c102bb3235c40f2cf344357c241a7a83d39b7d2bd0ddb Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Wed, 27 Aug 2014 16:51:13 +0000 Subject: [PATCH 12/14] OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=53
---
 apache2-mod_security2.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index ae99871..78ecbc9 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -49,7 +49,7 @@ Requires: %{apache_mmn}
 Requires: apache2
 #
 Url: http://www.modsecurity.org/
-Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz
+Source: %{tarballname}.tar.gz
 Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
 Source2: mod_security2.conf
 Source3: %{refman}.bz2
From d204f2d2cab52e56740bd5891c4f5fef05c53201fb3aae0669274b2476e8f3f8 Mon Sep 17 00:00:00 2001
From: Roman Drahtmueller
Date: Wed, 27 Aug 2014 16:54:45 +0000
Subject: [PATCH 13/14] OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=54
---
 apache2-mod_security2.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index 78ecbc9..ae99871 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -49,7 +49,7 @@ Requires: %{apache_mmn}
 Requires: apache2
 #
 Url: http://www.modsecurity.org/
-Source: %{tarballname}.tar.gz
+Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz
 Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
 Source2: mod_security2.conf
 Source3: %{refman}.bz2
From 6145a7eaa6cc32b692b971ae7c1263880080d267d9c86ee63a0f2300f6dbff4b Mon Sep 17 00:00:00 2001
From: Roman Drahtmueller
Date: Wed, 27 Aug 2014 16:57:19 +0000
Subject: [PATCH 14/14] - Source URL set to (expanded) https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=55
---
 apache2-mod_security2.changes | 2 ++
 apache2-mod_security2.spec | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index 4ee0abc..f2ba18f 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
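Review bot: After the first `@@ -49,7 +49,7 @@` hunk neither source line in it can be re-fetched and compared with what was packaged: the new `Source: %{tarballname}.tar.gz` records no origin at all, and the `Source1:` context line below it downloads from `tarball/master`, a ref that moves with upstream, although its file name names one snapshot (`2.2.9-5-gebe8790`). For a WAF module and its rule set, the spec should let a reviewer reproduce both tarballs. Keep a full `https://` URL on `Source:`, and replace `master` in the `Source1:` URL with the commit the file name carries (`ebe8790`, if the `g` prefix is git-describe's). The same `Source1:` line is left unchanged by the second hunk on this line and by the spec hunk of the last patch, and the spec preamble continues outside all three.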
@@ -5,6 +5,8 @@ Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de
 to avoid a non-match of the file-glob in the Include statement
 from /etc/apache2/conf.d/mod_security2.conf . This restores
 the Include back from the IncludeOptional, which is not portable.
+- Source URL set to (expanded)
+ https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

 -------------------------------------------------------------------
 Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de
diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec
index ae99871..0462382 100644
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@@ -49,7 +49,7 @@ Requires: %{apache_mmn}
 Requires: apache2
 #
 Url: http://www.modsecurity.org/
-Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz
+Source: https://www.modsecurity.org/tarball/%{version}/%{tarballname}.tar.gz
 Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
 Source2: mod_security2.conf
 Source3: %{refman}.bz2
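Review bot: Nothing beside the new `https://` `Source:` line lets a build or a reviewer check the tarball against what upstream published, because no checksum or detached signature is listed with it; TLS only protects the download in transit. If upstream provides one for this release, add it as a further `SourceN:` and verify it in `%prep`; until then a comment above the line would record the gap, e.g. `# tarball is not verified at build time; compare with upstream's published checksum on every version bump`. The `Url:` context line two lines up still uses `http://` and could become `Url: https://www.modsecurity.org/` in the same change. The spec preamble continues outside the hunk, so a verification source may already exist elsewhere in the file.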