Accepting request 246670 from Apache:Modules

- Portability: provide /etc/apache2/mod_security2.d/empty.conf to avoid a non-match of the file-glob in the Include statement from /etc/apache2/conf.d/mod_security2.conf . This restores the Include back from the IncludeOptional, which is not portable. - Source URL set to (expanded) https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz - Fixed spec file to work with older distribution versions. Before openSuSE 13.1 aclocal doesn't work, instead autoreconf has to be called. - last changelog does not say that apache2-mod_security2-libtool-fix.diff was obsoleted. - BuildRequires: libtool missing - apache2-mod_security2-libtool-fix.diff: initialize libtool. - apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath in autoconf m4 macros. Obsoletes patch modsecurity-apache_2.8.0-build_fix_pcre.diff - use automake for build, add autoconf and automake to BuildRequires:. This fix is combined with [bnc#876878]. - turn on --enable-htaccess-config - use %{?_smp_mflags} for build - OWASP rule set. [bnc#876878] new in 2.8.0 (more complete changelog to add to last changelog): * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list OBS-URL: https://build.opensuse.org/request/show/246670 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=16
2014-09-03 16:22:03 +00:00 · 2014-09-03 16:22:03 +00:00 · 6dbfb577bd
commit 6dbfb577bd
parent 6341f03002 6145a7eaa6
14 changed files with 864 additions and 98 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 ## Specific LFS patterns
 modsecurity_diagram_apache_request_cycle.jpg filter=lfs diff=lfs merge=lfs -text
--- a/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
+++ b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:bab5e208e8c2aa4beeb799a4d05bceb3eb44846e75565b32b483fb5fb32023a7
 size 11838
--- a/README-SUSE-mod_security2.txt
+++ b/README-SUSE-mod_security2.txt
@ -0,0 +1,13 @@
 #
 # Dear Administrator,
 #
 # mod_security2 is not activated by default upon installation of the
 # apache module.
 #
 # Your starting point for the configuration of mod_security2 is
 # /etc/apache2/conf.d/mod_security2.conf .
 # Please see that file for comments on how to activate the module
 # and on how to assign rules.
 #
--- a/Reference-Manual.html.bz2
+++ b/Reference-Manual.html.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:160af986e97bafad2cdbd58469115102068eff3b2f2f246f559adf7256d0dcf8
 size 60381
--- a/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
+++ b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:bae3ef19925168a3b8ef9663bc9ed677cc6ca2fdbdbdd6111653c1b2991e24e3
 size 280011
--- a/apache2-mod_security2-no_rpath.diff
+++ b/apache2-mod_security2-no_rpath.diff
@ -0,0 +1,324 @@
 diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.am ./apache2/Makefile.am
 --- ../modsecurity-2.8.0-o/apache2/Makefile.am	2014-04-15 14:44:04.000000000 +0200
 +++ ./apache2/Makefile.am	2014-06-16 16:17:44.000000000 +0200
@@ -73,61 +73,61 @@
     @APXS_LDFLAGS@ \
     @LIBXML2_LDFLAGS@ \
     @LUA_LDFLAGS@ \
     @PCRE_LDFLAGS@ \
     @YAJL_LDFLAGS@
 endif
 if MACOSX
 mod_security2_la_LDFLAGS = -module -avoid-version \
     @APR_LDFLAGS@ \
     @APU_LDFLAGS@ \
     @APXS_LDFLAGS@ \
     @LIBXML2_LDFLAGS@ \
     @LUA_LDFLAGS@ \
     @PCRE_LDFLAGS@ \
     @YAJL_LDFLAGS@
 endif
 if SOLARIS
 mod_security2_la_LDFLAGS = -module -avoid-version \
     @APR_LDFLAGS@ \
     @APU_LDFLAGS@ \
     @APXS_LDFLAGS@ \
     @LIBXML2_LDFLAGS@ \
     @LUA_LDFLAGS@ \
     @PCRE_LDFLAGS@ \
     @YAJL_LDFLAGS@
 endif
 if LINUX
 -mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
 +mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
     @APR_LDFLAGS@ \
     @APU_LDFLAGS@ \
     @APXS_LDFLAGS@ \
     @LIBXML2_LDFLAGS@ \
     @LUA_LDFLAGS@ \
     @PCRE_LDFLAGS@ \
     @YAJL_LDFLAGS@
 endif
 if FREEBSD
 mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
     @APR_LDFLAGS@ \
     @APU_LDFLAGS@ \
     @APXS_LDFLAGS@ \
     @LIBXML2_LDFLAGS@ \
     @LUA_LDFLAGS@ \
     @PCRE_LDFLAGS@ \
     @YAJL_LDFLAGS@
 endif
 if OPENBSD
 mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
     @APR_LDFLAGS@ \
     @APU_LDFLAGS@ \
     @APXS_LDFLAGS@ \
     @LIBXML2_LDFLAGS@ \
     @LUA_LDFLAGS@ \
     @PCRE_LDFLAGS@ \
     @YAJL_LDFLAGS@
 endif
 diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.in ./apache2/Makefile.in
 --- ../modsecurity-2.8.0-o/apache2/Makefile.in	2014-04-15 14:44:14.000000000 +0200
 +++ ./apache2/Makefile.in	2014-06-16 16:18:03.000000000 +0200
@@ -600,61 +600,61 @@
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
 	  echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \
 	  $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \
 	}
 uninstall-pkglibLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
 	for p in $$list; do \
 	  $(am__strip_dir) \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \
 	done
 clean-pkglibLTLIBRARIES:
 	-test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
 	@list='$(pkglib_LTLIBRARIES)'; \
 	locs=`for p in $$list; do echo $$p; done | \
 	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
 	      sort -u`; \
 	test -z "$$locs" || { \
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
 mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES) 
 -	$(AM_V_CCLD)$(mod_security2_la_LINK) -rpath $(pkglibdir) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
 +	$(AM_V_CCLD)$(mod_security2_la_LINK) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
 distclean-compile:
 	-rm -f *.tab.c
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-acmp.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_io.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_util.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_html5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_sqli.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_xss.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-mod_security2.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-modsecurity.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_crypt.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_geo.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_gsb.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_json.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_logging.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_lua.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_multipart.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_parsers.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_pcre.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_release.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_reqbody.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_status_engine.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_tree.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_unicode.Plo@am__quote@
 diff -rNU 30 ../modsecurity-2.8.0-o/build/libtool.m4 ./build/libtool.m4
 --- ../modsecurity-2.8.0-o/build/libtool.m4	2014-04-15 14:44:04.000000000 +0200
 +++ ./build/libtool.m4	2014-06-16 16:16:39.000000000 +0200
@@ -4661,61 +4661,61 @@
   if test "$with_gnu_ld" = yes; then
     case $host_os in
       aix*)
 	# The AIX port of GNU ld has always aspired to compatibility
 	# with the native linker.  However, as the warning in the GNU ld
 	# block says, versions before 2.19.5* couldn't really create working
 	# shared libraries, regardless of the interface used.
 	case `$LD -v 2>&1` in
 	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
 	  *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
 	  *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
 	  *)
 	    lt_use_gnu_ld_interface=yes
 	    ;;
 	esac
 	;;
       *)
 	lt_use_gnu_ld_interface=yes
 	;;
     esac
   fi
   if test "$lt_use_gnu_ld_interface" = yes; then
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
     # Set some defaults for GNU ld with shared library support. These
     # are reset later if shared libraries are not supported. Putting them
     # here allows them to be overridden if necessary.
     runpath_var=LD_RUN_PATH
 -    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 +    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
     _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
     # ancient GNU ld didn't support --whole-archive et. al.
     if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
       _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
     else
       _LT_TAGVAR(whole_archive_flag_spec, $1)=
     fi
     supports_anon_versioning=no
     case `$LD -v 2>&1` in
       *GNU\ gold*) supports_anon_versioning=yes ;;
       *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
       *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
       *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
       *\ 2.11.*) ;; # other 2.11 versions
       *) supports_anon_versioning=yes ;;
     esac
     # See if GNU ld supports shared libraries.
     case $host_os in
     aix[[3-9]]*)
       # On AIX/PPC, the GNU linker is very broken
       if test "$host_cpu" != ia64; then
 	_LT_TAGVAR(ld_shlibs, $1)=no
 	cat <<_LT_EOF 1>&2
 *** Warning: the GNU linker, at least up to release 2.19, is reported
 *** to be unable to reliably create shared libraries on AIX.
 *** Therefore, libtool is disabling shared libraries support.  If you
 *** really care for shared libraries, you may want to install binutils
 *** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
@@ -4897,61 +4897,61 @@
 _LT_EOF
       elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	_LT_TAGVAR(ld_shlibs, $1)=no
       fi
       ;;
     sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
       case `$LD -v 2>&1` in
         *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
 	_LT_TAGVAR(ld_shlibs, $1)=no
 	cat <<_LT_EOF 1>&2
 *** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
 *** reliably create shared libraries on SCO systems.  Therefore, libtool
 *** is disabling shared libraries support.  We urge you to upgrade GNU
 *** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
 *** your PATH or compiler configuration so that the native linker is
 *** used, and then restart.
 _LT_EOF
 	;;
 	*)
 	  # For security reasons, it is highly recommended that you always
 	  # use absolute paths for naming shared libraries, and exclude the
 	  # DT_RUNPATH tag from executables and libraries.  But doing so
 	  # requires that you compile everything twice, which is a pain.
 	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
 -	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 +	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
 	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	  else
 	    _LT_TAGVAR(ld_shlibs, $1)=no
 	  fi
 	;;
       esac
       ;;
     sunos4*)
       _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       wlarc=
       _LT_TAGVAR(hardcode_direct, $1)=yes
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
     *)
       if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	_LT_TAGVAR(ld_shlibs, $1)=no
       fi
       ;;
     esac
     if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then
       runpath_var=
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
       _LT_TAGVAR(export_dynamic_flag_spec, $1)=
@@ -5907,61 +5907,61 @@
   else
     $as_unset lt_cv_path_LD
   fi
   test -z "${LDCXX+set}" || LD=$LDCXX
   CC=${CXX-"c++"}
   CFLAGS=$CXXFLAGS
   compiler=$CC
   _LT_TAGVAR(compiler, $1)=$CC
   _LT_CC_BASENAME([$compiler])
   if test -n "$compiler"; then
     # We don't want -fno-exception when compiling C++ code, so set the
     # no_builtin_flag separately
     if test "$GXX" = yes; then
       _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
     else
       _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
     fi
     if test "$GXX" = yes; then
       # Set up default GNU C++ configuration
       LT_PATH_LD
       # Check if GNU C++ uses GNU ld as the underlying linker, since the
       # archiving commands below assume that GNU ld is being used.
       if test "$with_gnu_ld" = yes; then
         _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
         _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 -        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 +        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
         _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
         # If archive_cmds runs LD, not CC, wlarc should be empty
         # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
         #     investigate it a little bit more. (MM)
         wlarc='${wl}'
         # ancient GNU ld didn't support --whole-archive et. al.
         if eval "`$CC -print-prog-name=ld` --help 2>&1" |
 	  $GREP 'no-whole-archive' > /dev/null; then
           _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
         else
           _LT_TAGVAR(whole_archive_flag_spec, $1)=
         fi
       else
         with_gnu_ld=no
         wlarc=
         # A generic and very simple default shared library creation
         # command for GNU C++ for the case where it uses the native
         # linker, instead of GNU ld.  If possible, this setting should
         # overridden to take advantage of the native linker features on
         # the platform it is being used on.
         _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
       fi
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
       output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@ -1,3 +1,138 @@
 -------------------------------------------------------------------
 Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de
 - Portability: provide /etc/apache2/mod_security2.d/empty.conf
  to avoid a non-match of the file-glob in the Include statement
  from /etc/apache2/conf.d/mod_security2.conf . This restores
  the Include back from the IncludeOptional, which is not portable.
 - Source URL set to (expanded)
  https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
 -------------------------------------------------------------------
 Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de
 - Fixed spec file to work with older distribution versions.
  Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
  has to be called.
 -------------------------------------------------------------------
 Mon Jul  7 14:06:19 CEST 2014 - draht@suse.de
 - last changelog does not say that 
  apache2-mod_security2-libtool-fix.diff was obsoleted.
 -------------------------------------------------------------------
 Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de
 - BuildRequires: libtool missing
 -------------------------------------------------------------------
 Mon Jun 16 18:17:26 CEST 2014 - draht@suse.de
 - apache2-mod_security2-libtool-fix.diff: initialize libtool.
 -------------------------------------------------------------------
 Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de
 - apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
  in autoconf m4 macros. Obsoletes patch
  modsecurity-apache_2.8.0-build_fix_pcre.diff
 - use automake for build, add autoconf and automake to
  BuildRequires:. This fix is combined with [bnc#876878].
 - turn on --enable-htaccess-config
 - use %{?_smp_mflags} for build
 -------------------------------------------------------------------
 Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de
 - OWASP rule set. [bnc#876878]
  new in 2.8.0 (more complete changelog to add to last changelog):
  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
    now support white and suspicious list
  * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintaned upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer
    to hashes. See CHANGES file for more details.
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual
  * wrong time calculation when logging for some timezones fixed.
  * replaced time-measuring mechanism with finer granularity for
    measured request/answer phases. (Stopwatch remains for compat.)
  * cookie parser memory leak fix
  * parsing of quoted strings in multipart Content-Disposition
    headers fixed.
 -------------------------------------------------------------------
 Thu May  1 05:06:15 UTC 2014 - thomas.worm@sicsec.de
 - Raised to version 2.8.0. 
 - updated patches:
  * modsecurity-apache_2.8.0-build_fix_pcre.diff
    -> modsecurity-apache_2.7.7-build_fix_pcre.diff
 -------------------------------------------------------------------
 Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de
 - Raised to version 2.7.7.
 - modified patches:
  * modsecurity-apache_2.7.5-build_fix_pcre.diff,
    renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff.
 -------------------------------------------------------------------
 Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de
 - Use correct source Url
 -------------------------------------------------------------------
 Fri Aug  2 14:18:39 CEST 2013 - draht@suse.de
 - complete overhaul of this package, with update to 2.7.5.
 - ruleset update to 2.2.8-0-g0f07cbb.
 - new configuration framework private to mod_security2:
  /etc/apache2/conf.d/mod_security2.conf loads
  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
  then /etc/apache2/mod_security2.d/*.conf , as set up based on
  advice in /etc/apache2/conf.d/mod_security2.conf
  Your configuration starting point is
  /etc/apache2/conf.d/mod_security2.conf
 - !!! Please note that mod_unique_id is needed for mod_security2 to run!
 - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
  linker parameter, preventing rpath in shared object.
 - fixes contained for the following bugs:
  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
  * [bnc#768293] multi-part bypass, minor threat
  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
  * CVE-2012-4528 [bnc#789393] rule bypass
  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
 - new from 2.5.9 to 2.7.5, only major changes:
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintaned upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer
    to hashes. See CHANGES file for more details.
  * new directive SecXmlExternalEntity, default off
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual
  * wrong time calculation when logging for some timezones fixed.
  * replaced time-measuring mechanism with finer granularity for
    measured request/answer phases. (Stopwatch remains for compat.)
  * cookie parser memory leak fix
  * parsing of quoted strings in multipart Content-Disposition
    headers fixed.
  * SDBM deadlock fix
  * @rsub memory leak fix
  * cookie separator code improvements
  * build failure fixes
  * compile time option --enable-htaccess-config (set)
 -------------------------------------------------------------------
 Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com
--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,41 +17,50 @@
 Name:           apache2-mod_security2
-Version:        2.6.7
+Version:        2.8.0
-Release:        0
+Release:        0.1
 %define aversion 2.6.7
 #
 #
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  apache2-devel
 BuildRequires:  apache2-prefork
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  c++_compiler
-BuildRequires:  curl-devel
+BuildRequires:  libcurl-devel
 BuildRequires:  libtool
 BuildRequires:  libxml2-devel
 BuildRequires:  lua-devel
 BuildRequires:  pcre-devel
 %define apache        apache2
 %define modname       mod_security2
-%define tarballname   modsecurity-apache_%{aversion}
+%define tarballname   modsecurity-%{version}
 #
-
+%define apxs              %{_sbindir}/apxs2
-%{!?apxs: %global apxs /usr/sbin/apxs2}
+%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
-%{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)}
+%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
-%{!?apache_sysconfdir: %global apache_sysconfdir %(%{apxs} -q SYSCONFDIR)}  
+%define apache_mmn       %(MMN=$(%{apxs} -q LIBEXECDIR)/MMN; test -x $MMN && $MMN)
-%{!?apache_includedir: %global apache_includedir %(%{apxs} -q INCLUDEDIR)}
+%define usrsharedir %{_prefix}/share/%{name}
-%{!?apache_serveroot: %global apache_serverroot %(%{apxs} -q PREFIX)}
+%define refman Reference-Manual.html
-%{!?apache_localstatedir: %global apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)}
+%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html
-%{!?apache_mmn: %global apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)}
+%if 0%{?apache_mmn}
 Requires:       %{apache_mmn}
 %endif
 Requires:       apache2
 #
 Url:            http://www.modsecurity.org/
-Source:         http://www.modsecurity.org/download/%{tarballname}.tar.gz
+Source:         https://www.modsecurity.org/tarball/%{version}/%{tarballname}.tar.gz
-Source1:        mod_security2.conf
+Source1:        https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
-Source2:        rules.tar.bz2
+Source2:        mod_security2.conf
 Source3:        %{refman}.bz2
 Source4:        %{faq}.bz2
 Source5:        modsecurity_diagram_apache_request_cycle.jpg
 Source6:        README-SUSE-mod_security2.txt
 Source7:        empty.conf
 Patch0:         apache2-mod_security2-no_rpath.diff
 #
 Summary:        ModSecurity Open Source Web Application Firewall
-License:        Apache-2.0 and GPL-2.0
+License:        Apache-2.0
 Group:          Productivity/Networking/Web/Servers
 %description
@ -61,44 +70,81 @@ as an Apache Web server module or standalone, the purpose of
 ModSecurity is to increase web application security, protecting web
 applications from known and unknown attacks.
 The modsecurity team also offer a commercial version of their excellent
 ruleset. Please have a look at http://www.modsecurity.org/ for more details.
 %prep
 %setup -n %{tarballname}
-tar -xvjpf %{S:2}
+%setup -D -T -a 1 -n %{tarballname}
 mv -v SpiderLabs* rules
 bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman}
 bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq}
 %patch0
 #%patch1
 #%patch2
 %build
-#pushd %{apache}
+# aclocal only works with never distributions,
-  ./configure
+%if 0%{?suse_version} >= 1310
-  make %{?_smp_mflags}
+aclocal
-#  make -C mlogc-src/
+# on older versions only autoconf is called.
-#popd
+%else
 autoreconf -fi
 %endif
 automake
 ./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
 CFLAGS="%{optflags}" make %{?_smp_mflags}
 %install
 pushd %{apache}
-  install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
+  install -d -m 0755 %{buildroot}%{apache_libexecdir}
  install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
 popd
-  install -D -m 0755 mlogc/mlogc               %{buildroot}%{_sbindir}/mlogc
+install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
-  install -D -m 0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl
+install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
-  install -D -m 0640 mlogc/mlogc-default.conf  %{buildroot}%{_sysconfdir}/mlogc.conf
+install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
-  cp mlogc/INSTALL mlogc/INSTALL.mlogc
+install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d
-install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
+cp -a %{SOURCE6} doc
-mkdir examples
+install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc
-cp -a tools examples
+install -m 0644 %{SOURCE5} doc
-rm -f examples/tools/M*
+install -d -m 0755 %{buildroot}/%{usrsharedir}
-chmod 644 examples/tools/*
+install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
 install -d -m 0755 %{buildroot}/%{usrsharedir}
 rm -f rules/.gitignore rules/LICENSE
 cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
 cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools
 find rules -type f -print0 | \
  xargs -0 chmod 644
 cp -a rules %{buildroot}/%{usrsharedir}
 rm -rf %{buildroot}/%{usrsharedir}/rules/util
 rm -rf %{buildroot}/%{usrsharedir}/rules/lua
 rm -f %{buildroot}/%{usrsharedir}/rules/READM*
 rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG
 mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
  %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf
 %clean
 %{__rm} -rf %{buildroot};
 %{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman}
 %files
 %defattr(-, root, root, 0755)
 %{apache_libexecdir}/%{modname}.so
 %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
-%doc doc/Reference_Manual.html
+%dir %{apache_sysconfdir}/mod_security2.d
-%doc README.TXT CHANGES LICENSE modsecurity.conf-recommended
+%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
-%doc mlogc/INSTALL.mlogc mlogc/mlogc-default.conf
+%{apache_sysconfdir}/mod_security2.d/empty.conf
-%doc examples/
+%dir %{usrsharedir}
-%doc rules/
+#%dir %{usrsharedir}/tools
-%{_sbindir}/mlogc
+#%dir %{usrsharedir}/rules
-%{_sbindir}/mlogc-batch-load.pl
+%doc README.TXT CHANGES LICENSE NOTICE authors.txt
-%config(noreplace) %{_sysconfdir}/mlogc.conf
+%{usrsharedir}
 #%{usrsharedir}/rules/activated_rules
 #%{usrsharedir}/rules/base_rules
 #%{usrsharedir}/rules/experimental_rules
 #%{usrsharedir}/rules/optional_rules
 #%{usrsharedir}/rules/slr_rules
 %doc doc/* rules/util/regression-tests
 %changelog
--- a/empty.conf
+++ b/empty.conf
@ -0,0 +1,4 @@
 # This configuration file has been intentionally left empty to avoid errors
 # resulting from an Include statement that matches no files.
 # (IncludeOptional is available for apache > 2.4)
 #
--- a/mod_security2.conf
+++ b/mod_security2.conf
@ -1,60 +1,293 @@
 # Dear administrator/webmaster,
 #
 # Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
 # the configuration of mod_security2.
 # Please read this text down to line 63 for information about activation
 # and configuration of the mod_security2 apache module.
 #
 # To activate mod_security2, its apache module must be configured to be
 # loaded when apache starts. The mod_security2 apache module depends on 
 # the module mod_unique_id to be able to run. This means that both apache
 # modules must be activated/loaded when apache starts.
 # Change the configuration to load these two modules by adding the two
 # module names "security2" and "unique_id" to the variable APACHE_MODULES
 # in /etc/sysconfig/apache2 . You can do that manually, or use the tools
 # a2enmod (enable apache module) and a2dismod (disable apache module). 
 # These two tools expect the name of the module without the leading 
 # "mod_" as an argument!
 #
 # note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
 # start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then 
 # visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
 # script.
 #
 # example for the use of a2enmod/a2dismod:
 #
 # a2enmod security2		# enable module security2
 # a2enmod unique_id		# enable module unique_id
 #
 # a2dismod security2		# disable
 # a2dismod unique_id		# %
 #
 # This file /etc/apache2/conf.d/mod_security2.conf makes some basic
 # configuration settings, then loads
 #   /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
 # which is the baseline for the rules that can be loaded later.
 #
 # Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
 # For the rules you wish to apply, place a symlink to the rules file there.
 #
 # About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9
 # is contained in this package, a splendid set of rules made to provide for a
 # decent basic and even advanced protection. The rules files are contained
 # in the directory /usr/share/apache2-mod_security2/rules/.
 #
 # Example (use all of the basic rules that come with the package):
 #
 # cd /etc/apache2/mod_security2.d
 # for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
 #   ln -s $i .
 # done
 #
 # At last, simply restart apache:
 #   rcapache2 restart
 #
 # In doubt, please consult the valuable online documentation on the project's
 # website, which is the authoritative source for documentation.
 # For offline reading, the webpages for the Reference Guide and the FAQ are
 # located in the package's documentation directory, in the state of 2013/01:
 # /usr/share/doc/packages/apache2-mod_security2
 #
 # Roman Drahtmueller <draht@suse.de>, SUSE, 20140610.
 #
 <IfModule mod_security2.c>
 	# Basic configuration options
 	SecRuleEngine On
 	SecRequestBodyAccess On
 	SecResponseBodyAccess Off
-	# Handling of file uploads
+# -- Rule engine initialization ----------------------------------------------
 	# TODO Choose a folder private to Apache.
 	# SecUploadDir /opt/apache-frontend/tmp/
 	SecUploadKeepFiles Off
-	# Debug log
+# Enable ModSecurity, attaching it to every transaction. Use detection
-	SecDebugLog /var/log/apache2/modsec_debug.log
+# only to start with, because that minimises the chances of post-installation
-	SecDebugLogLevel 0
+# disruption.
 #
 SecRuleEngine DetectionOnly
 	# Serial audit log
 	SecAuditEngine RelevantOnly
 	SecAuditLogRelevantStatus ^5
 	SecAuditLogParts ABIFHZ
 	SecAuditLogType Serial
 	SecAuditLog /var/log/apache2/modsec_audit.log
-	# Maximum request body size we will
+# -- Request body handling ---------------------------------------------------
 	# accept for buffering
 	SecRequestBodyLimit 131072
-	# Store up to 128 KB in memory
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
-	SecRequestBodyInMemoryLimit 131072
+# won't be able to see any POST parameters, which opens a large security
 # hole for attackers to exploit.
 #
 SecRequestBodyAccess On
 	# Buffer response bodies of up to
 	# 512 KB in length
 	SecResponseBodyLimit 524288
-	# Verify that we've correctly processed the request body.
+# Enable XML request body parser.
-	# As a rule of thumb, when failing to process a request body
+# Initiate XML Processor in case of xml content-type
-	# you should reject the request (when deployed in blocking mode)
+#
-	# or log a high-severity alert (when deployed in detection-only mode).
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
 	# By default be strict with what we accept in the multipart/form-data
 	# request body. If the rule below proves to be too strict for your
 	# environment consider changing it to detection-only. You are encouraged
 	# _not_ to remove it altogether.
 	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
 	"phase:2,t:none,log,deny,msg:'Multipart request body \
 	failed strict validation: \
 	PE %{REQBODY_PROCESSOR_ERROR}, \
 	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
 	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
 	DB %{MULTIPART_DATA_BEFORE}, \
 	DA %{MULTIPART_DATA_AFTER}, \
 	HF %{MULTIPART_HEADER_FOLDING}, \
 	LF %{MULTIPART_LF_LINE}, \
 	SM %{MULTIPART_SEMICOLON_MISSING}'"
-	# Did we see anything that might be a boundary?
+# Maximum request body size we will accept for buffering. If you support
-	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+# file uploads then the value given on the first line has to be as large
-	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+# as the largest file you are willing to accept. The second value refers
 # to the size of data, with files excluded. You want to keep that value as
 # low as practical.
 #
 SecRequestBodyLimit 13107200
 SecRequestBodyNoFilesLimit 131072
 # Store up to 128 KB of request body data in memory. When the multipart
 # parser reachers this limit, it will start using your hard disk for
 # storage. That is slow, but unavoidable.
 #
 SecRequestBodyInMemoryLimit 131072
 # What do do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial
 # when SecRuleEngine is set to DetectionOnly mode in order to minimize
 # disruptions when initially deploying ModSecurity.
 #
 SecRequestBodyLimitAction Reject
 # Verify that we've correctly processed the request body.
 # As a rule of thumb, when failing to process a request body
 # you should reject the request (when deployed in blocking mode)
 # or log a high-severity alert (when deployed in detection-only mode).
 #
 SecRule REQBODY_ERROR "!@eq 0" \
 "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
 # By default be strict with what we accept in the multipart/form-data
 # request body. If the rule below proves to be too strict for your
 # environment consider changing it to detection-only. You are encouraged
 # _not_ to remove it altogether.
 #
 SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
 "id:'200002',phase:2,t:none,log,deny,status:44, \
 msg:'Multipart request body failed strict validation: \
 PE %{REQBODY_PROCESSOR_ERROR}, \
 BQ %{MULTIPART_BOUNDARY_QUOTED}, \
 BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
 DB %{MULTIPART_DATA_BEFORE}, \
 DA %{MULTIPART_DATA_AFTER}, \
 HF %{MULTIPART_HEADER_FOLDING}, \
 LF %{MULTIPART_LF_LINE}, \
 SM %{MULTIPART_MISSING_SEMICOLON}, \
 IQ %{MULTIPART_INVALID_QUOTING}, \
 IP %{MULTIPART_INVALID_PART}, \
 IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
 FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 # Did we see anything that might be a boundary?
 #
 SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
 "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
 # PCRE Tuning
 # We want to avoid a potential RegEx DoS condition
 #
 SecPcreMatchLimit 1000
 SecPcreMatchLimitRecursion 1000
 # Some internal errors will set flags in TX and we will need to look for these.
 # All of these are prefixed with "MSC_".  The following flags currently exist:
 #
 # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
 #
 SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 # -- Response body handling --------------------------------------------------
 # Allow ModSecurity to access response bodies. 
 # You should have this directive enabled in order to identify errors
 # and data leakage issues.
 # 
 # Do keep in mind that enabling this directive does increases both
 # memory consumption and response latency.
 #
 SecResponseBodyAccess On
 # Which response MIME types do you want to inspect? You should adjust the
 # configuration below to catch documents but avoid static files
 # (e.g., images and archives).
 #
 SecResponseBodyMimeType text/plain text/html text/xml
 # Buffer response bodies of up to 512 KB in length.
 SecResponseBodyLimit 524288
 # What happens when we encounter a response body larger than the configured
 # limit? By default, we process what we have and let the rest through.
 # That's somewhat less secure, but does not break any legitimate pages.
 #
 SecResponseBodyLimitAction ProcessPartial
 # -- Filesystem configuration ------------------------------------------------
 # The location where ModSecurity stores temporary files (for example, when
 # it needs to handle a file upload that is larger than the configured limit).
 # 
 # This default setting is chosen due to all systems have /tmp available however, 
 # this is less than ideal. It is recommended that you specify a location that's private.
 #
 SecTmpDir /tmp/
 # The location where ModSecurity will keep its persistent data.  This default setting 
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
 SecDataDir /tmp/
 # -- File uploads handling configuration -------------------------------------
 # The location where ModSecurity stores intercepted uploaded files. This
 # location must be private to ModSecurity. You don't want other users on
 # the server to access the files, do you?
 #
 #SecUploadDir /opt/modsecurity/var/upload/
 # By default, only keep the files that were determined to be unusual
 # in some way (by an external inspection script). For this to work you
 # will also need at least one file inspection rule.
 #
 #SecUploadKeepFiles RelevantOnly
 # Uploaded files are by default created with permissions that do not allow
 # any other user to access them. You may need to relax that if you want to
 # interface ModSecurity to an external program (e.g., an anti-virus).
 #
 #SecUploadFileMode 0600
 # -- Debug log configuration -------------------------------------------------
 # The default debug log configuration is to duplicate the error, warning
 # and notice messages from the error log.
 #
 #SecDebugLog /var/log/apache2/modsec_debug.log
 #SecDebugLogLevel 3
 # -- Audit log configuration -------------------------------------------------
 # Log the transactions that are marked by a rule, as well as those that
 # trigger a server error (determined by a 5xx or 4xx, excluding 404,  
 # level response status codes).
 #
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 # Log everything we know about a transaction.
 SecAuditLogParts ABIJDEFHZ
 # Use a single file for logging. This is much easier to look at, but
 # assumes that you will use the audit log only ocassionally.
 #
 SecAuditLogType Serial
 SecAuditLog /var/log/apache2/modsec_audit.log
 # Specify the path for concurrent audit logging.
 #SecAuditLogStorageDir /opt/modsecurity/var/audit/
 # -- Miscellaneous -----------------------------------------------------------
 # Use the most commonly used application/x-www-form-urlencoded parameter
 # separator. There's probably only one application somewhere that uses
 # something else so don't expect to change this value.
 #
 SecArgumentSeparator &
 # Settle on version 0 (zero) cookies, as that is what most applications
 # use. Using an incorrect cookie version may open your installation to
 # evasion attacks (against the rules that examine named cookies).
 #
 SecCookieFormat 0
 # Specify your Unicode Code Point.
 # This mapping is used by the t:urlDecodeUni transformation function
 # to properly map encoded data to your language. Properly setting
 # these directives helps to reduce false positives and negatives.
 #
 #SecUnicodeCodePage 20127
 #SecUnicodeMapFile unicode.mapping
 Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
 # as set up with symlinks for files that are placed here:
 Include /etc/apache2/mod_security2.d/*.conf
 </IfModule>
--- a/modsecurity-2.8.0.tar.gz
+++ b/modsecurity-2.8.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5cbbc7fc993d39106b653213753d25c4ec21771eee17b01b69122ccf3f73460e
 size 3940357
--- a/modsecurity-apache_2.6.7.tar.gz
+++ b/modsecurity-apache_2.6.7.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:3fa05e2be9e8a6e99747defe0df35ace99ba44683afef5205819db9706c03f29
 size 785852
--- a/modsecurity_diagram_apache_request_cycle.jpg
+++ b/modsecurity_diagram_apache_request_cycle.jpg
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:4366e727c511bccbf56ec646dd0961c65c8054fdc235ab26e06e3faf08052f6d
 size 46799
--- a/rules.tar.bz2
+++ b/rules.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5b025dd7e2fc74aebf4bbf671ef238325737cc8a5da9e1eda6c9f739d5d2226b
 size 33001