Accepting request 246670 from Apache:Modules

- Portability: provide /etc/apache2/mod_security2.d/empty.conf
  to avoid a non-match of the file-glob in the Include statement
  from /etc/apache2/conf.d/mod_security2.conf . This restores
  the Include back from the IncludeOptional, which is not portable.
- Source URL set to (expanded)
  https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

- Fixed spec file to work with older distribution versions.
  Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
  has to be called.

- last changelog does not say that 
  apache2-mod_security2-libtool-fix.diff was obsoleted.

- BuildRequires: libtool missing

- apache2-mod_security2-libtool-fix.diff: initialize libtool.

- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
  in autoconf m4 macros. Obsoletes patch
  modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
  BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build

- OWASP rule set. [bnc#876878]
  new in 2.8.0 (more complete changelog to add to last changelog):
  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
    now support white and suspicious list

OBS-URL: https://build.opensuse.org/request/show/246670
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=16

.gitattributes

@@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+modsecurity_diagram_apache_request_cycle.jpg filter=lfs diff=lfs merge=lfs -text

ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bab5e208e8c2aa4beeb799a4d05bceb3eb44846e75565b32b483fb5fb32023a7
+size 11838

README-SUSE-mod_security2.txt

@@ -0,0 +1,13 @@
+
+#
+# Dear Administrator,
+#
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Your starting point for the configuration of mod_security2 is
+# /etc/apache2/conf.d/mod_security2.conf .
+# Please see that file for comments on how to activate the module
+# and on how to assign rules.
+#
+

Reference-Manual.html.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160af986e97bafad2cdbd58469115102068eff3b2f2f246f559adf7256d0dcf8
+size 60381

SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bae3ef19925168a3b8ef9663bc9ed677cc6ca2fdbdbdd6111653c1b2991e24e3
+size 280011

apache2-mod_security2-no_rpath.diff

@@ -0,0 +1,324 @@
+diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.am ./apache2/Makefile.am
+--- ../modsecurity-2.8.0-o/apache2/Makefile.am	2014-04-15 14:44:04.000000000 +0200
++++ ./apache2/Makefile.am	2014-06-16 16:17:44.000000000 +0200
+@@ -73,61 +73,61 @@
+     @APXS_LDFLAGS@ \
+     @LIBXML2_LDFLAGS@ \
+     @LUA_LDFLAGS@ \
+     @PCRE_LDFLAGS@ \
+     @YAJL_LDFLAGS@
+ endif
+ 
+ if MACOSX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+     @APR_LDFLAGS@ \
+     @APU_LDFLAGS@ \
+     @APXS_LDFLAGS@ \
+     @LIBXML2_LDFLAGS@ \
+     @LUA_LDFLAGS@ \
+     @PCRE_LDFLAGS@ \
+     @YAJL_LDFLAGS@
+ endif
+ 
+ if SOLARIS
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+     @APR_LDFLAGS@ \
+     @APU_LDFLAGS@ \
+     @APXS_LDFLAGS@ \
+     @LIBXML2_LDFLAGS@ \
+     @LUA_LDFLAGS@ \
+     @PCRE_LDFLAGS@ \
+     @YAJL_LDFLAGS@
+ endif
+ 
+ if LINUX
+-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+     @APR_LDFLAGS@ \
+     @APU_LDFLAGS@ \
+     @APXS_LDFLAGS@ \
+     @LIBXML2_LDFLAGS@ \
+     @LUA_LDFLAGS@ \
+     @PCRE_LDFLAGS@ \
+     @YAJL_LDFLAGS@
+ endif
+ 
+ if FREEBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+     @APR_LDFLAGS@ \
+     @APU_LDFLAGS@ \
+     @APXS_LDFLAGS@ \
+     @LIBXML2_LDFLAGS@ \
+     @LUA_LDFLAGS@ \
+     @PCRE_LDFLAGS@ \
+     @YAJL_LDFLAGS@
+ endif
+ 
+ if OPENBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+     @APR_LDFLAGS@ \
+     @APU_LDFLAGS@ \
+     @APXS_LDFLAGS@ \
+     @LIBXML2_LDFLAGS@ \
+     @LUA_LDFLAGS@ \
+     @PCRE_LDFLAGS@ \
+     @YAJL_LDFLAGS@
+ endif
+diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.in ./apache2/Makefile.in
+--- ../modsecurity-2.8.0-o/apache2/Makefile.in	2014-04-15 14:44:14.000000000 +0200
++++ ./apache2/Makefile.in	2014-06-16 16:18:03.000000000 +0200
+@@ -600,61 +600,61 @@
+ 	  else :; fi; \
+ 	done; \
+ 	test -z "$$list2" || { \
+ 	  echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \
+ 	  $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \
+ 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \
+ 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \
+ 	}
+ 
+ uninstall-pkglibLTLIBRARIES:
+ 	@$(NORMAL_UNINSTALL)
+ 	@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
+ 	for p in $$list; do \
+ 	  $(am__strip_dir) \
+ 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \
+ 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \
+ 	done
+ 
+ clean-pkglibLTLIBRARIES:
+ 	-test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
+ 	@list='$(pkglib_LTLIBRARIES)'; \
+ 	locs=`for p in $$list; do echo $$p; done | \
+ 	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ 	      sort -u`; \
+ 	test -z "$$locs" || { \
+ 	  echo rm -f $${locs}; \
+ 	  rm -f $${locs}; \
+ 	}
+ 
+ mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES) 
+-	$(AM_V_CCLD)$(mod_security2_la_LINK) -rpath $(pkglibdir) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
++	$(AM_V_CCLD)$(mod_security2_la_LINK) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS)
+ 
+ mostlyclean-compile:
+ 	-rm -f *.$(OBJEXT)
+ 
+ distclean-compile:
+ 	-rm -f *.tab.c
+ 
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-acmp.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_config.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_io.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_util.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_html5.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_sqli.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_xss.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-mod_security2.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-modsecurity.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_crypt.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_geo.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_gsb.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_json.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_logging.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_lua.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_multipart.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_parsers.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_pcre.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_release.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_reqbody.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_status_engine.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_tree.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_unicode.Plo@am__quote@
+diff -rNU 30 ../modsecurity-2.8.0-o/build/libtool.m4 ./build/libtool.m4
+--- ../modsecurity-2.8.0-o/build/libtool.m4	2014-04-15 14:44:04.000000000 +0200
++++ ./build/libtool.m4	2014-06-16 16:16:39.000000000 +0200
+@@ -4661,61 +4661,61 @@
+   if test "$with_gnu_ld" = yes; then
+     case $host_os in
+       aix*)
+ 	# The AIX port of GNU ld has always aspired to compatibility
+ 	# with the native linker.  However, as the warning in the GNU ld
+ 	# block says, versions before 2.19.5* couldn't really create working
+ 	# shared libraries, regardless of the interface used.
+ 	case `$LD -v 2>&1` in
+ 	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+ 	  *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
+ 	  *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
+ 	  *)
+ 	    lt_use_gnu_ld_interface=yes
+ 	    ;;
+ 	esac
+ 	;;
+       *)
+ 	lt_use_gnu_ld_interface=yes
+ 	;;
+     esac
+   fi
+ 
+   if test "$lt_use_gnu_ld_interface" = yes; then
+     # If archive_cmds runs LD, not CC, wlarc should be empty
+     wlarc='${wl}'
+ 
+     # Set some defaults for GNU ld with shared library support. These
+     # are reset later if shared libraries are not supported. Putting them
+     # here allows them to be overridden if necessary.
+     runpath_var=LD_RUN_PATH
+-    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
++    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+     _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+     # ancient GNU ld didn't support --whole-archive et. al.
+     if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+       _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+     else
+       _LT_TAGVAR(whole_archive_flag_spec, $1)=
+     fi
+     supports_anon_versioning=no
+     case `$LD -v 2>&1` in
+       *GNU\ gold*) supports_anon_versioning=yes ;;
+       *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+       *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+       *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+       *\ 2.11.*) ;; # other 2.11 versions
+       *) supports_anon_versioning=yes ;;
+     esac
+ 
+     # See if GNU ld supports shared libraries.
+     case $host_os in
+     aix[[3-9]]*)
+       # On AIX/PPC, the GNU linker is very broken
+       if test "$host_cpu" != ia64; then
+ 	_LT_TAGVAR(ld_shlibs, $1)=no
+ 	cat <<_LT_EOF 1>&2
+ 
+ *** Warning: the GNU linker, at least up to release 2.19, is reported
+ *** to be unable to reliably create shared libraries on AIX.
+ *** Therefore, libtool is disabling shared libraries support.  If you
+ *** really care for shared libraries, you may want to install binutils
+ *** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+@@ -4897,61 +4897,61 @@
+ _LT_EOF
+       elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+ 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+       else
+ 	_LT_TAGVAR(ld_shlibs, $1)=no
+       fi
+       ;;
+ 
+     sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+       case `$LD -v 2>&1` in
+         *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+ 	_LT_TAGVAR(ld_shlibs, $1)=no
+ 	cat <<_LT_EOF 1>&2
+ 
+ *** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+ *** reliably create shared libraries on SCO systems.  Therefore, libtool
+ *** is disabling shared libraries support.  We urge you to upgrade GNU
+ *** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+ *** your PATH or compiler configuration so that the native linker is
+ *** used, and then restart.
+ 
+ _LT_EOF
+ 	;;
+ 	*)
+ 	  # For security reasons, it is highly recommended that you always
+ 	  # use absolute paths for naming shared libraries, and exclude the
+ 	  # DT_RUNPATH tag from executables and libraries.  But doing so
+ 	  # requires that you compile everything twice, which is a pain.
+ 	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
++	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ 	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ 	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ 	  else
+ 	    _LT_TAGVAR(ld_shlibs, $1)=no
+ 	  fi
+ 	;;
+       esac
+       ;;
+ 
+     sunos4*)
+       _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+       wlarc=
+       _LT_TAGVAR(hardcode_direct, $1)=yes
+       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+       ;;
+ 
+     *)
+       if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+ 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+       else
+ 	_LT_TAGVAR(ld_shlibs, $1)=no
+       fi
+       ;;
+     esac
+ 
+     if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then
+       runpath_var=
+       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+       _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+@@ -5907,61 +5907,61 @@
+   else
+     $as_unset lt_cv_path_LD
+   fi
+   test -z "${LDCXX+set}" || LD=$LDCXX
+   CC=${CXX-"c++"}
+   CFLAGS=$CXXFLAGS
+   compiler=$CC
+   _LT_TAGVAR(compiler, $1)=$CC
+   _LT_CC_BASENAME([$compiler])
+ 
+   if test -n "$compiler"; then
+     # We don't want -fno-exception when compiling C++ code, so set the
+     # no_builtin_flag separately
+     if test "$GXX" = yes; then
+       _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+     else
+       _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+     fi
+ 
+     if test "$GXX" = yes; then
+       # Set up default GNU C++ configuration
+ 
+       LT_PATH_LD
+ 
+       # Check if GNU C++ uses GNU ld as the underlying linker, since the
+       # archiving commands below assume that GNU ld is being used.
+       if test "$with_gnu_ld" = yes; then
+         _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+         _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ 
+-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
++        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+         _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ 
+         # If archive_cmds runs LD, not CC, wlarc should be empty
+         # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+         #     investigate it a little bit more. (MM)
+         wlarc='${wl}'
+ 
+         # ancient GNU ld didn't support --whole-archive et. al.
+         if eval "`$CC -print-prog-name=ld` --help 2>&1" |
+ 	  $GREP 'no-whole-archive' > /dev/null; then
+           _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+         else
+           _LT_TAGVAR(whole_archive_flag_spec, $1)=
+         fi
+       else
+         with_gnu_ld=no
+         wlarc=
+ 
+         # A generic and very simple default shared library creation
+         # command for GNU C++ for the case where it uses the native
+         # linker, instead of GNU ld.  If possible, this setting should
+         # overridden to take advantage of the native linker features on
+         # the platform it is being used on.
+         _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+       fi
+ 
+       # Commands to make compiler produce verbose output that lists
+       # what "hidden" libraries, object files and flags are used when
+       # linking a shared library.
+       output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'

apache2-mod_security2.changes

@@ -1,3 +1,138 @@
+-------------------------------------------------------------------
+Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de
+
+- Portability: provide /etc/apache2/mod_security2.d/empty.conf
+  to avoid a non-match of the file-glob in the Include statement
+  from /etc/apache2/conf.d/mod_security2.conf . This restores
+  the Include back from the IncludeOptional, which is not portable.
+- Source URL set to (expanded)
+  https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
+
+-------------------------------------------------------------------
+Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de
+
+- Fixed spec file to work with older distribution versions.
+  Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
+  has to be called.
+
+-------------------------------------------------------------------
+Mon Jul  7 14:06:19 CEST 2014 - draht@suse.de
+
+- last changelog does not say that 
+  apache2-mod_security2-libtool-fix.diff was obsoleted.
+
+-------------------------------------------------------------------
+Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de
+
+- BuildRequires: libtool missing
+
+-------------------------------------------------------------------
+Mon Jun 16 18:17:26 CEST 2014 - draht@suse.de
+
+- apache2-mod_security2-libtool-fix.diff: initialize libtool.
+
+-------------------------------------------------------------------
+Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de
+
+- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
+  in autoconf m4 macros. Obsoletes patch
+  modsecurity-apache_2.8.0-build_fix_pcre.diff
+- use automake for build, add autoconf and automake to
+  BuildRequires:. This fix is combined with [bnc#876878].
+- turn on --enable-htaccess-config
+- use %{?_smp_mflags} for build
+
+-------------------------------------------------------------------
+Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de
+
+- OWASP rule set. [bnc#876878]
+  new in 2.8.0 (more complete changelog to add to last changelog):
+  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
+    now support white and suspicious list
+  * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
+  * GPLv2 replaced by Apache License v2
+  * rules are not part of the source tarball any longer, but
+    maintaned upstream externally, and included in this package.
+  * documentation was externalized to a wiki. Package contains
+    the FAQ and the reference manual in html form.
+  * renamed the term "Encryption" in directives that actually refer
+    to hashes. See CHANGES file for more details.
+  * byte conversion issues on s390x when logging fixed.
+  * many small issues fixed that were discovered by a Coverity scanner
+  * updated reference manual
+  * wrong time calculation when logging for some timezones fixed.
+  * replaced time-measuring mechanism with finer granularity for
+    measured request/answer phases. (Stopwatch remains for compat.)
+  * cookie parser memory leak fix
+  * parsing of quoted strings in multipart Content-Disposition
+    headers fixed.
+
+-------------------------------------------------------------------
+Thu May  1 05:06:15 UTC 2014 - thomas.worm@sicsec.de
+
+- Raised to version 2.8.0. 
+- updated patches:
+  * modsecurity-apache_2.8.0-build_fix_pcre.diff
+    -> modsecurity-apache_2.7.7-build_fix_pcre.diff
+
+-------------------------------------------------------------------
+Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de
+
+ - Raised to version 2.7.7.
+ - modified patches:
+  * modsecurity-apache_2.7.5-build_fix_pcre.diff,
+    renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff.
+
+-------------------------------------------------------------------
+Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de
+
+- Use correct source Url
+
+-------------------------------------------------------------------
+Fri Aug  2 14:18:39 CEST 2013 - draht@suse.de
+
+- complete overhaul of this package, with update to 2.7.5.
+- ruleset update to 2.2.8-0-g0f07cbb.
+- new configuration framework private to mod_security2:
+  /etc/apache2/conf.d/mod_security2.conf loads
+  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
+  then /etc/apache2/mod_security2.d/*.conf , as set up based on
+  advice in /etc/apache2/conf.d/mod_security2.conf
+  Your configuration starting point is
+  /etc/apache2/conf.d/mod_security2.conf
+- !!! Please note that mod_unique_id is needed for mod_security2 to run!
+- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
+  linker parameter, preventing rpath in shared object.
+- fixes contained for the following bugs:
+  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
+  * [bnc#768293] multi-part bypass, minor threat
+  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
+  * CVE-2012-4528 [bnc#789393] rule bypass
+  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
+- new from 2.5.9 to 2.7.5, only major changes:
+  * GPLv2 replaced by Apache License v2
+  * rules are not part of the source tarball any longer, but
+    maintaned upstream externally, and included in this package.
+  * documentation was externalized to a wiki. Package contains
+    the FAQ and the reference manual in html form.
+  * renamed the term "Encryption" in directives that actually refer
+    to hashes. See CHANGES file for more details.
+  * new directive SecXmlExternalEntity, default off
+  * byte conversion issues on s390x when logging fixed.
+  * many small issues fixed that were discovered by a Coverity scanner
+  * updated reference manual
+  * wrong time calculation when logging for some timezones fixed.
+  * replaced time-measuring mechanism with finer granularity for
+    measured request/answer phases. (Stopwatch remains for compat.)
+  * cookie parser memory leak fix
+  * parsing of quoted strings in multipart Content-Disposition
+    headers fixed.
+  * SDBM deadlock fix
+  * @rsub memory leak fix
+  * cookie separator code improvements
+  * build failure fixes
+  * compile time option --enable-htaccess-config (set)
+
 -------------------------------------------------------------------
 Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com
 

apache2-mod_security2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,41 +17,50 @@
 
 
 Name:           apache2-mod_security2
-Version:        2.6.7
-Release:        0
-%define aversion 2.6.7
+Version:        2.8.0
+Release:        0.1
 #
 #
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  apache2-devel
 BuildRequires:  apache2-prefork
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  c++_compiler
-BuildRequires:  curl-devel
+BuildRequires:  libcurl-devel
+BuildRequires:  libtool
 BuildRequires:  libxml2-devel
+BuildRequires:  lua-devel
 BuildRequires:  pcre-devel
 %define apache        apache2
 %define modname       mod_security2
-%define tarballname   modsecurity-apache_%{aversion}
+%define tarballname   modsecurity-%{version}
 #
-
-%{!?apxs: %global apxs /usr/sbin/apxs2}
-%{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)}
-%{!?apache_sysconfdir: %global apache_sysconfdir %(%{apxs} -q SYSCONFDIR)}  
-%{!?apache_includedir: %global apache_includedir %(%{apxs} -q INCLUDEDIR)}
-%{!?apache_serveroot: %global apache_serverroot %(%{apxs} -q PREFIX)}
-%{!?apache_localstatedir: %global apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)}
-%{!?apache_mmn: %global apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)}
-
+%define apxs              %{_sbindir}/apxs2
+%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
+%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
+%define apache_mmn       %(MMN=$(%{apxs} -q LIBEXECDIR)/MMN; test -x $MMN && $MMN)
+%define usrsharedir %{_prefix}/share/%{name}
+%define refman Reference-Manual.html
+%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html
+%if 0%{?apache_mmn}
 Requires:       %{apache_mmn}
+%endif
 Requires:       apache2
 #
 Url:            http://www.modsecurity.org/
-Source:         http://www.modsecurity.org/download/%{tarballname}.tar.gz
-Source1:        mod_security2.conf
-Source2:        rules.tar.bz2
+Source:         https://www.modsecurity.org/tarball/%{version}/%{tarballname}.tar.gz
+Source1:        https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
+Source2:        mod_security2.conf
+Source3:        %{refman}.bz2
+Source4:        %{faq}.bz2
+Source5:        modsecurity_diagram_apache_request_cycle.jpg
+Source6:        README-SUSE-mod_security2.txt
+Source7:        empty.conf
+Patch0:         apache2-mod_security2-no_rpath.diff
 #
 Summary:        ModSecurity Open Source Web Application Firewall
-License:        Apache-2.0 and GPL-2.0
+License:        Apache-2.0
 Group:          Productivity/Networking/Web/Servers
 
 %description
@@ -61,44 +70,81 @@ as an Apache Web server module or standalone, the purpose of
 ModSecurity is to increase web application security, protecting web
 applications from known and unknown attacks.
 
+The modsecurity team also offer a commercial version of their excellent
+ruleset. Please have a look at http://www.modsecurity.org/ for more details.
 
 
 %prep
 %setup -n %{tarballname}
-tar -xvjpf %{S:2}
+%setup -D -T -a 1 -n %{tarballname}
+mv -v SpiderLabs* rules
+bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman}
+bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq}
+%patch0
+#%patch1
+#%patch2
 
 %build
-#pushd %{apache}
-  ./configure
-  make %{?_smp_mflags}
-#  make -C mlogc-src/
-#popd
+# aclocal only works with never distributions,
+%if 0%{?suse_version} >= 1310
+aclocal
+# on older versions only autoconf is called.
+%else
+autoreconf -fi
+%endif
+automake
+./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
+CFLAGS="%{optflags}" make %{?_smp_mflags}
 
 %install
 pushd %{apache}
-  install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
+  install -d -m 0755 %{buildroot}%{apache_libexecdir}
+  install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
 popd
-  install -D -m 0755 mlogc/mlogc               %{buildroot}%{_sbindir}/mlogc
-  install -D -m 0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl
-  install -D -m 0640 mlogc/mlogc-default.conf  %{buildroot}%{_sysconfdir}/mlogc.conf
-  cp mlogc/INSTALL mlogc/INSTALL.mlogc
-install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
-mkdir examples
-cp -a tools examples
-rm -f examples/tools/M*
-chmod 644 examples/tools/*
+install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
+install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
+install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
+install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d
+cp -a %{SOURCE6} doc
+install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc
+install -m 0644 %{SOURCE5} doc
+install -d -m 0755 %{buildroot}/%{usrsharedir}
+install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
+install -d -m 0755 %{buildroot}/%{usrsharedir}
+rm -f rules/.gitignore rules/LICENSE
+cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
+cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools
+find rules -type f -print0 | \
+  xargs -0 chmod 644
+cp -a rules %{buildroot}/%{usrsharedir}
+rm -rf %{buildroot}/%{usrsharedir}/rules/util
+rm -rf %{buildroot}/%{usrsharedir}/rules/lua
+rm -f %{buildroot}/%{usrsharedir}/rules/READM*
+rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG
+mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
+  %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf
+
+%clean
+%{__rm} -rf %{buildroot};
+%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman}
 
 %files
 %defattr(-, root, root, 0755)
 %{apache_libexecdir}/%{modname}.so
 %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
-%doc doc/Reference_Manual.html
-%doc README.TXT CHANGES LICENSE modsecurity.conf-recommended
-%doc mlogc/INSTALL.mlogc mlogc/mlogc-default.conf
-%doc examples/
-%doc rules/
-%{_sbindir}/mlogc
-%{_sbindir}/mlogc-batch-load.pl
-%config(noreplace) %{_sysconfdir}/mlogc.conf
+%dir %{apache_sysconfdir}/mod_security2.d
+%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
+%{apache_sysconfdir}/mod_security2.d/empty.conf
+%dir %{usrsharedir}
+#%dir %{usrsharedir}/tools
+#%dir %{usrsharedir}/rules
+%doc README.TXT CHANGES LICENSE NOTICE authors.txt
+%{usrsharedir}
+#%{usrsharedir}/rules/activated_rules
+#%{usrsharedir}/rules/base_rules
+#%{usrsharedir}/rules/experimental_rules
+#%{usrsharedir}/rules/optional_rules
+#%{usrsharedir}/rules/slr_rules
+%doc doc/* rules/util/regression-tests
 
 %changelog

empty.conf

@@ -0,0 +1,4 @@
+# This configuration file has been intentionally left empty to avoid errors
+# resulting from an Include statement that matches no files.
+# (IncludeOptional is available for apache > 2.4)
+#

mod_security2.conf

@@ -1,60 +1,293 @@
+
+# Dear administrator/webmaster,
+#
+# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
+# the configuration of mod_security2.
+# Please read this text down to line 63 for information about activation
+# and configuration of the mod_security2 apache module.
+#
+# To activate mod_security2, its apache module must be configured to be
+# loaded when apache starts. The mod_security2 apache module depends on 
+# the module mod_unique_id to be able to run. This means that both apache
+# modules must be activated/loaded when apache starts.
+
+# Change the configuration to load these two modules by adding the two
+# module names "security2" and "unique_id" to the variable APACHE_MODULES
+# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
+# a2enmod (enable apache module) and a2dismod (disable apache module). 
+# These two tools expect the name of the module without the leading 
+# "mod_" as an argument!
+#
+# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
+# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then 
+# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
+# script.
+#
+# example for the use of a2enmod/a2dismod:
+#
+# a2enmod security2		# enable module security2
+# a2enmod unique_id		# enable module unique_id
+#
+# a2dismod security2		# disable
+# a2dismod unique_id		# %
+
+#
+# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
+# configuration settings, then loads
+#   /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
+# which is the baseline for the rules that can be loaded later.
+#
+# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
+# For the rules you wish to apply, place a symlink to the rules file there.
+#
+# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9
+# is contained in this package, a splendid set of rules made to provide for a
+# decent basic and even advanced protection. The rules files are contained
+# in the directory /usr/share/apache2-mod_security2/rules/.
+#
+# Example (use all of the basic rules that come with the package):
+#
+# cd /etc/apache2/mod_security2.d
+# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
+#   ln -s $i .
+# done
+#
+# At last, simply restart apache:
+#   rcapache2 restart
+#
+# In doubt, please consult the valuable online documentation on the project's
+# website, which is the authoritative source for documentation.
+# For offline reading, the webpages for the Reference Guide and the FAQ are
+# located in the package's documentation directory, in the state of 2013/01:
+# /usr/share/doc/packages/apache2-mod_security2
+#
+# Roman Drahtmueller <draht@suse.de>, SUSE, 20140610.
+#
+
+
+
 <IfModule mod_security2.c>
-	# Basic configuration options
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess Off
 
-	# Handling of file uploads
-	# TODO Choose a folder private to Apache.
-	# SecUploadDir /opt/apache-frontend/tmp/
-	SecUploadKeepFiles Off
+# -- Rule engine initialization ----------------------------------------------
 
-	# Debug log
-	SecDebugLog /var/log/apache2/modsec_debug.log
-	SecDebugLogLevel 0
+# Enable ModSecurity, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+SecRuleEngine DetectionOnly
 
-	# Serial audit log
-	SecAuditEngine RelevantOnly
-	SecAuditLogRelevantStatus ^5
-	SecAuditLogParts ABIFHZ
-	SecAuditLogType Serial
-	SecAuditLog /var/log/apache2/modsec_audit.log
 
-	# Maximum request body size we will
-	# accept for buffering
-	SecRequestBodyLimit 131072
+# -- Request body handling ---------------------------------------------------
 
-	# Store up to 128 KB in memory
-	SecRequestBodyInMemoryLimit 131072
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
 
-	# Buffer response bodies of up to
-	# 512 KB in length
-	SecResponseBodyLimit 524288
 
-	# Verify that we've correctly processed the request body.
-	# As a rule of thumb, when failing to process a request body
-	# you should reject the request (when deployed in blocking mode)
-	# or log a high-severity alert (when deployed in detection-only mode).
-	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+# Enable XML request body parser.
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 
-	# By default be strict with what we accept in the multipart/form-data
-	# request body. If the rule below proves to be too strict for your
-	# environment consider changing it to detection-only. You are encouraged
-	# _not_ to remove it altogether.
-	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart request body \
-	failed strict validation: \
-	PE %{REQBODY_PROCESSOR_ERROR}, \
-	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-	DB %{MULTIPART_DATA_BEFORE}, \
-	DA %{MULTIPART_DATA_AFTER}, \
-	HF %{MULTIPART_HEADER_FOLDING}, \
-	LF %{MULTIPART_LF_LINE}, \
-	SM %{MULTIPART_SEMICOLON_MISSING}'"
 
-	# Did we see anything that might be a boundary?
-	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# Store up to 128 KB of request body data in memory. When the multipart
+# parser reachers this limit, it will start using your hard disk for
+# storage. That is slow, but unavoidable.
+#
+SecRequestBodyInMemoryLimit 131072
+
+# What do do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying ModSecurity.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200002',phase:2,t:none,log,deny,status:44, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# PCRE Tuning
+# We want to avoid a potential RegEx DoS condition
+#
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_".  The following flags currently exist:
+#
+# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^MSC_/ "!@streq 0" \
+        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow ModSecurity to access response bodies. 
+# You should have this directive enabled in order to identify errors
+# and data leakage issues.
+# 
+# Do keep in mind that enabling this directive does increases both
+# memory consumption and response latency.
+#
+SecResponseBodyAccess On
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html text/xml
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where ModSecurity stores temporary files (for example, when
+# it needs to handle a file upload that is larger than the configured limit).
+# 
+# This default setting is chosen due to all systems have /tmp available however, 
+# this is less than ideal. It is recommended that you specify a location that's private.
+#
+SecTmpDir /tmp/
+
+# The location where ModSecurity will keep its persistent data.  This default setting 
+# is chosen due to all systems have /tmp available however, it
+# too should be updated to a place that other users can't access.
+#
+SecDataDir /tmp/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where ModSecurity stores intercepted uploaded files. This
+# location must be private to ModSecurity. You don't want other users on
+# the server to access the files, do you?
+#
+#SecUploadDir /opt/modsecurity/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+#SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface ModSecurity to an external program (e.g., an anti-virus).
+#
+#SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# The default debug log configuration is to duplicate the error, warning
+# and notice messages from the error log.
+#
+#SecDebugLog /var/log/apache2/modsec_debug.log
+#SecDebugLogLevel 3
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
+# level response status codes).
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABIJDEFHZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only ocassionally.
+#
+SecAuditLogType Serial
+SecAuditLog /var/log/apache2/modsec_audit.log
+
+# Specify the path for concurrent audit logging.
+#SecAuditLogStorageDir /opt/modsecurity/var/audit/
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencoded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0
+
+# Specify your Unicode Code Point.
+# This mapping is used by the t:urlDecodeUni transformation function
+# to properly map encoded data to your language. Properly setting
+# these directives helps to reduce false positives and negatives.
+#
+#SecUnicodeCodePage 20127
+#SecUnicodeMapFile unicode.mapping
+
+
+
+
+
+
+Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
+# as set up with symlinks for files that are placed here:
+Include /etc/apache2/mod_security2.d/*.conf
+
 </IfModule>

modsecurity-2.8.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5cbbc7fc993d39106b653213753d25c4ec21771eee17b01b69122ccf3f73460e
+size 3940357

modsecurity-apache_2.6.7.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3fa05e2be9e8a6e99747defe0df35ace99ba44683afef5205819db9706c03f29
-size 785852

modsecurity_diagram_apache_request_cycle.jpg

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4366e727c511bccbf56ec646dd0961c65c8054fdc235ab26e06e3faf08052f6d
+size 46799

rules.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5b025dd7e2fc74aebf4bbf671ef238325737cc8a5da9e1eda6c9f739d5d2226b
-size 33001