- update to 2.9.7:
* Fix: FILES_TMP_CONTENT may sometimes lack complete content
* Support configurable limit on number of arguments processed
* Silence compiler warning about discarded const
* Support for JIT option for PCRE2
* Use uid for user if apr_uid_name_get() fails
* Fix: handle error with SecConnReadStateLimit configuration
* Only check for pcre2 install if required
* Adjustment of previous fix for log messages
* Mark apache error log messages as from mod_security2
* Use pkg-config to find libxml2 first
* Support for PCRE2 in mlogc
* Support for PCRE2
* Adjust parser activation rules in modsecurity.conf-recommended
* Multipart parsing fixes and new MULTIPART_PART_HEADERS
collection
* Limit rsub null termination to where necessary
* IIS: Update dependencies for next planned release
* XML parser cleanup: NULL duplicate pointer
* Properly cleanup XML parser contexts upon completion
* Fix memory leak in streams
* Fix: negative usec on log line when data type long is 32b
* mlogc log-line parsing fails due to enhanced timestamp
* Allow no-key, single-value JSON body
* Set SecStatusEngine Off in modsecurity.conf-recommended
* Fix memory leak that occurs on JSON parsing error
* Multipart names/filenames may include single quote if double-quote
enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-
OBS-URL: https://build.opensuse.org/request/show/1098838
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=87
- Update to 2.9.4:
* Add microsec timestamp resolution to the formatted log timestamp
* Added missing Geo Countries
* Store temporaries in the request pool for regexes compiled per-request.
* Fix other usage of the global pool for request temporaries in re_operators.c
* Adds a sanity check before using ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
* Fix the order of error_msg validation
* When the input filter finishes, check whether we returned data
* fix: take care of non-null-terminated chunk data
* Fix for apr_global_mutex_create() crashes with mod_security
* Fix inet addr handling on 64 bit big endian systems
- Run spec-cleaner
- Remove if/else for older version of SUSE distribution
OBS-URL: https://build.opensuse.org/request/show/907282
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=85
- update to 2.9.2
* release notes
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2
* refresh apache2-mod_security2-no_rpath.diff
* remove apache2-mod_security2-lua-5.3.patch that was applied
upstream
- remove outdated html pages and diagram (they can be accessed
online at https://github.com/SpiderLabs/ModSecurity/wiki)
* Reference-Manual.html.bz2
* ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
* modsecurity_diagram_apache_request_cycle.jpg
- don't pack the whole doc directory as it contains also Makefiles
or doxygen configuration files
- disable mlogc as we don't pack it and it also can't be built for
curl <=7.34
- add basic and regression test suite (but disabled for now)
* add apache2-mod_security2_tests_conf.patch for apache2
configuration file used for tests that was trying to load
mpm_worker_module (it's static for our apache2 package)
* add "BuildRequires: perl-libwww-perl" needed for the test suite
OBS-URL: https://build.opensuse.org/request/show/556963
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=75
- spec, build: Respect optflags
- spec: buildrequire pkgconfig
- modsecurity-fixes.patch: mod_security fails at:
* building with optflags enabled due to undefined behaviour
and implicit declarations.
* It abuses the apr_allocator API, creating one allocator
per request and then destroying it, flooding the system
with mmap(), munmap() requests; this is particularly nasty
with threaded MPMs. It should instead use the allocator
from the request pool.
OBS-URL: https://build.opensuse.org/request/show/287448
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=61
- Portability: provide /etc/apache2/mod_security2.d/empty.conf
to avoid a non-match of the file-glob in the Include statement
from /etc/apache2/conf.d/mod_security2.conf . This restores
the Include back from the IncludeOptional, which is not portable.
- Source URL set to (expanded)
https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
- Fixed spec file to work with older distribution versions.
Before openSUSE 13.1 aclocal doesn't work, instead autoreconf
has to be called.
- last changelog does not say that
apache2-mod_security2-libtool-fix.diff was obsoleted.
- BuildRequires: libtool missing
- apache2-mod_security2-libtool-fix.diff: initialize libtool.
- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
in autoconf m4 macros. Obsoletes patch
modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build
- OWASP rule set. [bnc#876878]
new in 2.8.0 (more complete changelog to add to last changelog):
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
now support white and suspicious list
OBS-URL: https://build.opensuse.org/request/show/246670
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=16
in autoconf m4 macros. Obsoletes patch
modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build
- OWASP rule set. [bnc#876878]
new in 2.8.0 (more complete changelog to add to last changelog):
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
now support white and suspicious list
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but
maintained upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains
the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer
to hashes. See CHANGES file for more details.
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for
measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition
headers fixed.
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=46