forked from pool/apache2-mod_security2
43623123c6
Use correct source Url OBS-URL: https://build.opensuse.org/request/show/214773 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=43
166 lines
6.7 KiB
Plaintext
166 lines
6.7 KiB
Plaintext
-------------------------------------------------------------------
|
|
Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de
|
|
|
|
- Use correct source Url
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de
|
|
|
|
- complete overhaul of this package, with update to 2.7.5.
|
|
- ruleset update to 2.2.8-0-g0f07cbb.
|
|
- new configuration framework private to mod_security2:
|
|
/etc/apache2/conf.d/mod_security2.conf loads
|
|
/usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
|
|
then /etc/apache2/mod_security2.d/*.conf , as set up based on
|
|
advice in /etc/apache2/conf.d/mod_security2.conf
|
|
Your configuration starting point is
|
|
/etc/apache2/conf.d/mod_security2.conf
|
|
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
|
|
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
|
|
linker parameter, preventing rpath in shared object.
|
|
- fixes contained for the following bugs:
|
|
* CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
|
|
* [bnc#768293] multi-part bypass, minor threat
|
|
* CVE-2013-1915 [bnc#813190] XML external entity vulnerability
|
|
* CVE-2012-4528 [bnc#789393] rule bypass
|
|
* CVE-2013-2765 [bnc#822664] null pointer dereference crash
|
|
- new from 2.5.9 to 2.7.5, only major changes:
|
|
* GPLv2 replaced by Apache License v2
|
|
* rules are not part of the source tarball any longer, but
|
|
maintaned upstream externally, and included in this package.
|
|
* documentation was externalized to a wiki. Package contains
|
|
the FAQ and the reference manual in html form.
|
|
* renamed the term "Encryption" in directives that actually refer
|
|
to hashes. See CHANGES file for more details.
|
|
* new directive SecXmlExternalEntity, default off
|
|
* byte conversion issues on s390x when logging fixed.
|
|
* many small issues fixed that were discovered by a Coverity scanner
|
|
* updated reference manual
|
|
* wrong time calculation when logging for some timezones fixed.
|
|
* replaced time-measuring mechanism with finer granularity for
|
|
measured request/answer phases. (Stopwatch remains for compat.)
|
|
* cookie parser memory leak fix
|
|
* parsing of quoted strings in multipart Content-Disposition
|
|
headers fixed.
|
|
* SDBM deadlock fix
|
|
* @rsub memory leak fix
|
|
* cookie separator code improvements
|
|
* build failure fixes
|
|
* compile time option --enable-htaccess-config (set)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com
|
|
|
|
- license update: Apache-2.0 and GPL-2.0
|
|
Many of the files in the rules/ subdirectory are GPL-2.0 licensed
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 6 20:59:45 UTC 2012 - crrodriguez@opensuse.org
|
|
|
|
- Update to version 2.6.7, fixes build in apache 2.4
|
|
- Update spec file macros.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Sep 17 11:20:39 UTC 2011 - jengelh@medozas.de
|
|
|
|
- Remove redundant tags/sections from specfile
|
|
- Use %_smp_mflags for parallel build
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jul 6 04:33:49 CEST 2011 - draht@suse.de
|
|
|
|
- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
|
|
- SecUnicodeCodePage and SecUnicodeMapFile directives added
|
|
- fixed bug: SecRequestBodyLimit was truncating the real request
|
|
body
|
|
additional fixes from 2.6.0:
|
|
- buffering filter problems fixed
|
|
- memory leak fix when using MATCHED_VAR_NAMES
|
|
- SecWriteStateLimit added against slow DoS
|
|
additional fixes from 2.6.0 release candidates:
|
|
- optimizations
|
|
- bug in logging code fixed
|
|
- cleanup
|
|
- google safe browsing support
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de
|
|
|
|
- update to version 2.5.9
|
|
- Fixed parsing multipart content with a missing part header name
|
|
which would crash Apache. Discovered by "Internet Security
|
|
Auditors" (isecauditors.com).
|
|
- Added ability to specify the config script directly using
|
|
--with-apr and --with-apu.
|
|
- Added macro expansion for append/prepend action.
|
|
- Fixed race condition in concurrent updates of persistent
|
|
counters. Updates are now atomic.
|
|
- Cleaned up build, adding an option for verbose configure output
|
|
and making the mlogc build more portable.
|
|
- additional changes from 2.5.8
|
|
- Fixed PDF XSS issue where a non-GET request for a PDF file
|
|
would crash the Apache httpd process. Discovered by Steve
|
|
Grubb at Red Hat.
|
|
- Removed an invalid "Internal error: Issuing "%s" for
|
|
unspecified error." message that was logged when denying with
|
|
nolog/noauditlog set and causing the request to be audited.
|
|
- additional changes from 2.5.7
|
|
- Fixed XML DTD/Schema validation which will now fail after
|
|
request body processing errors, even if the XML parser returns
|
|
a document tree.
|
|
- Added ctl:forceRequestBodyVariable=on|off which, when enabled,
|
|
will force the REQUEST_BODY variable to be set when a request
|
|
body processor is not set. Previously the REQUEST_BODY target
|
|
was only populated by the URLENCODED request body processor.
|
|
- Integrated mlogc source.
|
|
- Fixed logging the hostname in the error_log which was logging
|
|
the request hostname instead of the Apache resolved hostname.
|
|
- Allow for disabling request body limit checks in phase:1.
|
|
- Added transformations for processing parity for legacy
|
|
protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
|
|
t:parityZero7bit
|
|
- Added t:cssDecode transformation to decode CSS escapes.
|
|
- Now log XML parsing/validation warnings and errors to be in the
|
|
debug log at levels 3 and 4, respectivly.
|
|
- build and package mlogc
|
|
- remove --with-apxs from the configure args as it breaks the build
|
|
configure now finds our apxs2
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 23 16:56:55 CET 2009 - skh@suse.de
|
|
|
|
- fix broken config [bnc#457200]
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de
|
|
|
|
- update to version 2.5.6
|
|
- initial submit to FACTORY
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 12 05:25:07 CEST 2008 - jg@internetx.de
|
|
|
|
-update to 2.1.7
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 3 05:44:12 CEST 2008 - jg@internetx.de
|
|
|
|
-update to 2.1.6
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 8 05:36:42 CEST 2007 - mrueckert@suse.de
|
|
|
|
- update to 2.1.2
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Apr 16 10:34:05 CEST 2007 - mrueckert@suse.de
|
|
|
|
- update to 2.1.1
|
|
- switched to perl based patching instead of cmdline params for make
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 22 08:31:51 CEST 2006 - poeml@suse.de
|
|
|
|
- fix build (./install was vanished)
|
|
|