Merge branch 'master' into el6

Conflicts: .gitignore mod_security.conf mod_security.spec sources
2012-11-15 10:56:34 +01:00 · 2012-11-15 10:56:34 +01:00 · a4d02532a4
commit a4d02532a4
parent 516bd4be33 b4feb280b3
5 changed files with 169 additions and 86 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,11 @@
 modsecurity-apache_2.5.12.tar.gz
+<<<<<<< HEAD
 /modsecurity-apache_2.6.7.tar.gz
+=======
+/modsecurity-apache_2.5.13.tar.gz
+/modsecurity-apache_2.6.5.tar.gz
+/modsecurity-apache_2.6.6.tar.gz
+/modsecurity-apache_2.6.8.tar.gz
+/modsecurity-apache_2.7.0.tar.gz
+/modsecurity-apache_2.7.1.tar.gz
+>>>>>>> master
--- a/mod_security-fix-build-with-libxml29.patch
+++ b/mod_security-fix-build-with-libxml29.patch
@ -0,0 +1,82 @@
+--- apache2/msc_crypt.c.orig	2012-10-18 10:42:43.381000000 +0100
+++ apache2/msc_crypt.c	2012-10-18 10:46:52.442000000 +0100
+@@ -1079,6 +1079,70 @@
+ 
+     htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
+ 
+#ifdef  LIBXML2_NEW_BUFFER
+
+    if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) {
+
+        if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
+            xmlOutputBufferClose(output_buf);
+            xmlFreeDoc(msr->crypto_html_tree);
+            msr->of_stream_changed = 0;
+            return -1;
+        }
+
+        if(msr->stream_output_data != NULL) {
+            free(msr->stream_output_data);
+            msr->stream_output_data =  NULL;
+        }
+
+        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
+        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
+
+        if (msr->stream_output_data == NULL) {
+            xmlOutputBufferClose(output_buf);
+            xmlFreeDoc(msr->crypto_html_tree);
+            return -1;
+        }
+
+        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
+        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
+
+        if (msr->txcfg->debuglog_level >= 4)
+            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
+
+    } else {
+
+        if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
+            xmlOutputBufferClose(output_buf);
+            xmlFreeDoc(msr->crypto_html_tree);
+            msr->of_stream_changed = 0;
+            return -1;
+        }
+
+        if(msr->stream_output_data != NULL) {
+            free(msr->stream_output_data);
+            msr->stream_output_data =  NULL;
+        }
+
+        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
+        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
+
+        if (msr->stream_output_data == NULL) {
+            xmlOutputBufferClose(output_buf);
+            xmlFreeDoc(msr->crypto_html_tree);
+            return -1;
+        }
+
+        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
+        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
+
+        if (msr->txcfg->debuglog_level >= 4)
+            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
+
+    }
+
+#else
+
+     if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) {
+ 
+         if(output_buf->buffer == NULL || output_buf->buffer->use == 0)  {
+@@ -1139,6 +1203,8 @@
+ 
+     }
+ 
+#endif
+
+     xmlOutputBufferClose(output_buf);
+ 
+     content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length);
--- a/mod_security.conf
+++ b/mod_security.conf
@ -1,92 +1,57 @@
-
 LoadModule security2_module modules/mod_security2.so
 LoadModule unique_id_module modules/mod_unique_id.so

 <IfModule mod_security2.c>
-	# This is the ModSecurity Core Rules Set.
-
-	# Basic configuration goes in here
+    # ModSecurity Core Rules Set configuration
 	Include modsecurity.d/*.conf
 	Include modsecurity.d/activated_rules/*.conf
+    
+    # Default recommended configuration
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

-	# Additional items taken from new minimal modsecurity conf
-	# Basic configuration options
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess Off
-	
-	# Handling of file uploads
-	# TODO Choose a folder private to Apache.
-	# SecUploadDir /opt/apache-frontend/tmp/
-	SecUploadKeepFiles Off
-	SecUploadFileLimit 10
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

-	# Debug log
-	SecDebugLog /var/log/httpd/modsec_debug.log
-	SecDebugLogLevel 0
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000

-	# Audit log
-	SecAuditEngine RelevantOnly
-	SecAuditLogRelevantStatus ^5
-	SecAuditLogType Serial
-	SecAuditLogParts ABIFHZ
-	SecAuditLog /var/log/httpd/modsec_audit.log
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

-	# Alternative mlogc configuration
-	#SecAuditLogType Concurrent
-	#SecAuditLogParts ABIDEFGHZ
-	#SecAuditLogStorageDir /var/log/mlogc/data
-	#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
-
-	# Set Data Directory
-	SecDataDir /var/log/httpd/
-
-	# Maximum request body size we will
-	# accept for buffering
-	SecRequestBodyLimit 131072
-
-	# Store up to 128 KB in memory
-	SecRequestBodyInMemoryLimit 131072
-
-	# Buffer response bodies of up to
-	# 512 KB in length
-	SecResponseBodyLimit 524288
-
-	# Verify that we've correctly processed the request body.
-	# As a rule of thumb, when failing to process a request body
-	# you should reject the request (when deployed in blocking mode)
-	# or log a high-severity alert (when deployed in detection-only mode).
-	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
-
-	# By default be strict with what we accept in the multipart/form-data
-	# request body. If the rule below proves to be too strict for your
-	# environment consider changing it to detection-only. You are encouraged
-	# _not_ to remove it altogether.
-	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart request body \
-	failed strict validation: \
-	PE %{REQBODY_PROCESSOR_ERROR}, \
-	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-	DB %{MULTIPART_DATA_BEFORE}, \
-	DA %{MULTIPART_DATA_AFTER}, \
-	HF %{MULTIPART_HEADER_FOLDING}, \
-	LF %{MULTIPART_LF_LINE}, \
-	SM %{MULTIPART_SEMICOLON_MISSING}, \
-	IQ %{MULTIPART_INVALID_QUOTING}, \
-	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-	
-	# Did we see anything that might be a boundary?
-	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-	
-	# Some internal errors will set flags in TX and we will need to look for these.
-	# All of these are prefixed with "MSC_".  The following flags currently exist:
-	#
-	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-	#
-	SecRule TX:/^MSC_/ "!@streq 0" \
-	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecDebugLogLevel 0
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
 </IfModule>
--- a/mod_security.spec
+++ b/mod_security.spec
@ -7,16 +7,15 @@

 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 2.6.7
-Release: 2%{?dist}
+Version: 2.7.1
+Release: 3%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
-Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
+Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 %description
 ModSecurity is an open source intrusion detection and prevention engine
@ -66,6 +65,7 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
 # 2.2-style
 install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
 %endif
+install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}

 # mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc
@ -74,6 +74,7 @@ install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
 install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf

+
 %clean
 rm -rf %{buildroot}

@ -87,6 +88,7 @@ rm -rf %{buildroot}
 %endif
 %dir %{_sysconfdir}/httpd/modsecurity.d
 %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
+%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}

 %files -n mlogc
 %defattr (-,root,root)
@ -98,8 +100,33 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{_bindir}/mlogc-batch-load

 %changelog
+* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3
+- Add some missing directives RHBZ #569360
+- Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
+  (RHBZ #867424, #867773, #867774)
+
+* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-2
+- Fix mod_security.conf
+
+* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-1
+- Update to 2.7.1
+- Remove libxml2 build patch (upstreamed)
+- Update spec since upstream moved to github
+
+* Thu Oct 18 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-2
+- Add a patch to fix failed build against libxml2 >= 2.9.0
+
+* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
+- Update to 2.7.0
+
+* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
+- Update to 2.6.8
+
 * Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
 - Re-add mlogc sub-package for epel (#856525)
+ 
+* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
+- Update to 2.6.7

 * Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
 - Update to 2.6.7
--- a/2
+++ b/2
@ -1 +1 @@
-b3ffc5886f7126d012b60e1d5c6b0a1f  modsecurity-apache_2.6.7.tar.gz
+dbd30b714abe831098993213f30c1b96  modsecurity-apache_2.7.1.tar.gz