From 6955722d80f68fc039ac8f821806591f273b21b9 Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Thu, 8 Oct 2009 08:11:41 +0000 Subject: [PATCH 01/27] - Upgrade to 2.5.10 (with Core Rules v2) --- .cvsignore | 2 +- mod_security.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.cvsignore b/.cvsignore index c84aaa3..790cf40 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -modsecurity-apache_2.5.9.tar.gz +modsecurity-apache_2.5.10.tar.gz diff --git a/mod_security.spec b/mod_security.spec index 84a6454..dc4194b 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.5.9 -Release: 2%{?dist} +Version: 2.5.10 +Release: 1%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -54,6 +54,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/optional_rules/*.conf %changelog +* Thu Oct 8 2009 Michael Fleming - 2.5.10-1 +- Upgrade to 2.5.10 (with Core Rules v2) + * Sat Jul 25 2009 Fedora Release Engineering - 2.5.9-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild diff --git a/sources b/sources index 2f784ba..b896884 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b7bf44a7e041b49b0da5043495660375 modsecurity-apache_2.5.9.tar.gz +a049f858e297fb16579b5dbb0d5d692d modsecurity-apache_2.5.10.tar.gz From be8802154c73b8443b03d6a67f6c522bfd321f25 Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Fri, 6 Nov 2009 09:38:11 +0000 Subject: [PATCH 02/27] - Fix rules and Apache configuration (bz#533124) --- mod_security.conf | 27 ++------------------------- mod_security.spec | 12 ++++++++---- 2 files changed, 10 insertions(+), 29 deletions(-) diff --git a/mod_security.conf b/mod_security.conf index 5df0af7..cebcdf3 100644 --- a/mod_security.conf +++ b/mod_security.conf 
@@ -7,30 +7,7 @@ LoadModule unique_id_module modules/mod_unique_id.so # This is the ModSecurity Core Rules Set. # Basic configuration goes in here - Include modsecurity.d/modsecurity_crs_10_config.conf - - # Protocol violation and anomalies. - - Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf - Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf - - # HTTP policy rules - - Include modsecurity.d/modsecurity_crs_30_http_policy.conf - - # Here comes the Bad Stuff... - - Include modsecurity.d/modsecurity_crs_35_bad_robots.conf - Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf - Include modsecurity.d/modsecurity_crs_45_trojans.conf - Include modsecurity.d/modsecurity_crs_50_outbound.conf - - # Search engines and other crawlers. Only useful if you want to track - # Google / Yahoo et. al. - - # Include modsecurity.d/modsecurity_crs_55_marketing.conf - - # Put your local rules in here. - + Include modsecurity.d/*.conf + Include modsecurity.d/base_rules/*.conf Include modsecurity.d/modsecurity_localrules.conf diff --git a/mod_security.spec b/mod_security.spec index dc4194b..6cf7ed3 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.10 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons 
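Review bot: The new `Include modsecurity.d/*.conf` wildcard already matches `modsecurity_localrules.conf`, so the explicit `Include modsecurity.d/modsecurity_localrules.conf` kept two lines below loads the local rules a second time. The first load now happens before `base_rules/*.conf` instead of after it, and site exceptions that adjust the core rules need a predictable position relative to them. I would either keep the local file out of the wildcard's reach or drop the explicit line and record the order in a comment such as `# modsecurity.d/*.conf is read first; base_rules/*.conf follows`. The same double include is still present after PATCH 07/27 moves the explicit line to the end of the file.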
@@ -31,9 +31,8 @@ make %{_smp_mflags} mlogc rm -rf %{buildroot} install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf -install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/optional_rules/ -cp -r rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -cp -r rules/optional_rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/optional_rules/ +install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ +cp -r rules/ %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf install -Dp tools/mlogc %{buildroot}/%{_bindir}/mlogc install -D -m644 apache2/mlogc-src/mlogc-default.conf %{buildroot}/%{_sysconfdir}/mlogc.conf @@ -50,10 +49,15 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf %dir %{_sysconfdir}/httpd/modsecurity.d %dir %{_sysconfdir}/httpd/modsecurity.d/optional_rules +%dir %{_sysconfdir}/httpd/modsecurity.d/base_rules %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/optional_rules/*.conf +%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/base_rules/*.conf %changelog +* Fri Nov 6 2009 Michael Fleming - 2.5.10-2 +- Fix rules and Apache configuration (bz#533124) + * Thu Oct 8 2009 Michael Fleming - 2.5.10-1 - Upgrade to 2.5.10 (with Core Rules v2) From 6c93fdf6f4f29467839bff44eb9eebf1710b851f Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Sat, 7 Nov 2009 00:57:28 +0000 Subject: [PATCH 03/27] - Fix rules and Apache configuration (bz#533124) --- mod_security.spec | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mod_security.spec b/mod_security.spec index 6cf7ed3..40f258d 100644 --- a/mod_security.spec +++ b/mod_security.spec 
@@ -32,7 +32,9 @@ rm -rf %{buildroot} install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -cp -r rules/ %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ +install -D -m644 rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ +cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ +cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf install -Dp tools/mlogc %{buildroot}/%{_bindir}/mlogc install -D -m644 apache2/mlogc-src/mlogc-default.conf %{buildroot}/%{_sysconfdir}/mlogc.conf @@ -42,17 +44,15 @@ rm -rf %{buildroot} %files %defattr (-,root,root) -%doc CHANGES LICENSE README.* modsecurity* doc MODSECURITY_LICENSING_EXCEPTION +%doc rules/util CHANGES LICENSE README.* modsecurity* doc MODSECURITY_LICENSING_EXCEPTION %{_libdir}/httpd/modules/mod_security2.so %{_bindir}/mlogc %config(noreplace) %{_sysconfdir}/mlogc.conf %config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf %dir %{_sysconfdir}/httpd/modsecurity.d -%dir %{_sysconfdir}/httpd/modsecurity.d/optional_rules -%dir %{_sysconfdir}/httpd/modsecurity.d/base_rules +%{_sysconfdir}/httpd/modsecurity.d/optional_rules +%{_sysconfdir}/httpd/modsecurity.d/base_rules %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf -%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/optional_rules/*.conf -%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/base_rules/*.conf %changelog * Fri Nov 6 2009 Michael Fleming - 2.5.10-2 From 5d749f67f63124502ef6484eebdfd3a16d80c110 Mon Sep 17 00:00:00 2001 
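Review bot: Rule files under `base_rules` and `optional_rules` lose their `%config(noreplace)` status in the `%files` hunk, so RPM will overwrite local edits to them on every update without leaving a `.rpmsave` or `.rpmnew` copy. Any tuning made directly in those files, such as a disabled rule or an adjusted threshold, would then disappear silently. If that is intended, a spec comment like `# rule files are not %config; put overrides in modsecurity_localrules.conf` would make it explicit; otherwise keep the `%dir` entries plus the two glob lines. The `cp -R` lines in the first hunk also keep whatever file modes the tarball carries, unlike the `install -m644` used for the top-level `.conf` files.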
From: Bill Nottingham Date: Wed, 25 Nov 2009 23:18:55 +0000 Subject: [PATCH 04/27] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f411f6c..0518dbe 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ NAME := mod_security SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 7f3e5778e06f26374dc20a99adeaeaf5af44c818 Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Sat, 13 Feb 2010 10:27:03 +0000 Subject: [PATCH 05/27] - Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) --- .cvsignore | 2 +- mod_security.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.cvsignore b/.cvsignore index 790cf40..83ffc43 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -modsecurity-apache_2.5.10.tar.gz +modsecurity-apache_2.5.12.tar.gz diff --git a/mod_security.spec b/mod_security.spec index 40f258d..669fb1d 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.5.10 -Release: 2%{?dist} +Version: 2.5.12 +Release: 1%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons 
@@ -55,6 +55,10 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Sat Feb 13 2010 Michael Fleming - 2.5.12-1 +- Update to latest upstream release +- SECURITY: Fix potential rules bypass and denial of service (bz#563576) + * Fri Nov 6 2009 Michael Fleming - 2.5.10-2 - Fix rules and Apache configuration (bz#533124) diff --git a/sources b/sources index b896884..5745ecc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -a049f858e297fb16579b5dbb0d5d692d modsecurity-apache_2.5.10.tar.gz +f7d14b97bbe54ecb953125b0f9b87a24 modsecurity-apache_2.5.12.tar.gz From c50316f2698149cea63cd08510321495c6ce1a29 Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Thu, 29 Apr 2010 11:22:27 +0000 Subject: [PATCH 06/27] - Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) --- mod_security.conf | 80 +++++++++++++++++++++++++++++++++++++++++++++++ mod_security.spec | 5 ++- 2 files changed, 84 insertions(+), 1 deletion(-) diff --git a/mod_security.conf b/mod_security.conf index cebcdf3..ad67068 100644 --- a/mod_security.conf +++ b/mod_security.conf 
@@ -10,4 +10,84 @@ LoadModule unique_id_module modules/mod_unique_id.so Include modsecurity.d/*.conf Include modsecurity.d/base_rules/*.conf Include modsecurity.d/modsecurity_localrules.conf + + # Additional items taken from new minimal modsecurity conf + # Basic configuration options + SecRuleEngine On + SecRequestBodyAccess On + SecResponseBodyAccess Off + + # PCRE Tuning + SecPcreMatchLimit 1000 + SecPcreMatchLimitRecursion 1000 + + # Handling of file uploads + # TODO Choose a folder private to Apache. + # SecUploadDir /opt/apache-frontend/tmp/ + SecUploadKeepFiles Off + SecUploadFileLimit 10 + + # Debug log + SecDebugLog logs/modsec_debug.log + SecDebugLogLevel 0 + + # Serial audit log + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus ^5 + SecAuditLogParts ABIFHZ + SecAuditLogType Serial + SecAuditLog logs/modsec_audit.log + + # Set Data Directory + SecDataDir logs/ + + # Maximum request body size we will + # accept for buffering + SecRequestBodyLimit 131072 + + # Store up to 128 KB in memory + SecRequestBodyInMemoryLimit 131072 + + # Buffer response bodies of up to + # 512 KB in length + SecResponseBodyLimit 524288 + + # Verify that we've correctly processed the request body. + # As a rule of thumb, when failing to process a request body + # you should reject the request (when deployed in blocking mode) + # or log a high-severity alert (when deployed in detection-only mode). + SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \ + "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2" + + # By default be strict with what we accept in the multipart/form-data + # request body. If the rule below proves to be too strict for your + # environment consider changing it to detection-only. You are encouraged + # _not_ to remove it altogether. 
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "phase:2,t:none,log,deny,msg:'Multipart request body \ + failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_SEMICOLON_MISSING}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ + IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + + # Did we see anything that might be a boundary? + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" + + # Some internal errors will set flags in TX and we will need to look for these. + # All of these are prefixed with "MSC_". The following flags currently exist: + # + # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. + # + SecRule TX:/^MSC_/ "!@streq 0" \ + "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + diff --git a/mod_security.spec b/mod_security.spec index 669fb1d..b4f9365 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.12 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Thu Apr 29 2010 Michael Fleming - 2.5.12-2 +- Fix SecDatadir and minimal config per bz #569360 + * Sat Feb 13 2010 Michael Fleming - 2.5.12-1 - Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) From ab897d37166fe75d98c0893e0f381a02b5d57b80 Mon Sep 17 00:00:00 2001 
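Review bot: In the `MULTIPART_STRICT_ERROR` message the label `IH` is used twice, once for `%{MULTIPART_INVALID_HEADER_FOLDING}` and once for `%{MULTIPART_FILE_LIMIT_EXCEEDED}`, so an analyst reading the alert cannot tell from the label which check fired. A distinct label on the last entry, for example `FL %{MULTIPART_FILE_LIMIT_EXCEEDED}`, removes the ambiguity. Separately, `SecAuditLogParts ABIFHZ` includes part I (the request body), so `modsec_audit.log` can hold submitted credentials and other form data. A comment next to `SecAuditLog`, such as `# contains request bodies; keep this file non-world-readable`, would help whoever relocates the log.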
From: Michael Fleming Date: Wed, 30 Jun 2010 09:45:47 +0000 Subject: [PATCH 07/27] - Fix log dirs and files ordering per bz#569360 --- mod_security.conf | 10 ++++++---- mod_security.spec | 5 ++++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/mod_security.conf b/mod_security.conf index ad67068..b868f6b 100644 --- a/mod_security.conf +++ b/mod_security.conf @@ -9,7 +9,6 @@ LoadModule unique_id_module modules/mod_unique_id.so # Basic configuration goes in here Include modsecurity.d/*.conf Include modsecurity.d/base_rules/*.conf - Include modsecurity.d/modsecurity_localrules.conf # Additional items taken from new minimal modsecurity conf # Basic configuration options @@ -28,7 +27,7 @@ LoadModule unique_id_module modules/mod_unique_id.so SecUploadFileLimit 10 # Debug log - SecDebugLog logs/modsec_debug.log + SecDebugLog /var/log/httpd/modsec_debug.log SecDebugLogLevel 0 # Serial audit log @@ -36,10 +35,10 @@ LoadModule unique_id_module modules/mod_unique_id.so SecAuditLogRelevantStatus ^5 SecAuditLogParts ABIFHZ SecAuditLogType Serial - SecAuditLog logs/modsec_audit.log + SecAuditLog /var/log/httpd/modsec_audit.log # Set Data Directory - SecDataDir logs/ + SecDataDir /var/log/httpd/ # Maximum request body size we will # accept for buffering @@ -90,4 +89,7 @@ LoadModule unique_id_module modules/mod_unique_id.so SecRule TX:/^MSC_/ "!@streq 0" \ "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + # Local rules + Include modsecurity.d/modsecurity_localrules.conf + diff --git a/mod_security.spec b/mod_security.spec index b4f9365..4af73ed 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.12 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons 
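Review bot: `SecDataDir /var/log/httpd/` puts ModSecurity's persistent collection files in a directory the httpd worker user probably cannot write to. On Fedora `/var/log/httpd` is normally root-owned and closed to the `apache` user (worth confirming on the target release), so rules that depend on stored state such as per-client counters would presumably fail to persist it. A dedicated state directory created by the spec, e.g. `SecDataDir /path/to/state-dir` (placeholder) with a matching `%attr(0770,root,apache) %dir` entry, keeps that data apart from the logs and avoids any temptation to loosen permissions on the log directory.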
@@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Wed Jun 30 2010 Michael Fleming - 2.5.12-3 +- Fix log dirs and files ordering per bz#569360 + * Thu Apr 29 2010 Michael Fleming - 2.5.12-2 - Fix SecDatadir and minimal config per bz #569360 From b5a184d0edd4ed0cab4bef27df1e061a7bbcdec8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 03:34:44 +0000 Subject: [PATCH 08/27] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- 2 files changed, 21 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 0518dbe..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: mod_security -# $Id$ -NAME := mod_security -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) From d286070b04a52d2dd99a821b1144b5304e9aa163 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Tue, 8 Feb 2011 14:04:59 -0600 Subject: [PATCH 09/27] - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild --- mod_security.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/mod_security.spec b/mod_security.spec index 4af73ed..8aba7de 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.12 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Tue Feb 08 2011 Fedora Release Engineering - 2.5.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + * Wed Jun 30 2010 Michael Fleming - 2.5.12-3 - Fix log dirs and files ordering per bz#569360 From 58fe94cc671a06fc6dd39de92b51f7cf6b06fb52 Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Tue, 3 May 2011 20:01:43 +1000 Subject: [PATCH 10/27] Newer upstream version --- .gitignore | 1 + mod_security.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 83ffc43..63a2158 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ modsecurity-apache_2.5.12.tar.gz +/modsecurity-apache_2.5.13.tar.gz diff --git a/mod_security.spec b/mod_security.spec index 4af73ed..2ea64f4 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.5.12 -Release: 3%{?dist} +Version: 2.5.13 +Release: 1%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Wed May 3 2011 Michael Fleming - 2.5.13-1 +- Newer upstream version + * Wed Jun 30 2010 Michael Fleming - 2.5.12-3 - Fix log dirs and files ordering per bz#569360 diff --git a/sources b/sources index 5745ecc..7b5eaaa 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -f7d14b97bbe54ecb953125b0f9b87a24 modsecurity-apache_2.5.12.tar.gz +92b0ed7dec188650ea9d78dfc326e8ec modsecurity-apache_2.5.13.tar.gz From c22edeb7b884a26e4fed9c643a6bc9309de3881a Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Tue, 3 May 2011 20:06:38 +1000 Subject: [PATCH 11/27] Fix broken commit --- mod_security.spec | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/mod_security.spec b/mod_security.spec index 5aa3d24..2ea64f4 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,12 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -<<<<<<< HEAD Version: 2.5.13 Release: 1%{?dist} -======= -Version: 2.5.12 -Release: 4%{?dist} ->>>>>>> d286070b04a52d2dd99a821b1144b5304e9aa163 License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -60,13 +55,8 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog -<<<<<<< HEAD * Wed May 3 2011 Michael Fleming - 2.5.13-1 - Newer upstream version -======= -* Tue Feb 08 2011 Fedora Release Engineering - 2.5.12-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild ->>>>>>> d286070b04a52d2dd99a821b1144b5304e9aa163 * Wed Jun 30 2010 Michael Fleming - 2.5.12-3 - Fix log dirs and files ordering per bz#569360 From 8b994912e2f764a18790fbd131f9938bfcb88945 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 04:20:00 -0600 Subject: [PATCH 12/27] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- mod_security.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mod_security.spec b/mod_security.spec index 2ea64f4..5afb4fc 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.13 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons 
@@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Fri Jan 13 2012 Fedora Release Engineering - 2.5.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Wed May 3 2011 Michael Fleming - 2.5.13-1 - Newer upstream version From 8aa0522aa98a00f3faa6dd6debf674ba20b3c388 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Fri, 10 Feb 2012 14:54:23 +0100 Subject: [PATCH 13/27] Rebuild against PCRE 8.30 --- mod_security.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mod_security.spec b/mod_security.spec index 5afb4fc..3335cc5 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.13 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Fri Feb 10 2012 Petr Pisar - 2.5.13-3 +- Rebuild against PCRE 8.30 + * Fri Jan 13 2012 Fedora Release Engineering - 2.5.13-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild From b6be9fdc6290325cf2b39d58d3426752f1c3305b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Thu, 16 Feb 2012 16:29:25 +0100 Subject: [PATCH 14/27] Do not install non-existing files --- mod_security.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mod_security.spec b/mod_security.spec index 3335cc5..7cffd3f 100644 --- a/mod_security.spec +++ b/mod_security.spec 
@@ -32,7 +32,8 @@ rm -rf %{buildroot} install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -install -D -m644 rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ +test -e rules/*.conf && install -D -m644 rules/*.conf \ + %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf @@ -57,6 +58,7 @@ rm -rf %{buildroot} %changelog * Fri Feb 10 2012 Petr Pisar - 2.5.13-3 - Rebuild against PCRE 8.30 +- Do not install non-existing files * Fri Jan 13 2012 Fedora Release Engineering - 2.5.13-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild From d206ef54fbf07e7a1d0fbfbcad76c056d5dd64fa Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Mon, 7 May 2012 11:40:10 +0200 Subject: [PATCH 15/27] upgrade --- .gitignore | 1 + mod_security.conf | 23 ++++++-------- mod_security.spec | 78 +++++++++++++++++++++++++++++++---------------- sources | 2 +- 4 files changed, 63 insertions(+), 41 deletions(-) diff --git a/.gitignore b/.gitignore index 63a2158..e056704 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ modsecurity-apache_2.5.12.tar.gz /modsecurity-apache_2.5.13.tar.gz +/modsecurity-apache_2.6.5.tar.gz diff --git a/mod_security.conf b/mod_security.conf index b868f6b..7468a05 100644 --- a/mod_security.conf +++ b/mod_security.conf 
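Review bot: `test -e rules/*.conf` only works when the glob expands to exactly one path. With two or more matches `test` receives extra arguments and returns an error, the `&&` short-circuits, and no top-level `.conf` file is installed. Because the failure sits on the left side of an `&&` list, a build shell running with `-e` does not stop, so the package would build without those files and without any message. A loop handles zero, one or many matches: `for f in rules/*.conf; do if [ -e "$f" ]; then install -m644 "$f" %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/; fi; done`.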
@@ -1,14 +1,13 @@ -# Example configuration file for the mod_security Apache module LoadModule security2_module modules/mod_security2.so LoadModule unique_id_module modules/mod_unique_id.so # This is the ModSecurity Core Rules Set. - + # Basic configuration goes in here Include modsecurity.d/*.conf - Include modsecurity.d/base_rules/*.conf + Include modsecurity.d/activated_rules/*.conf # Additional items taken from new minimal modsecurity conf # Basic configuration options @@ -16,10 +15,6 @@ LoadModule unique_id_module modules/mod_unique_id.so SecRequestBodyAccess On SecResponseBodyAccess Off - # PCRE Tuning - SecPcreMatchLimit 1000 - SecPcreMatchLimitRecursion 1000 - # Handling of file uploads # TODO Choose a folder private to Apache. # SecUploadDir /opt/apache-frontend/tmp/ @@ -30,13 +25,19 @@ LoadModule unique_id_module modules/mod_unique_id.so SecDebugLog /var/log/httpd/modsec_debug.log SecDebugLogLevel 0 - # Serial audit log + # Audit log SecAuditEngine RelevantOnly SecAuditLogRelevantStatus ^5 - SecAuditLogParts ABIFHZ SecAuditLogType Serial + SecAuditLogParts ABIFHZ SecAuditLog /var/log/httpd/modsec_audit.log + # Alternative mlogc configuration + #SecAuditLogType Concurrent + #SecAuditLogParts ABIDEFGHZ + #SecAuditLogStorageDir /var/log/mlogc/data + #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf" + # Set Data Directory SecDataDir /var/log/httpd/ @@ -88,8 +89,4 @@ LoadModule unique_id_module modules/mod_unique_id.so # SecRule TX:/^MSC_/ "!@streq 0" \ "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" - - # Local rules - Include modsecurity.d/modsecurity_localrules.conf - diff --git a/mod_security.spec b/mod_security.spec index 7cffd3f..3da4886 100644 --- a/mod_security.spec +++ b/mod_security.spec 
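Review bot: Nothing in this package supplies rules for `Include modsecurity.d/activated_rules/*.conf` to load. The spec changes in the same commit create that directory empty (the changelog says the rules move to `mod_security_crs`), while `SecRuleEngine On` stays set. As far as the visible hunks show there is no `Requires:` on the rules package, so an updated system would keep loading the module but enforce only the few request-body checks defined inline in this file. I would say so at the top of the file, e.g. `# No detection rules ship with this package; install mod_security_crs or place your own rules in modsecurity.d/activated_rules/`. The removed `modsecurity_localrules.conf` include is still matched by `modsecurity.d/*.conf`, but the spec no longer installs that file.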
@@ -1,14 +1,12 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.5.13 -Release: 3%{?dist} -License: GPLv2 +Version: 2.6.5 +Release: 2%{?dist} +License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz Source1: mod_security.conf -Source2: modsecurity_localrules.conf -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing) BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel 
@@ -17,45 +15,71 @@ ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks. -%prep +%package -n mlogc +Summary: ModSecurity Audit Log Collector +Group: System Environment/Daemons +Requires: mod_security -%setup -n modsecurity-apache_%{version} +%description -n mlogc +This package contains the ModSecurity Audit Log Collector. + +%prep +%setup -q -n modsecurity-apache_%{version} %build -cd apache2 -%configure +%configure --enable-pcre-match-limit=1000000 --enable-pcre-match-limit-recursion=1000000 +# remove rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + make %{_smp_mflags} -make %{_smp_mflags} mlogc %install rm -rf %{buildroot} -install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so -install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf -install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -test -e rules/*.conf && install -D -m644 rules/*.conf \ - %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ -install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf -install -Dp tools/mlogc %{buildroot}/%{_bindir}/mlogc -install -D -m644 apache2/mlogc-src/mlogc-default.conf %{buildroot}/%{_sysconfdir}/mlogc.conf + +install -d %{buildroot}%{_sbindir} +install -d %{buildroot}%{_bindir} +install -d %{buildroot}%{_libdir}/httpd/modules +install -d %{buildroot}%{_sysconfdir}/httpd/conf.d/ +install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/ +install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules + +install -m0755 
apache2/.libs/mod_security2.so %{buildroot}%{_libdir}/httpd/modules/mod_security2.so +install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/httpd/conf.d/mod_security.conf + +# mlogc +install -d %{buildroot}%{_localstatedir}/log/mlogc +install -d %{buildroot}%{_localstatedir}/log/mlogc/data +install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc +install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load +install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf %clean rm -rf %{buildroot} %files -%defattr (-,root,root) -%doc rules/util CHANGES LICENSE README.* modsecurity* doc MODSECURITY_LICENSING_EXCEPTION +%doc CHANGES LICENSE README.TXT NOTICE %{_libdir}/httpd/modules/mod_security2.so -%{_bindir}/mlogc -%config(noreplace) %{_sysconfdir}/mlogc.conf %config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf %dir %{_sysconfdir}/httpd/modsecurity.d -%{_sysconfdir}/httpd/modsecurity.d/optional_rules -%{_sysconfdir}/httpd/modsecurity.d/base_rules -%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf +%dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules + +%files -n mlogc +%doc mlogc/INSTALL +%attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf +%attr(0755,root,root) %dir %{_localstatedir}/log/mlogc +%attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data +%attr(0755,root,root) %{_bindir}/mlogc +%attr(0755,root,root) %{_bindir}/mlogc-batch-load + %changelog +* Fri Apr 27 2012 Peter Vrabec 2.6.5-2 +- fix license tag + +* Thu Apr 05 2012 Peter Vrabec 2.6.5-1 +- upgrade & move rules into new package mod_security_crs + * Fri Feb 10 2012 Petr Pisar - 2.5.13-3 - Rebuild against PCRE 8.30 - Do not install non-existing files diff --git a/sources b/sources index 7b5eaaa..7a2b90e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -92b0ed7dec188650ea9d78dfc326e8ec modsecurity-apache_2.5.13.tar.gz +2e1c6456f0dacae7206021d0ae8674e1 modsecurity-apache_2.6.5.tar.gz 
From a03445667e6fef6f7e6793a0bbe3106c752c8467 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Mon, 7 May 2012 13:15:28 +0100 Subject: [PATCH 16/27] packaging fixes --- mod_security.spec | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/mod_security.spec b/mod_security.spec index 3da4886..74420e2 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,13 +1,20 @@ +%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}} +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} +%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} + Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.6.5 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz Source1: mod_security.conf -Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing) +Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel %description 
@@ -27,7 +34,9 @@ This package contains the ModSecurity Audit Log Collector. %setup -q -n modsecurity-apache_%{version} %build -%configure --enable-pcre-match-limit=1000000 --enable-pcre-match-limit-recursion=1000000 +%configure --enable-pcre-match-limit=1000000 \ + --enable-pcre-match-limit-recursion=1000000 \ + --with-apxs=%{_httpd_apxs} # remove rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool @@ -39,13 +48,23 @@ rm -rf %{buildroot} install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_bindir} -install -d %{buildroot}%{_libdir}/httpd/modules -install -d %{buildroot}%{_sysconfdir}/httpd/conf.d/ +install -d %{buildroot}%{_httpd_moddir} install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/ install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules -install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_libdir}/httpd/modules/mod_security2.so -install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/httpd/conf.d/mod_security.conf +install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_httpd_moddir}/mod_security2.so + +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +# 2.4-style +sed -n /^LoadModule/p %{SOURCE1} > 10-mod_security.conf +sed /LoadModule/d %{SOURCE1} > mod_security.conf +touch -r %{SOURCE1} *.conf +install -Dp -m0644 mod_security.conf %{buildroot}%{_httpd_confdir}/mod_security.conf +install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf +%else +# 2.2-style +install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf +%endif # mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc 
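Review bot: In the 2.4-style branch of `@@ -39,13 +48,23 @@` the two `sed` expressions do not select the same lines: the first keeps only lines matching `^LoadModule`, while the second deletes every line that contains `LoadModule` anywhere. If Source1 ever carries an indented `LoadModule` or a comment mentioning the directive, that line is removed from `mod_security.conf` without appearing in `10-mod_security.conf`, so the module could silently end up not loaded. Use one quoted, anchored pattern for both, e.g. `sed -n '/^[[:space:]]*LoadModule/p' %{SOURCE1} > 10-mod_security.conf` and `sed '/^[[:space:]]*LoadModule/d' %{SOURCE1} > mod_security.conf`.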
@@ -58,13 +77,18 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf rm -rf %{buildroot} %files +%defattr (-,root,root) %doc CHANGES LICENSE README.TXT NOTICE -%{_libdir}/httpd/modules/mod_security2.so -%config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf +%{_httpd_moddir}/mod_security2.so +%config(noreplace) %{_httpd_confdir}/*.conf +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +%config(noreplace) %{_httpd_modconfdir}/*.conf +%endif %dir %{_sysconfdir}/httpd/modsecurity.d %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules %files -n mlogc +%defattr (-,root,root) %doc mlogc/INSTALL %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc @@ -74,6 +98,9 @@ rm -rf %{buildroot} %changelog +* Mon May 7 2012 Joe Orton - 2.6.5-3 +- packaging fixes + * Fri Apr 27 2012 Peter Vrabec 2.6.5-2 - fix license tag From 06923313726d2b2acf3b9afd2a640c5aa11d86b7 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 21 Jun 2012 11:05:39 +0200 Subject: [PATCH 17/27] upgrade --- .gitignore | 1 + mod_security.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index e056704..d8c949c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ modsecurity-apache_2.5.12.tar.gz /modsecurity-apache_2.5.13.tar.gz /modsecurity-apache_2.6.5.tar.gz +/modsecurity-apache_2.6.6.tar.gz diff --git a/mod_security.spec b/mod_security.spec index 74420e2..c4ba1e5 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -7,8 +7,8 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.6.5 -Release: 3%{?dist} +Version: 2.6.6 +Release: 1%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -98,6 +98,9 @@ rm -rf %{buildroot} %changelog +* Thu Jun 21 2012 Peter Vrabec - 2.6.6-1 +- upgrade + * Mon May 7 2012 Joe Orton - 2.6.5-3 - packaging fixes 
diff --git a/sources b/sources index 7a2b90e..a905892 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2e1c6456f0dacae7206021d0ae8674e1 modsecurity-apache_2.6.5.tar.gz +bc2ebcf326589c67fb6b53f630768c4e modsecurity-apache_2.6.6.tar.gz From 0d2b8e68d761876090d3793ea631305621811c83 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Fri, 22 Jun 2012 10:31:25 +0200 Subject: [PATCH 18/27] mlogc subpackage is not provided on RHEL --- mod_security.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/mod_security.spec b/mod_security.spec index c4ba1e5..d8f3c09 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -8,7 +8,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.6.6 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -22,6 +22,7 @@ ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks. +%if 0%{?fedora} %package -n mlogc Summary: ModSecurity Audit Log Collector Group: System Environment/Daemons @@ -29,6 +30,7 @@ Requires: mod_security %description -n mlogc This package contains the ModSecurity Audit Log Collector. +%endif %prep %setup -q -n modsecurity-apache_%{version} @@ -66,12 +68,14 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_ install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf %endif +%if 0%{?fedora} # mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc/data install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf +%endif %clean rm -rf %{buildroot} 
@@ -87,6 +91,7 @@ rm -rf %{buildroot} %dir %{_sysconfdir}/httpd/modsecurity.d %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules +%if 0%{?fedora} %files -n mlogc %defattr (-,root,root) %doc mlogc/INSTALL @@ -95,9 +100,12 @@ rm -rf %{buildroot} %attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data %attr(0755,root,root) %{_bindir}/mlogc %attr(0755,root,root) %{_bindir}/mlogc-batch-load - +%endif %changelog +* Fri Jun 22 2012 Peter Vrabec - 2.6.6-2 +- mlogc subpackage is not provided on RHEL + * Thu Jun 21 2012 Peter Vrabec - 2.6.6-1 - upgrade From 55d1760abfa8062b94eaf5357d71d87da92aa517 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 19 Jul 2012 21:27:17 -0500 Subject: [PATCH 19/27] - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild --- mod_security.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mod_security.spec b/mod_security.spec index d8f3c09..c9f60ad 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -8,7 +8,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.6.6 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -103,6 +103,9 @@ rm -rf %{buildroot} %endif %changelog +* Fri Jul 20 2012 Fedora Release Engineering - 2.6.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + * Fri Jun 22 2012 Peter Vrabec - 2.6.6-2 - mlogc subpackage is not provided on RHEL From bf0a9aea7ad56ff3c56a048d212aa1ebea8d5a36 Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Wed, 29 Aug 2012 18:15:08 +0100 Subject: [PATCH 20/27] Update to 2.6.7 --- mod_security.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mod_security.spec b/mod_security.spec index c9f60ad..320f0af 100644 --- a/mod_security.spec +++ b/mod_security.spec 
@@ -7,8 +7,8 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.6.6 -Release: 3%{?dist} +Version: 2.6.7 +Release: 1%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -103,6 +103,9 @@ rm -rf %{buildroot} %endif %changelog +* Sat Aug 25 2012 Athmane Madjoudj 2.6.7-1 +- Update to 2.6.7 + * Fri Jul 20 2012 Fedora Release Engineering - 2.6.6-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild From 8c09e42a87b11606ebb306a7e59db180f0e0f65a Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Wed, 29 Aug 2012 18:23:02 +0100 Subject: [PATCH 21/27] Update to 2.6.7 (2) --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index a905892..1c74662 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -bc2ebcf326589c67fb6b53f630768c4e modsecurity-apache_2.6.6.tar.gz +b3ffc5886f7126d012b60e1d5c6b0a1f modsecurity-apache_2.6.7.tar.gz From 6abd27eb325e3aad31cbae49405df6e6ab12bcfe Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Fri, 28 Sep 2012 12:59:14 +0100 Subject: [PATCH 22/27] Update to 2.6.8 --- .gitignore | 1 + mod_security.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index d8c949c..91bf7d1 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ modsecurity-apache_2.5.12.tar.gz /modsecurity-apache_2.5.13.tar.gz /modsecurity-apache_2.6.5.tar.gz /modsecurity-apache_2.6.6.tar.gz +/modsecurity-apache_2.6.8.tar.gz diff --git a/mod_security.spec b/mod_security.spec index 320f0af..c8869f6 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -7,7 +7,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.6.7 +Version: 2.6.8 Release: 1%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ 
@@ -103,6 +103,9 @@ rm -rf %{buildroot} %endif %changelog +* Fri Sep 28 2012 Athmane Madjoudj 2.6.8-1 +- Update to 2.6.8 + * Sat Aug 25 2012 Athmane Madjoudj 2.6.7-1 - Update to 2.6.7 diff --git a/sources b/sources index 1c74662..8d5c6ea 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b3ffc5886f7126d012b60e1d5c6b0a1f modsecurity-apache_2.6.7.tar.gz +430449ab9ee906c464aa70b79f9c2230 modsecurity-apache_2.6.8.tar.gz From ea35d25a1739619c6237d49dd82a97db74b9fa8e Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Wed, 17 Oct 2012 16:05:36 +0100 Subject: [PATCH 23/27] Update to 2.7.0 --- .gitignore | 1 + mod_security.conf | 124 +++++++++++++++------------------------------- mod_security.spec | 17 ++++--- sources | 2 +- 4 files changed, 53 insertions(+), 91 deletions(-) diff --git a/.gitignore b/.gitignore index 91bf7d1..ac07cf2 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ modsecurity-apache_2.5.12.tar.gz /modsecurity-apache_2.6.5.tar.gz /modsecurity-apache_2.6.6.tar.gz /modsecurity-apache_2.6.8.tar.gz +/modsecurity-apache_2.7.0.tar.gz diff --git a/mod_security.conf b/mod_security.conf index 7468a05..092758b 100644 --- a/mod_security.conf +++ b/mod_security.conf 
@@ -1,92 +1,50 @@ - LoadModule security2_module modules/mod_security2.so LoadModule unique_id_module modules/mod_unique_id.so - # This is the ModSecurity Core Rules Set. + SecRuleEngine On + SecRequestBodyAccess On + SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + SecRequestBodyLimit 13107200 + SecRequestBodyNoFilesLimit 131072 + SecRequestBodyInMemoryLimit 131072 + SecRequestBodyLimitAction Reject + SecRule REQBODY_ERROR "!@eq 0" \ + "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \ + failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_MISSING_SEMICOLON}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IP %{MULTIPART_INVALID_PART}, \ + IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ + FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" - # Basic configuration goes in here - Include modsecurity.d/*.conf - Include modsecurity.d/activated_rules/*.conf + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" - # Additional items taken from new minimal modsecurity conf - # Basic configuration options - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess Off - - # Handling of file uploads - # TODO Choose a folder private to Apache. 
- # SecUploadDir /opt/apache-frontend/tmp/ - SecUploadKeepFiles Off - SecUploadFileLimit 10 + SecPcreMatchLimit 1000 + SecPcreMatchLimitRecursion 1000 - # Debug log - SecDebugLog /var/log/httpd/modsec_debug.log - SecDebugLogLevel 0 + SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" - # Audit log - SecAuditEngine RelevantOnly - SecAuditLogRelevantStatus ^5 - SecAuditLogType Serial - SecAuditLogParts ABIFHZ - SecAuditLog /var/log/httpd/modsec_audit.log - - # Alternative mlogc configuration - #SecAuditLogType Concurrent - #SecAuditLogParts ABIDEFGHZ - #SecAuditLogStorageDir /var/log/mlogc/data - #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf" - - # Set Data Directory - SecDataDir /var/log/httpd/ - - # Maximum request body size we will - # accept for buffering - SecRequestBodyLimit 131072 - - # Store up to 128 KB in memory - SecRequestBodyInMemoryLimit 131072 - - # Buffer response bodies of up to - # 512 KB in length - SecResponseBodyLimit 524288 - - # Verify that we've correctly processed the request body. - # As a rule of thumb, when failing to process a request body - # you should reject the request (when deployed in blocking mode) - # or log a high-severity alert (when deployed in detection-only mode). - SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2" - - # By default be strict with what we accept in the multipart/form-data - # request body. If the rule below proves to be too strict for your - # environment consider changing it to detection-only. You are encouraged - # _not_ to remove it altogether. 
- SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart request body \ - failed strict validation: \ - PE %{REQBODY_PROCESSOR_ERROR}, \ - BQ %{MULTIPART_BOUNDARY_QUOTED}, \ - BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ - DB %{MULTIPART_DATA_BEFORE}, \ - DA %{MULTIPART_DATA_AFTER}, \ - HF %{MULTIPART_HEADER_FOLDING}, \ - LF %{MULTIPART_LF_LINE}, \ - SM %{MULTIPART_SEMICOLON_MISSING}, \ - IQ %{MULTIPART_INVALID_QUOTING}, \ - IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ - IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'" - - # Did we see anything that might be a boundary? - SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" - - # Some internal errors will set flags in TX and we will need to look for these. - # All of these are prefixed with "MSC_". The following flags currently exist: - # - # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. - # - SecRule TX:/^MSC_/ "!@streq 0" \ - "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + SecResponseBodyAccess Off + SecDebugLog /var/log/httpd/modsec_debug.log + SecDebugLogLevel 0 + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus "^(?:5|4(?!04))" + SecAuditLogParts ABIJDEFHZ + SecAuditLogType Serial + SecAuditLog /var/log/httpd/modsec_audit.log + SecArgumentSeparator & + SecCookieFormat 0 diff --git a/mod_security.spec b/mod_security.spec index c8869f6..c0573c2 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -7,7 +7,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.6.8 +Version: 2.7.0 Release: 1%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ 
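Review bot: Rules 200002 and 200003 deny with `status:44`, which is not a valid HTTP status code, while the sibling body-parse rule 200001 uses `status:400`; this looks like a truncated 400 and should probably read `status:400` in both rules so a rejected multipart body gets a well-formed client-error response. Separately, `SecPcreMatchLimit 1000` and `SecPcreMatchLimitRecursion 1000` are far below the 1000000 that the spec passes to `%configure`, and rule 200004 denies whenever a `TX:MSC_*` flag is set, so a regex that hits the limit may become a blocked request; confirm these values against the rule set that will actually be loaded. The hunk also removes every explanatory comment of the old file, and a one-line comment per group (body limits, audit log, internal-error rule) would help whoever has to tune it.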
@@ -22,7 +22,6 @@ ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks. -%if 0%{?fedora} %package -n mlogc Summary: ModSecurity Audit Log Collector Group: System Environment/Daemons @@ -30,7 +29,6 @@ Requires: mod_security %description -n mlogc This package contains the ModSecurity Audit Log Collector. -%endif %prep %setup -q -n modsecurity-apache_%{version} @@ -68,14 +66,12 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_ install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf %endif -%if 0%{?fedora} # mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc/data install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf -%endif %clean rm -rf %{buildroot} @@ -91,7 +87,6 @@ rm -rf %{buildroot} %dir %{_sysconfdir}/httpd/modsecurity.d %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules -%if 0%{?fedora} %files -n mlogc %defattr (-,root,root) %doc mlogc/INSTALL @@ -100,12 +95,20 @@ rm -rf %{buildroot} %attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data %attr(0755,root,root) %{_bindir}/mlogc %attr(0755,root,root) %{_bindir}/mlogc-batch-load -%endif %changelog +* Wed Oct 17 2012 Athmane Madjoudj 2.7.0-1 +- Update to 2.7.0 + * Fri Sep 28 2012 Athmane Madjoudj 2.6.8-1 - Update to 2.6.8 +* Wed Sep 12 2012 Athmane Madjoudj 2.6.7-2 +- Re-add mlogc sub-package for epel (#856525) + +* Sat Aug 25 2012 Athmane Madjoudj 2.6.7-1 +- Update to 2.6.7 + * Sat Aug 25 2012 Athmane Madjoudj 2.6.7-1 - Update to 2.6.7 diff --git a/sources b/sources index 8d5c6ea..d4376ca 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -430449ab9ee906c464aa70b79f9c2230 modsecurity-apache_2.6.8.tar.gz +8e608bdc01a619219f35c6125f1d9860 modsecurity-apache_2.7.0.tar.gz From 77b343a0a3131575d7ea5d841faf394288e5b924 Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Thu, 18 Oct 2012 11:12:01 +0100 Subject: [PATCH 24/27] Add a patch to fix failed build against libxml2 >= 2.9.0 --- mod_security-fix-build-with-libxml29.patch | 82 ++++++++++++++++++++++ mod_security.spec | 9 ++- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 mod_security-fix-build-with-libxml29.patch diff --git a/mod_security-fix-build-with-libxml29.patch b/mod_security-fix-build-with-libxml29.patch new file mode 100644 index 0000000..f857e46 --- /dev/null +++ b/mod_security-fix-build-with-libxml29.patch 
@@ -0,0 +1,82 @@ +--- apache2/msc_crypt.c.orig 2012-10-18 10:42:43.381000000 +0100 ++++ apache2/msc_crypt.c 2012-10-18 10:46:52.442000000 +0100 +@@ -1079,6 +1079,70 @@ + + htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0); + ++#ifdef LIBXML2_NEW_BUFFER ++ ++ if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) { ++ ++ if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0) { ++ xmlOutputBufferClose(output_buf); ++ xmlFreeDoc(msr->crypto_html_tree); ++ msr->of_stream_changed = 0; ++ return -1; ++ } ++ ++ if(msr->stream_output_data != NULL) { ++ free(msr->stream_output_data); ++ msr->stream_output_data = NULL; ++ } ++ ++ msr->stream_output_length = xmlOutputBufferGetSize(output_buf); ++ msr->stream_output_data = (char *)malloc(msr->stream_output_length+1); ++ ++ if (msr->stream_output_data == NULL) { ++ xmlOutputBufferClose(output_buf); ++ xmlFreeDoc(msr->crypto_html_tree); ++ return -1; ++ } ++ ++ memset(msr->stream_output_data, 0x0, msr->stream_output_length+1); ++ memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length); ++ ++ if (msr->txcfg->debuglog_level >= 4) ++ msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf)); ++ ++ } else { ++ ++ if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0) { ++ xmlOutputBufferClose(output_buf); ++ xmlFreeDoc(msr->crypto_html_tree); ++ msr->of_stream_changed = 0; ++ return -1; ++ } ++ ++ if(msr->stream_output_data != NULL) { ++ free(msr->stream_output_data); ++ msr->stream_output_data = NULL; ++ } ++ ++ msr->stream_output_length = xmlOutputBufferGetSize(output_buf); ++ msr->stream_output_data = (char *)malloc(msr->stream_output_length+1); ++ ++ if (msr->stream_output_data == NULL) { ++ xmlOutputBufferClose(output_buf); ++ xmlFreeDoc(msr->crypto_html_tree); ++ return -1; ++ } ++ ++ 
memset(msr->stream_output_data, 0x0, msr->stream_output_length+1); ++ memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length); ++ ++ if (msr->txcfg->debuglog_level >= 4) ++ msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf)); ++ ++ } ++ ++#else ++ + if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) { + + if(output_buf->buffer == NULL || output_buf->buffer->use == 0) { +@@ -1139,6 +1203,8 @@ + + } + ++#endif ++ + xmlOutputBufferClose(output_buf); + + content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length); diff --git a/mod_security.spec b/mod_security.spec index c0573c2..2173ad0 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -8,7 +8,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.7.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -17,6 +17,9 @@ Source1: mod_security.conf Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel +# Reported to upstream +Patch0: mod_security-fix-build-with-libxml29.patch + %description ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting @@ -32,6 +35,7 @@ This package contains the ModSecurity Audit Log Collector. %prep %setup -q -n modsecurity-apache_%{version} +%patch0 -p0 %build %configure --enable-pcre-match-limit=1000000 \ @@ -97,6 +101,9 @@ rm -rf %{buildroot} %attr(0755,root,root) %{_bindir}/mlogc-batch-load %changelog +* Thu Oct 18 2012 Athmane Madjoudj 2.7.0-2 +- Add a patch to fix failed build against libxml2 >= 2.9.0 + * Wed Oct 17 2012 Athmane Madjoudj 2.7.0-1 - Update to 2.7.0 From 27a54356ee98faa38780d79f2b498d4e4b8fd1a2 Mon Sep 17 00:00:00 2001 
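Review bot: Both added `msr_log` calls in the `LIBXML2_NEW_BUFFER` branch print `xmlOutputBufferGetSize(output_buf)` with `%d`, but that function returns `size_t`, so the variadic argument does not match the specifier on 64-bit builds. The context line after the hunk already formats `msr->stream_output_length` with `APR_SIZE_T_FMT`, so the log call can do the same: `msr_log(msr, 4, "... [%" APR_SIZE_T_FMT "] bytes.", msr->stream_output_length);`. In the new `else` branch the inner test `output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0` can never be true given the outer condition, and both branches now copy from `xmlOutputBufferGetContent`, so they could be merged into one. A NULL check on the `xmlOutputBufferGetContent` result before the `memcpy` would also be prudent. The enclosing function starts and ends outside the hunk.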
From: Athmane Madjoudj Date: Thu, 15 Nov 2012 04:53:47 +0100 Subject: [PATCH 25/27] - Update to 2.7.1 - Remove libxml2 build patch (upstreamed) - Update spec since upstream moved to github --- .gitignore | 1 + mod_security.spec | 15 ++++++++------- sources | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index ac07cf2..1eab4d5 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ modsecurity-apache_2.5.12.tar.gz /modsecurity-apache_2.6.6.tar.gz /modsecurity-apache_2.6.8.tar.gz /modsecurity-apache_2.7.0.tar.gz +/modsecurity-apache_2.7.1.tar.gz diff --git a/mod_security.spec b/mod_security.spec index 2173ad0..3b25e39 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -7,19 +7,16 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.7.0 -Release: 2%{?dist} +Version: 2.7.1 +Release: 1%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons -Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz +Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz Source1: mod_security.conf Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel -# Reported to upstream -Patch0: mod_security-fix-build-with-libxml29.patch - %description ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting @@ -35,7 +32,6 @@ This package contains the ModSecurity Audit Log Collector. %prep %setup -q -n modsecurity-apache_%{version} -%patch0 -p0 %build %configure --enable-pcre-match-limit=1000000 \ 
@@ -101,6 +97,11 @@ rm -rf %{buildroot} %attr(0755,root,root) %{_bindir}/mlogc-batch-load %changelog +* Thu Nov 15 2012 Athmane Madjoudj 2.7.1-1 +- Update to 2.7.1 +- Remove libxml2 build patch (upstreamed) +- Update spec since upstream moved to github + * Thu Oct 18 2012 Athmane Madjoudj 2.7.0-2 - Add a patch to fix failed build against libxml2 >= 2.9.0 diff --git a/sources b/sources index d4376ca..d778a9e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -8e608bdc01a619219f35c6125f1d9860 modsecurity-apache_2.7.0.tar.gz +dbd30b714abe831098993213f30c1b96 modsecurity-apache_2.7.1.tar.gz From 7f15e7fb90ca84ebf6e6eaca24d9b806aafa5ba2 Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Thu, 15 Nov 2012 05:43:58 +0100 Subject: [PATCH 26/27] Fix mod_security config --- mod_security.conf | 5 +++++ mod_security.spec | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/mod_security.conf b/mod_security.conf index 092758b..9a98bbc 100644 --- a/mod_security.conf +++ b/mod_security.conf @@ -2,6 +2,11 @@ LoadModule security2_module modules/mod_security2.so LoadModule unique_id_module modules/mod_unique_id.so + # ModSecurity Core Rules Set configuration + Include modsecurity.d/*.conf + Include modsecurity.d/activated_rules/*.conf + + # Default recommended configuration SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ diff --git a/mod_security.spec b/mod_security.spec index 3b25e39..892be51 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -8,7 +8,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.7.1 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons 
@@ -97,6 +97,9 @@ rm -rf %{buildroot} %attr(0755,root,root) %{_bindir}/mlogc-batch-load %changelog +* Thu Nov 15 2012 Athmane Madjoudj 2.7.1-2 +- Fix mod_security.conf + * Thu Nov 15 2012 Athmane Madjoudj 2.7.1-1 - Update to 2.7.1 - Remove libxml2 build patch (upstreamed) From b4feb280b3f3b1025be543884028bc752c52fa75 Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Thu, 15 Nov 2012 09:23:16 +0100 Subject: [PATCH 27/27] - Add some missing directives RHBZ #569360 - Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774) --- mod_security.conf | 2 ++ mod_security.spec | 10 +++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/mod_security.conf b/mod_security.conf index 9a98bbc..607e169 100644 --- a/mod_security.conf +++ b/mod_security.conf @@ -52,4 +52,6 @@ LoadModule unique_id_module modules/mod_unique_id.so SecAuditLog /var/log/httpd/modsec_audit.log SecArgumentSeparator & SecCookieFormat 0 + SecTmpDir /var/lib/mod_security + SecDataDir /var/lib/mod_security diff --git a/mod_security.spec b/mod_security.spec index 892be51..7491f54 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -8,7 +8,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.7.1 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -65,6 +65,7 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_ # 2.2-style install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf %endif +install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name} # mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc @@ -73,6 +74,7 @@ install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf + %clean rm -rf %{buildroot} 
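Review bot: The state directory is created with mode 700 in `@@ -65,6 +65,7 @@` (`install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}`) but packaged as `%attr(770,apache,root)` in the `%files` hunk `@@ -86,6 +88,7 @@`, so the shipped mode is 770 and the two lines disagree. `SecTmpDir` and `SecDataDir` both point at this directory, which means it holds request temporary files and persistent collection data. Unless something in group root has to write there, `%attr(0700,apache,root) %dir %{_localstatedir}/lib/%{name}` is the tighter choice and matches the install line. The install line also uses `$RPM_BUILD_ROOT` where the rest of `%install` uses `%{buildroot}`.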
@@ -86,6 +88,7 @@ rm -rf %{buildroot} %endif %dir %{_sysconfdir}/httpd/modsecurity.d %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules +%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name} %files -n mlogc %defattr (-,root,root) @@ -97,6 +100,11 @@ rm -rf %{buildroot} %attr(0755,root,root) %{_bindir}/mlogc-batch-load %changelog +* Thu Nov 15 2012 Athmane Madjoudj 2.7.1-3 +- Add some missing directives RHBZ #569360 +- Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) + (RHBZ #867424, #867773, #867774) + * Thu Nov 15 2012 Athmane Madjoudj 2.7.1-2 - Fix mod_security.conf