From c50316f2698149cea63cd08510321495c6ce1a29 Mon Sep 17 00:00:00 2001 From: Michael Fleming Date: Thu, 29 Apr 2010 11:22:27 +0000 Subject: [PATCH] - Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) --- mod_security.conf | 80 +++++++++++++++++++++++++++++++++++++++++++++++ mod_security.spec | 5 ++- 2 files changed, 84 insertions(+), 1 deletion(-) diff --git a/mod_security.conf b/mod_security.conf index cebcdf3..ad67068 100644 --- a/mod_security.conf +++ b/mod_security.conf @@ -10,4 +10,84 @@ LoadModule unique_id_module modules/mod_unique_id.so Include modsecurity.d/*.conf Include modsecurity.d/base_rules/*.conf Include modsecurity.d/modsecurity_localrules.conf + + # Additional items taken from new minimal modsecurity conf + # Basic configuration options + SecRuleEngine On + SecRequestBodyAccess On + SecResponseBodyAccess Off + + # PCRE Tuning + SecPcreMatchLimit 1000 + SecPcreMatchLimitRecursion 1000 + + # Handling of file uploads + # TODO Choose a folder private to Apache. + # SecUploadDir /opt/apache-frontend/tmp/ + SecUploadKeepFiles Off + SecUploadFileLimit 10 + + # Debug log + SecDebugLog logs/modsec_debug.log + SecDebugLogLevel 0 + + # Serial audit log + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus ^5 + SecAuditLogParts ABIFHZ + SecAuditLogType Serial + SecAuditLog logs/modsec_audit.log + + # Set Data Directory + SecDataDir logs/ + + # Maximum request body size we will + # accept for buffering + SecRequestBodyLimit 131072 + + # Store up to 128 KB in memory + SecRequestBodyInMemoryLimit 131072 + + # Buffer response bodies of up to + # 512 KB in length + SecResponseBodyLimit 524288 + + # Verify that we've correctly processed the request body. + # As a rule of thumb, when failing to process a request body + # you should reject the request (when deployed in blocking mode) + # or log a high-severity alert (when deployed in detection-only mode). + SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \ + "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2" + + # By default be strict with what we accept in the multipart/form-data + # request body. If the rule below proves to be too strict for your + # environment consider changing it to detection-only. You are encouraged + # _not_ to remove it altogether. + SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "phase:2,t:none,log,deny,msg:'Multipart request body \ + failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_SEMICOLON_MISSING}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ + IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + + # Did we see anything that might be a boundary? + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" + + # Some internal errors will set flags in TX and we will need to look for these. + # All of these are prefixed with "MSC_". The following flags currently exist: + # + # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. + # + SecRule TX:/^MSC_/ "!@streq 0" \ + "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + diff --git a/mod_security.spec b/mod_security.spec index 669fb1d..b4f9365 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,7 +1,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.5.12 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -55,6 +55,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf %changelog +* Thu Apr 29 2010 Michael Fleming - 2.5.12-2 +- Fix SecDatadir and minimal config per bz #569360 + * Sat Feb 13 2010 Michael Fleming - 2.5.12-1 - Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576)