Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.cvsignore

@@ -1 +0,0 @@
-modsecurity-apache_1.9.4.tar.gz

.gitignore

@@ -0,0 +1,25 @@
+modsecurity-apache_2.5.12.tar.gz
+/modsecurity-apache_2.5.13.tar.gz
+/modsecurity-apache_2.6.5.tar.gz
+/modsecurity-apache_2.6.6.tar.gz
+/modsecurity-apache_2.6.8.tar.gz
+/modsecurity-apache_2.7.0.tar.gz
+/modsecurity-apache_2.7.1.tar.gz
+/modsecurity-apache_2.7.2.tar.gz
+/modsecurity-apache_2.7.3.tar.gz
+/modsecurity-apache_2.7.4.tar.gz
+/modsecurity-apache_2.7.5.tar.gz
+/modsecurity-apache_2.7.5.tar.gz.sha256
+/v2.7.6.tar.gz
+/modsecurity-apache_2.7.7.tar.gz
+/modsecurity-apache_2.7.7.tar.gz.sha256
+/modsecurity-2.8.0.tar.gz
+/modsecurity-2.8.0.tar.gz.sha256
+/modsecurity-2.9.0.tar.gz
+/modsecurity-2.9.1.tar.gz
+/modsecurity-2.9.2.tar.gz
+/modsecurity-2.9.3.tar.gz
+/modsecurity-2.9.4.tar.gz
+/modsecurity-2.9.5.tar.gz
+/modsecurity-2.9.6.tar.gz
+/modsecurity-2.9.7.tar.gz

10-mod_security.conf

@@ -0,0 +1,5 @@
+LoadModule security2_module modules/mod_security2.so
+
+<IfModule !mod_unique_id.c>
+    LoadModule unique_id_module modules/mod_unique_id.so
+</IfModule>

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: mod_security
-# $Id$
-NAME := mod_security
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

mod_security-2.9.3-remote-rules-timeout.patch

@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    long int timeout;
++
++    if (dcfg == NULL) return NULL;
++
++    timeout = strtol(p1, NULL, 10);
++    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++    }
++
++    remote_rules_timeout = timeout;
++
++    return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+     if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+         "Abort or Warn"
+     ),
+ 
++    AP_INIT_TAKE1 (
++        "SecRemoteTimeout",
++        cmd_remote_timeout,
++        NULL,
++        CMD_SCOPE_ANY,
++        "timeout in seconds"
++    ),
++
+ 
+     AP_INIT_TAKE1 (
+         "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+         /* We want Curl to return error in case there is an HTTP error code */
+         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
++        /* In case we want different timeout than a default one */
++        if (remote_rules_timeout != NOT_SET){
++            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++        }
++
+         res = curl_easy_perform(curl);
+ 
+         if (res != CURLE_OK)

mod_security-2.9.7-send_error_bucket.patch

@@ -0,0 +1,30 @@
+From b2fa083522c70368c7ab911696dcb87dde5dc688 Mon Sep 17 00:00:00 2001
+From: Tomas Korbar <tkorbar@redhat.com>
+Date: Thu, 22 Dec 2022 14:49:34 +0100
+Subject: [PATCH] Clear original response code in send_error_bucket function
+
+If this is left intact, then apache thinks that this code
+was generated during processing of ErrorDocument and does not
+handle it properly
+
+Fix #2849
+---
+ apache2/apache2_util.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apache2/apache2_util.c b/apache2/apache2_util.c
+index cdae2b580..520a30f2f 100644
+--- a/apache2/apache2_util.c
++++ b/apache2/apache2_util.c
+@@ -31,6 +31,11 @@ apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) {
+     /* Set the status line explicitly for the error document */
+     f->r->status_line = ap_get_status_line(status);
+ 
++    /* Clear previously set response code to make clear that this is
++     * not a recursive error
++     */
++    f->r->status = 200;
++
+     brigade = apr_brigade_create(f->r->pool, f->r->connection->bucket_alloc);
+     if (brigade == NULL) return APR_EGENERAL;
+ 

mod_security.conf

@@ -1,107 +1,56 @@
-# Example configuration file for the mod_security Apache module
+<IfModule mod_security2.c>
+    # Default recommended configuration
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 
-LoadModule security_module modules/mod_security.so
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
 
-<IfModule mod_security.c>
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
 
-    # Turn the filtering engine On or Off
-    SecFilterEngine On
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 
-    # The audit engine works independently and
-    # can be turned On of Off on the per-server or
-    # on the per-directory basis
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecDebugLogLevel 0
     SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
 
-    # Make sure that URL encoding is valid
-    SecFilterCheckURLEncoding On
+    # ModSecurity Core Rules Set and Local configuration
+	Include modsecurity.d/*.conf
+	Include modsecurity.d/activated_rules/*.conf
+	Include modsecurity.d/local_rules/*.conf
     
-    # Unicode encoding check
-    SecFilterCheckUnicodeEncoding On
-    
-    # Only allow bytes from this range
-    SecFilterForceByteRange 1 255
-
-    # Cookie format checks.
-    SecFilterCheckCookieFormat On	
- 
-    # The name of the audit log file
-    SecAuditLog logs/audit_log
-
-    # Should mod_security inspect POST payloads
-    SecFilterScanPOST On
-
-    # Default action set
-    SecFilterDefaultAction "deny,log,status:406"
-
-    # Simple example filter
-    # SecFilter 111
-   
-    # Prevent path traversal (..) attacks
-    # SecFilter "\.\./"
-
-    # Weaker XSS protection but allows common HTML tags
-    # SecFilter "<( |\n)*script"
-
-    # Prevent XSS atacks (HTML/Javascript injection)
-    # SecFilter "<(.|\n)+>"
-
-    # Very crude filters to prevent SQL injection attacks
-    # SecFilter "delete[[:space:]]+from"
-    # SecFilter "insert[[:space:]]+into"
-    # SecFilter "select.+from"
-
-    # Require HTTP_USER_AGENT and HTTP_HOST headers
-    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
-
-    # Only accept request encodings we know how to handle
-    # we exclude GET requests from this because some (automated)
-    # clients supply "text/html" as Content-Type
-    SecFilterSelective REQUEST_METHOD "!^GET$" chain
-    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded|^multipart/form-data)"
-
-    # Require Content-Length to be provided with
-    # every POST request
-    SecFilterSelective REQUEST_METHOD "^POST$" chain
-    SecFilterSelective HTTP_Content-Length "^$"
-
-    # Don't accept transfer encodings we know we don't handle
-    # (and you don't need it anyway)
-    SecFilterSelective HTTP_Transfer-Encoding "!^$"
-
-    # Some common application-related rules from
-    # http://modsecrules.monkeydev.org/rules.php?safety=safe
-
-    #Nuke Bookmarks XSS
-    SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
-    #Nuke Bookmarks Marks.php SQL Injection Vulnerability
-    SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
-
-    #PHPNuke general XSS attempt
-    #/modules.php?name=News&file=article&sid=1&optionbox=
-    SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
-
-    # PHPNuke SQL injection attempt
-    SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
-
-    #phpnuke sql insertion
-    SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
-    # WEB-PHP phpbb quick-reply.php arbitrary command attempt
-
-    SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
-    SecFilter "phpbb_root_path="
-
-    #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
-    SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
-    
-    # phpMyAdmin: Safe
-
-    #phpMyAdmin Export.PHP File Disclosure Vulnerability
-    SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
-    SecFilterSelective ARG_what "\.\."
-
-    #phpMyAdmin path vln
-    SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
-    	
 </IfModule>

mod_security.spec

@@ -1,45 +1,492 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir:    %{expand: %%global _httpd_moddir    %%{_libdir}/httpd/modules}}
+
+%bcond_without mlogc
+
 Summary: Security module for the Apache HTTP Server
-Name: mod_security 
-Version: 1.9.4
-Release: 2%{?dist}
-License: GPL
+Name: mod_security
+Version: 2.9.7
+Release: 6%{?dist}
+License: Apache-2.0
 URL: http://www.modsecurity.org/
-Group: System Environment/Daemons
-Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
+Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
 Source1: mod_security.conf
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: httpd  httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
+Source2: 10-mod_security.conf
+Source3: modsecurity_localrules.conf
+Patch0: modsecurity-2.9.3-lua-54.patch
+Patch1: modsecurity-2.9.3-apulibs.patch
+Patch2: mod_security-2.9.3-remote-rules-timeout.patch
+Patch3: mod_security-2.9.7-send_error_bucket.patch
+
+Requires: httpd httpd-mmn = %{_httpd_mmn}
+%if 0%{?fedora} || 0%{?rhel} > 7
+# Ensure apache user exists for file ownership
+Requires(pre): httpd-filesystem
+%endif
+
+BuildRequires: gcc, make, autoconf, automake, libtool
 BuildRequires: httpd-devel
+BuildRequires: perl-generators
+BuildRequires: pcre2-devel
+BuildRequires: pkgconfig(libcurl)
+BuildRequires: pkgconfig(libxml-2.0)
+BuildRequires: pkgconfig(lua)
+
+# Workarround for EL6
+%if 0%{?el6}
+BuildRequires: yajl-devel
+%else
+BuildRequires: pkgconfig(yajl)
+%endif
+
 
 %description
 ModSecurity is an open source intrusion detection and prevention engine
 for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.
 
-%prep
+%if %{with mlogc}
+%package        mlogc
+Summary:        ModSecurity Audit Log Collector
+Requires:       mod_security
+%if 0%{?fedora} || 0%{?rhel} > 7
+# Ensure apache user exists for file ownership
+Requires(pre):  httpd-filesystem
+%endif
 
-%setup -q -n modsecurity-apache_%{version}
+%description mlogc
+This package contains the ModSecurity Audit Log Collector.
+%endif
+
+%prep
+%autosetup -p1 -n modsecurity-%{version}
 
 %build
-/usr/sbin/apxs -Wc,"%{optflags}" -c apache2/mod_security.c
+./autogen.sh
+%configure --enable-pcre-match-limit=1000000 \
+           --enable-pcre-match-limit-recursion=1000000 \
+           --with-apxs=%{_httpd_apxs} \
+           --with-yajl \
+           --with-pcre2 \
+           --disable-static
+
+# remove rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+make %{_smp_mflags}
+
+%check
+# Test suite does not start because of some issue in shipped httpd config (fix upstreamed in PR #669)
+# After the fix, the test suite starts but still fails
+#make test
+#make test-regression
 
 %install
-rm -rf %{buildroot}
-mkdir -p %{buildroot}%{_libdir}/httpd/modules/
-mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/
-install -p apache2/.libs/mod_security.so %{buildroot}/%{_libdir}/httpd/modules/
-install -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/
+install -d %{buildroot}%{_sbindir}
+install -d %{buildroot}%{_bindir}
+install -d %{buildroot}%{_httpd_moddir}
+install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
+install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
+install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/local_rules
+
+install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_httpd_moddir}/mod_security2.so
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# 2.4-style
+install -Dp -m0644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf
+install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
+sed  -i 's/Include/IncludeOptional/'  %{buildroot}%{_httpd_confdir}/mod_security.conf
+%else
+# 2.2-style
+install -d -m0755 %{buildroot}%{_httpd_confdir}
+cat %{SOURCE2} %{SOURCE1} > %{buildroot}%{_httpd_confdir}/mod_security.conf
+%endif
+install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
+
+# Local rules example
+install -Dp -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/local_rules/
+
+# mlogc
+%if %{with mlogc}
+install -d %{buildroot}%{_localstatedir}/log/mlogc
+install -d %{buildroot}%{_localstatedir}/log/mlogc/data
+install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
+install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
+install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
+%endif
 
-%clean
-rm -rf %{buildroot}
 
 %files
-%defattr (-,root,root)
-%doc CHANGES LICENSE INSTALL README httpd* util doc
-%{_libdir}/httpd/modules/mod_security.so
-%config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf
+%doc CHANGES LICENSE README.* NOTICE
+%{_httpd_moddir}/mod_security2.so
+%config(noreplace) %{_httpd_confdir}/*.conf
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/*.conf
+%endif
+%dir %{_sysconfdir}/httpd/modsecurity.d
+%dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
+%dir %{_sysconfdir}/httpd/modsecurity.d/local_rules
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/local_rules/*.conf
+%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
+
+%if %{with mlogc}
+%files mlogc
+%doc mlogc/INSTALL
+%attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
+%attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
+%attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data
+%attr(0755,root,root) %{_bindir}/mlogc
+%attr(0755,root,root) %{_bindir}/mlogc-batch-load
+%endif
 
 %changelog
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Jan 02 2024 Tomas Korbar <tkorbar@redhat.com> - 2.9.7-4
+- Clear original response code in send_error_bucket function
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jun 02 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.9.7-2
+- SPDX migration
+
+* Thu Apr 13 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.9.7-1
+- new version 2.9.7
+- use pcre2 instead of deprecated pcre (rhbz #2128330)
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Sep 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.6-1
+- new version 2.9.6
+
+* Wed Aug 31 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.5-1
+- new version 2.9.5
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Aug 18 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.9.4-1
+- new version 2.9.4
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-10
+- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
+  timeout for retrieving the rules
+- rename mlogc to mod_security-mlogc
+
+* Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
+- don't link against redundant apr-util dependent libraries
+
+* Sat Aug 08 2020 Othman Madjoudj <athmane@fedoraproject.org> - 2.9.3-7
+- Add a patch to fix build with Lua 5.4 until we completely switch to mod_sec3 as default
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-6
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Dec 09 2018 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.3-1
+- Update to 2.9.3
+
+* Fri Nov 16 2018 Joe Orton <jorton@redhat.com> - 2.9.2-7
+- Requires(pre): httpd-filesystem to ensure apache user exists
+- enable mlogc everywhere, use buildcond to disable
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Sun Feb 18 2018 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.2-5
+- Add gcc and make as BR (minimal buildroot change)
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 21 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.2-1
+- Update to 2.9.2
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Mar 09 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.1-1
+- Update to final 2.9.1
+- Minor spec fix.
+
+* Tue Mar 08 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.1-0.1.rc1
+- Add workaround for el6
+
+* Tue Mar 08 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.1-0.rc1
+- Update to 2.9.1-rc1
+- Remove upstreamed patch
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Oct 02 2015 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.0-5
+- Update BuildRequires using pkgconfig name schema
+
+* Tue Sep 01 2015 Athmane Madjoudj <athmane@fedoraproject.org>  2.9.0-4
+- Add yajl support
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Feb 13 2015 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.0-2
+- Remove curl version dep. since it no longer required
+
+* Fri Feb 13 2015 Athmane Madjoudj <athmane@fedoraproject.org>  2.9.0-1
+- Update to 2.9.0
+- Remove backported patch
+- Add patch to fix lua 5.3 build issue (PR #837)
+
+* Tue Nov 04 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-7
+- Make sure mod_security is built with correct curl version
+
+* Mon Nov 03 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-6
+- Changes the default SSL version to TLS 1.2 since SSLv3 is vulnerable to poodle
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Aug 15 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-4
+- Add support for user-provided configurations and rules (rhbz #1129843)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed Apr 16 2014  Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-1
+- Update to 2.8.0 Final
+
+* Thu Apr 03 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-0.rc1
+- Update to 2.8.0-RC1
+
+* Tue Mar 04 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-6
+- Fix status code in the configuration file (upstream PR #666)
+
+* Sat Mar 01 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-5
+- Fix rpmlint warnings
+
+* Thu Feb 27 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-4
+- Add check section
+
+* Sat Feb 22 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-3
+- Fix bogus date in chanelog
+
+* Thu Jan 23 2014 Joe Orton <jorton@redhat.com> - 2.7.7-2
+- fix _httpd_mmn expansion in absence of httpd-devel
+
+* Thu Dec 19 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-1
+- Update to 2.7.7
+- Fix the spec file since upstream fixed the bugs reported.
+
+* Tue Dec 17 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.6-2
+- Add autotools deps
+
+* Tue Dec 17 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.6-1
+- Update to 2.7.6
+- Fix spec since upstream will only provide tarball via Github
+
+* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 2.7.5-2
+- Perl 5.18 rebuild
+
+* Tue Jul 30 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.5-1
+- Update to 2.7.5
+
+* Thu Jul 18 2013 Petr Pisar <ppisar@redhat.com> - 2.7.4-2
+- Perl 5.18 rebuild
+
+* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.4-1
+- Update to 2.7.4
+- Drop non required patch
+
+* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-2
+- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
+- Fix a possible memory leak.
+
+* Sat Mar 30 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-1
+- Update to 2.7.3
+
+* Fri Jan 25 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.2-1
+- Update to 2.7.2
+- Update source url in the spec.
+
+* Thu Nov 22 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-5
+- Use conditional for loading mod_unique_id (rhbz #879264)
+- Fix syntax errors on httpd 2.4.x by using IncludeOptional (rhbz #879264, comment #2)
+
+* Mon Nov 19 2012 Peter Vrabec <pvrabec@redhat.com> 2.7.1-4
+- mlogc subpackage is not provided on RHEL7
+
+* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3
+- Add some missing directives RHBZ #569360
+- Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
+  (RHBZ #867424, #867773, #867774)
+
+* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-2
+- Fix mod_security.conf
+
+* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-1
+- Update to 2.7.1
+- Remove libxml2 build patch (upstreamed)
+- Update spec since upstream moved to github
+
+* Thu Oct 18 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-2
+- Add a patch to fix failed build against libxml2 >= 2.9.0
+
+* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
+- Update to 2.7.0
+
+* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
+- Update to 2.6.8
+
+* Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
+- Re-add mlogc sub-package for epel (#856525)
+ 
+* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
+- Update to 2.6.7
+
+* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
+- Update to 2.6.7
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jun 22 2012 Peter Vrabec <pvrabec@redhat.com> - 2.6.6-2
+- mlogc subpackage is not provided on RHEL
+ 
+* Thu Jun 21 2012 Peter Vrabec <pvrabec@redhat.com> - 2.6.6-1
+- upgrade
+
+* Mon May  7 2012 Joe Orton <jorton@redhat.com> - 2.6.5-3
+- packaging fixes
+
+* Fri Apr 27 2012 Peter Vrabec <pvrabec@redhat.com> 2.6.5-2
+- fix license tag
+
+* Thu Apr 05 2012 Peter Vrabec <pvrabec@redhat.com> 2.6.5-1
+- upgrade & move rules into new package mod_security_crs
+
+* Fri Feb 10 2012 Petr Pisar <ppisar@redhat.com> - 2.5.13-3
+- Rebuild against PCRE 8.30
+- Do not install non-existing files
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue  May 3 2011 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.13-1
+- Newer upstream version
+
+* Wed Jun 30 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-3
+- Fix log dirs and files ordering per bz#569360
+
+* Thu Apr 29 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-2
+- Fix SecDatadir and minimal config per bz #569360
+
+* Sat Feb 13 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-1
+- Update to latest upstream release
+- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
+
+* Fri Nov 6 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-2
+- Fix rules and Apache configuration (bz#533124)
+
+* Thu Oct 8 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-1
+- Upgrade to 2.5.10 (with Core Rules v2)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Mar 12 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> 2.5.9-1
+- Update to upstream release 2.5.9
+- Fixes potential DoS' in multipart request and PDF XSS handling
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Dec 29 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.5.7-1
+- Update to upstream 2.5.7
+- Reinstate mlogc
+
+* Sat Aug 2 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.5.6-1
+- Update to upstream 2.5.6
+- Remove references to mlogc, it no longer ships in the main tarball.
+- Link correctly vs. libxml2 and lua (bz# 445839)
+- Remove bogus LoadFile directives as they're no longer needed.
+
+* Sun Apr 13 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.7-1
+- Update to upstream 2.1.7
+
+* Sat Feb 23 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.6-1
+- Update to upstream 2.1.6 (Extra features including SecUploadFileMode)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.1.5-3
+- Autorebuild for GCC 4.3
+
+* Sun Jan 27 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.5-2
+- Update to 2.1.5 (bz#425986)
+- "blocking" -> "optional_rules" per tarball ;-)
+
+
+* Thu Sep  13 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.3-1
+- Update to 2.1.3
+- Update License tag per guidelines.
+
+* Mon Sep  3 2007 Joe Orton <jorton@redhat.com> 2.1.1-3
+- rebuild for fixed 32-bit APR (#254241)
+
+* Wed Aug 29 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.1.1-2
+- Rebuild for selinux ppc32 issue.
+
+* Tue Jun 19 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.1-1
+- New upstream release
+- Drop ASCIIZ rule (fixed upstream)
+- Re-enable protocol violation/anomalies rules now that REQUEST_FILENAME
+  is fixed upstream.
+
+* Sun Apr 1 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.0-3
+- Automagically configure correct library path for libxml2 library.
+- Add LoadModule for mod_unique_id as the logging wants this at runtime
+
+* Mon Mar 26 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.0-2
+- Fix DSO permissions (bz#233733)
+
+* Tue Mar 13 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.0-1
+- New major release - 2.1.0
+- Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic
+- Addition of core ruleset
+- (Build)Requires libxml2 and pcre added.
+
 * Sun Sep 3 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.4-2
 - Rebuild
 - Fix minor longstanding braino in included sample configuration (bz #203972)

modsecurity-2.9.3-apulibs.patch

@@ -0,0 +1,14 @@
+
+Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
+
+--- modsecurity-2.9.3/build/find_apu.m4.apulibs
++++ modsecurity-2.9.3/build/find_apu.m4
+@@ -59,7 +59,7 @@
+     APU_CFLAGS="`${APU_CONFIG} --includes`"
+     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
+     APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
+-    APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
++    APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
+     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
+     APU_LDADD="`${APU_CONFIG} --link-libtool`"
+     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi

modsecurity-2.9.3-lua-54.patch

@@ -0,0 +1,31 @@
+diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c
+--- modsecurity-2.9.3/apache2/msc_lua.c	2018-12-04 18:49:37.000000000 +0000
++++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c	2020-08-08 16:55:14.936045777 +0000
+@@ -429,12 +429,12 @@
+ #else
+ 
+     /* Create new state. */
+-#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 501
++#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 501 || LUA_VERSION_NUM == 504
+     L = luaL_newstate();
+ #elif LUA_VERSION_NUM == 500
+     L = lua_open();
+ #else
+-#error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.
++#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3 or 5.4.
+ #endif
+     luaL_openlibs(L);
+ 
+@@ -459,10 +459,10 @@
+     /* Register functions. */
+ #if LUA_VERSION_NUM == 500 || LUA_VERSION_NUM == 501
+     luaL_register(L, "m", mylib);
+-#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503
++#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504
+     luaL_setfuncs(L, mylib, 0);
+ #else
+-#error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.
++#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3 or 5.4.
+ #endif
+ 
+     lua_setglobal(L, "m");

modsecurity_localrules.conf

@@ -0,0 +1,9 @@
+# User defined rules and settings .
+#
+# You can use this file/directory to drop your local rules or
+# to remove some rules provided by mod_security_crs package with SecRuleRemoveById
+#
+# You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
+#
+#
+

sources

@@ -1 +1 @@
-74d2317781bab619cd7b6b376b978107  modsecurity-apache_1.9.4.tar.gz
+SHA512 (modsecurity-2.9.7.tar.gz) = a333d142f0dedf332a3cccca8267ccf9193cd4ad5a026b3cdbe0713dd1f3edde33739eae8baced2c63409cc0b220001e0a226ea032874a97c08e4065eb1fbdd5