dist-git conversion

- SECURITY: Fix potential rules bypass and denial of service (bz#563576)

.cvsignore

@@ -1 +0,0 @@
-modsecurity-1.8.7.tar.gz

.gitignore

@@ -0,0 +1 @@
+modsecurity-apache_2.5.12.tar.gz

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: mod_security
-# $Id$
-NAME := mod_security
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

mod_security.conf

@@ -1,107 +1,93 @@
 # Example configuration file for the mod_security Apache module
 
-LoadModule security_module modules/mod_security.so
+LoadModule security2_module modules/mod_security2.so
+LoadModule unique_id_module modules/mod_unique_id.so
 
-<IfModule mod_security.c>
+<IfModule mod_security2.c>
+	# This is the ModSecurity Core Rules Set.
 	
-    # Turn the filtering engine On or Off
+	# Basic configuration goes in here
-    SecFilterEngine On
+	Include modsecurity.d/*.conf
+	Include modsecurity.d/base_rules/*.conf
+	Include modsecurity.d/modsecurity_localrules.conf
 
-    # The audit engine works independently and
+	# Additional items taken from new minimal modsecurity conf
-    # can be turned On of Off on the per-server or
+	# Basic configuration options
-    # on the per-directory basis
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecResponseBodyAccess Off
+	
+	# PCRE Tuning
+	SecPcreMatchLimit 1000
+	SecPcreMatchLimitRecursion 1000
+
+	# Handling of file uploads
+	# TODO Choose a folder private to Apache.
+	# SecUploadDir /opt/apache-frontend/tmp/
+	SecUploadKeepFiles Off
+	SecUploadFileLimit 10
+
+	# Debug log
+	SecDebugLog logs/modsec_debug.log
+	SecDebugLogLevel 0
+
+	# Serial audit log
 	SecAuditEngine RelevantOnly
+	SecAuditLogRelevantStatus ^5
+	SecAuditLogParts ABIFHZ
+	SecAuditLogType Serial
+	SecAuditLog logs/modsec_audit.log
 
-    # Make sure that URL encoding is valid
+	# Set Data Directory
-    SecFilterCheckURLEncoding On
+	SecDataDir logs/
 
-    # Unicode encoding check
+	# Maximum request body size we will
-    SecFilterCheckUnicodeEncoding On
+	# accept for buffering
+	SecRequestBodyLimit 131072
 
-    # Only allow bytes from this range
+	# Store up to 128 KB in memory
-    SecFilterForceByteRange 1 255
+	SecRequestBodyInMemoryLimit 131072
 
-    # Cookie format checks.
+	# Buffer response bodies of up to
-    SecFilterCheckCookieFormat On	
+	# 512 KB in length
+	SecResponseBodyLimit 524288
 
-    # The name of the audit log file
+	# Verify that we've correctly processed the request body.
-    SecAuditLog logs/audit_log
+	# As a rule of thumb, when failing to process a request body
+	# you should reject the request (when deployed in blocking mode)
+	# or log a high-severity alert (when deployed in detection-only mode).
+	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
 
-    # Should mod_security inspect POST payloads
+	# By default be strict with what we accept in the multipart/form-data
-    SecFilterScanPOST On
+	# request body. If the rule below proves to be too strict for your
+	# environment consider changing it to detection-only. You are encouraged
+	# _not_ to remove it altogether.
+	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart request body \
+	failed strict validation: \
+	PE %{REQBODY_PROCESSOR_ERROR}, \
+	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+	DB %{MULTIPART_DATA_BEFORE}, \
+	DA %{MULTIPART_DATA_AFTER}, \
+	HF %{MULTIPART_HEADER_FOLDING}, \
+	LF %{MULTIPART_LF_LINE}, \
+	SM %{MULTIPART_SEMICOLON_MISSING}, \
+	IQ %{MULTIPART_INVALID_QUOTING}, \
+	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 	
-    # Default action set
+	# Did we see anything that might be a boundary?
-    SecFilterDefaultAction "deny,log,status:406"
+	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
 	
-    # Simple example filter
+	# Some internal errors will set flags in TX and we will need to look for these.
-    # SecFilter 111
+	# All of these are prefixed with "MSC_".  The following flags currently exist:
-   
+	#
-    # Prevent path traversal (..) attacks
+	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-    # SecFilter "\.\./"
+	#
-
+	SecRule TX:/^MSC_/ "!@streq 0" \
-    # Weaker XSS protection but allows common HTML tags
+	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
-    # SecFilter "<( |\n)*script"
-
-    # Prevent XSS atacks (HTML/Javascript injection)
-    # SecFilter "<(.|\n)+>"
-
-    # Very crude filters to prevent SQL injection attacks
-    # SecFilter "delete[[:space:]]+from"
-    # SecFilter "insert[[:space:]]+into"
-    # SecFilter "select.+from"
-
-    # Require HTTP_USER_AGENT and HTTP_HOST headers
-    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
-
-    # Only accept request encodings we know how to handle
-    # we exclude GET requests from this because some (automated)
-    # clients supply "text/html" as Content-Type
-    SecFilterSelective REQUEST_METHOD "!^GET$" chain
-    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
-
-    # Require Content-Length to be provided with
-    # every POST request
-    SecFilterSelective REQUEST_METHOD "^POST$" chain
-    SecFilterSelective HTTP_Content-Length "^$"
-
-    # Don't accept transfer encodings we know we don't handle
-    # (and you don't need it anyway)
-    SecFilterSelective HTTP_Transfer-Encoding "!^$"
-
-    # Some common application-related rules from
-    # http://modsecrules.monkeydev.org/rules.php?safety=safe
-
-    #Nuke Bookmarks XSS
-    SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
-    #Nuke Bookmarks Marks.php SQL Injection Vulnerability
-    SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
-
-    #PHPNuke general XSS attempt
-    #/modules.php?name=News&file=article&sid=1&optionbox=
-    SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
-
-    # PHPNuke SQL injection attempt
-    SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
-
-    #phpnuke sql insertion
-    SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
-    # WEB-PHP phpbb quick-reply.php arbitrary command attempt
-
-    SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
-    SecFilter "phpbb_root_path="
-
-    #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
-    SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
-    
-    # phpMyAdmin: Safe
-
-    #phpMyAdmin Export.PHP File Disclosure Vulnerability
-    SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
-    SecFilterSelective ARG_what "\.\."
-
-    #phpMyAdmin path vln
-    SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
 
 </IfModule>

mod_security.spec

@@ -1,15 +1,16 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 1.8.7
+Version: 2.5.12
-Release: 4%{?dist}
+Release: 3%{?dist}
-License: GPL
+License: GPLv2
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
-Source: http://www.modsecurity.org/download/modsecurity-%{version}.tar.gz
+Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
+Source2: modsecurity_localrules.conf
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
-BuildRequires: httpd-devel
+BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
 
 %description
 ModSecurity is an open source intrusion detection and prevention engine
@@ -18,31 +19,150 @@ as a powerful umbrella - shielding web applications from attacks.
 
 %prep
 
-%setup -q -n modsecurity-%{version}
+%setup -n modsecurity-apache_%{version}
 
 %build
-/usr/sbin/apxs -Wc,"%{optflags}" -c apache2/mod_security.c
+cd apache2
+%configure
+make %{_smp_mflags}
+make %{_smp_mflags} mlogc
 
 %install
 rm -rf %{buildroot}
-mkdir -p %{buildroot}%{_libdir}/httpd/modules/
+install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
-mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/
+install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf
-install -p apache2/.libs/mod_security.so %{buildroot}/%{_libdir}/httpd/modules/
+install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
-install -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/
+install -D -m644 rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf
+install -Dp tools/mlogc %{buildroot}/%{_bindir}/mlogc
+install -D -m644 apache2/mlogc-src/mlogc-default.conf %{buildroot}/%{_sysconfdir}/mlogc.conf
 
 %clean
 rm -rf %{buildroot}
 
 %files
 %defattr (-,root,root)
-%doc CHANGES LICENSE INSTALL README httpd* *.pdf util
+%doc rules/util CHANGES LICENSE README.* modsecurity* doc MODSECURITY_LICENSING_EXCEPTION
-%{_libdir}/httpd/modules/mod_security.so
+%{_libdir}/httpd/modules/mod_security2.so
-%config(noreplace) /etc/httpd/conf.d/mod_security.conf
+%{_bindir}/mlogc
+%config(noreplace) %{_sysconfdir}/mlogc.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf
+%dir %{_sysconfdir}/httpd/modsecurity.d
+%{_sysconfdir}/httpd/modsecurity.d/optional_rules
+%{_sysconfdir}/httpd/modsecurity.d/base_rules
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf
 
 %changelog
+* Thu Apr 29 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-3
+- Fix SecDatadir and minimal config per bz #569360
+
+* Sat Feb 13 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-1
+- Update to latest upstream release
+- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
+
+* Fri Nov 6 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-2
+- Fix rules and Apache configuration (bz#533124)
+
+* Thu Oct 8 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-1
+- Upgrade to 2.5.10 (with Core Rules v2)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Mar 12 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> 2.5.9-1
+- Update to upstream release 2.5.9
+- Fixes potential DoS' in multipart request and PDF XSS handling
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Dec 29 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.5.7-1
+- Update to upstream 2.5.7
+- Reinstate mlogc
+
+* Sat Aug 2 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.5.6-1
+- Update to upstream 2.5.6
+- Remove references to mlogc, it no longer ships in the main tarball.
+- Link correctly vs. libxml2 and lua (bz# 445839)
+- Remove bogus LoadFile directives as they're no longer needed.
+
+* Sun Apr 13 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.7-1
+- Update to upstream 2.1.7
+
+* Sat Feb 23 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.6-1
+- Update to upstream 2.1.6 (Extra features including SecUploadFileMode)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.1.5-3
+- Autorebuild for GCC 4.3
+
+* Sat Jan 27 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.5-2
+- Update to 2.1.5 (bz#425986)
+- "blocking" -> "optional_rules" per tarball ;-)
+
+
+* Thu Sep  13 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.3-1
+- Update to 2.1.3
+- Update License tag per guidelines.
+
+* Mon Sep  3 2007 Joe Orton <jorton@redhat.com> 2.1.1-3
+- rebuild for fixed 32-bit APR (#254241)
+
+* Wed Aug 29 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.1.1-2
+- Rebuild for selinux ppc32 issue.
+
+* Tue Jun 19 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.1-1
+- New upstream release
+- Drop ASCIIZ rule (fixed upstream)
+- Re-enable protocol violation/anomalies rules now that REQUEST_FILENAME
+  is fixed upstream.
+
+* Sun Apr 1 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.0-3
+- Automagically configure correct library path for libxml2 library.
+- Add LoadModule for mod_unique_id as the logging wants this at runtime
+
+* Mon Mar 26 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.0-2
+- Fix DSO permissions (bz#233733)
+
+* Tue Mar 13 2007 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.0-1
+- New major release - 2.1.0
+- Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic
+- Addition of core ruleset
+- (Build)Requires libxml2 and pcre added.
+
+* Sun Sep 3 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.4-2
+- Rebuild
+- Fix minor longstanding braino in included sample configuration (bz #203972)
+
+* Mon May 15 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.4-1
+- New upstream release
+
+* Tue Apr 11 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.3-1
+- New upstream release
+- Trivial spec tweaks
+
+* Wed Mar 1 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.2-3
+- Bump for FC5
+
+* Fri Feb 10 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.2-2
+- Bump for newer gcc/glibc
+
+* Wed Jan 18 2006 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.2-1
+- New upstream release
+
+* Fri Dec 16 2005 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.1-2
+- Bump for new httpd
+
+* Thu Dec 1 2005 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9.1-1
+- New release 1.9.1 
+
+* Wed Nov 9 2005 Michael Fleming <mfleming+rpm@enlartenment.com> 1.9-1
+- New stable upstream release 1.9
+
 * Sat Jul 9 2005 Michael Fleming <mfleming+rpm@enlartenment.com> 1.8.7-4
 - Add Requires: httpd-mmn to get the appropriate "module magic" version
-  (thanks Ville Skyttä)
+  (thanks Ville Skytta)
 - Disabled an overly-agressive rule or two..
 
 * Sat Jul 9 2005 Michael Fleming <mfleming+rpm@enlartenment.com> 1.8.7-3

modsecurity_localrules.conf

@@ -0,0 +1,2 @@
+# Drop your local rules in here.
+

sources

@@ -1 +1 @@
-0dd48656e451c711358c097dc80e0369  modsecurity-1.8.7.tar.gz
+f7d14b97bbe54ecb953125b0f9b87a24  modsecurity-apache_2.5.12.tar.gz