Fix m_strcasestr not defined in old mod_security branch issue (RHBZ #1089343)

- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)

.gitignore

@@ -3,5 +3,3 @@ modsecurity-apache_2.5.12.tar.gz
 /modsecurity-apache_2.6.5.tar.gz
 /modsecurity-apache_2.6.6.tar.gz
 /modsecurity-apache_2.6.8.tar.gz
-/modsecurity-apache_2.7.0.tar.gz
-/modsecurity-apache_2.7.1.tar.gz

mod_security-2.6.8-fix-m_strcasestr-issue-rhbz1089343.patch

@@ -0,0 +1,38 @@
+diff -ru modsecurity-apache_2.6.8/apache2/msc_util.c modsecurity-apache_2.6.8-patched/apache2/msc_util.c
+--- modsecurity-apache_2.6.8/apache2/msc_util.c	2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8-patched/apache2/msc_util.c	2014-04-18 16:11:02.765000000 +0100
+@@ -368,6 +368,24 @@
+     return d;
+ }
+ 
++char *m_strcasestr(const char *haystack, const char *needle) {
++    char aux, lower_aux;
++    int length;
++
++    if ((aux = *needle++) != 0) {
++        aux = (char)tolower((unsigned char)aux);
++        length = strlen(needle);
++        do {
++            do {
++                if ((lower_aux = *haystack++) == 0)
++                    return NULL;
++            } while ((char)tolower((unsigned char)lower_aux) != aux);
++        } while (strncasecmp(haystack, needle, length) != 0);
++        haystack--;
++    }
++    return ((char *)haystack);
++}
++
+ /**
+  *
+  */
+diff -ru modsecurity-apache_2.6.8/apache2/msc_util.h modsecurity-apache_2.6.8-patched/apache2/msc_util.h
+--- modsecurity-apache_2.6.8/apache2/msc_util.h	2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8-patched/apache2/msc_util.h	2014-04-18 16:09:40.007000000 +0100
+@@ -111,4 +111,6 @@
+ 
+ char DSOLOCAL *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp);
+ 
++char DSOLOCAL *m_strcasestr(const char *haystack, const char *needle);
++
+ #endif

mod_security-2.6.8-rhbz947842.patch

@@ -0,0 +1,133 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/apache2_config.c modsecurity-apache_2.6.8/apache2/apache2_config.c
+--- modsecurity-apache_2.6.8.orig/apache2/apache2_config.c	2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/apache2_config.c	2013-04-09 14:46:47.000000000 +0100
+@@ -128,6 +128,10 @@
+     /* Collection timeout */
+     dcfg->col_timeout = NOT_SET;
+ 
++    /* xml external entity */
++    dcfg->xml_external_entity = NOT_SET;
++
++
+     return dcfg;
+ }
+ 
+@@ -517,6 +521,11 @@
+ 
+     merged->col_timeout = (child->col_timeout == NOT_SET
+         ? parent->col_timeout : child->col_timeout);
++    
++
++    /* xml external entity */
++    merged->xml_external_entity = (child->xml_external_entity == NOT_SET
++        ? parent->xml_external_entity : child->xml_external_entity);
+ 
+     return merged;
+ }
+@@ -615,6 +624,9 @@
+     if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
+ 
+     if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
++
++    /* xml external entity */
++    if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
+ }
+ 
+ /**
+@@ -1705,6 +1717,34 @@
+     return NULL;
+ }
+ 
++/**
++* \brief Add SecXmlExternalEntity configuration option
++*
++* \param cmd Pointer to configuration data
++* \param _dcfg Pointer to directory configuration
++* \param p1 Pointer to configuration option
++*
++* \retval NULL On failure
++* \retval apr_psprintf On Success
++*/
++static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    if (dcfg == NULL) return NULL;
++
++    if (strcasecmp(p1, "on") == 0)  {
++        dcfg->xml_external_entity = 1;
++    }
++    else if (strcasecmp(p1, "off") == 0)    {
++        dcfg->xml_external_entity = 0;
++    }
++    else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
++
++    return NULL;
++}
++
++
++
+ /*
+ * \brief Add SecRuleUpdateTargetById
+ *
+@@ -2680,5 +2720,16 @@
+         "id"
+     ),
+ 
++    AP_INIT_TAKE1 (
++        "SecXmlExternalEntity",
++        cmd_xml_external_entity,
++        NULL,
++        CMD_SCOPE_ANY,
++        "On or Off"
++    ),
++
++
++    
++
+     { NULL }
+ };
+diff -ru modsecurity-apache_2.6.8.orig/apache2/modsecurity.h modsecurity-apache_2.6.8/apache2/modsecurity.h
+--- modsecurity-apache_2.6.8.orig/apache2/modsecurity.h	2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/modsecurity.h	2013-04-09 14:48:34.000000000 +0100
+@@ -523,6 +523,9 @@
+ 
+     /* Collection timeout */
+     int col_timeout;
++
++    /* xml */
++    int                 xml_external_entity;
+ };
+ 
+ struct error_message {
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_xml.c modsecurity-apache_2.6.8/apache2/msc_xml.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_xml.c	2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_xml.c	2013-04-09 14:39:48.000000000 +0100
+@@ -14,17 +14,28 @@
+ 
+ #include "msc_xml.h"
+ 
++static xmlParserInputBufferPtr
++xml_unload_external_entity(const char *URI, xmlCharEncoding enc)    {
++    return NULL;
++}
++
+ 
+ /**
+  * Initialise XML parser.
+  */
+ int xml_init(modsec_rec *msr, char **error_msg) {
++    xmlParserInputBufferCreateFilenameFunc entity;
++
+     if (error_msg == NULL) return -1;
+     *error_msg = NULL;
+ 
+     msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
+     if (msr->xml == NULL) return -1;
+ 
++    if(msr->txcfg->xml_external_entity == 0)    {
++        entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
++    }
++
+     return 1;
+ }
+ 

mod_security-2.6.8_fix_cve-2013-2765.patch

@@ -0,0 +1,11 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c modsecurity-apache_2.6.8/apache2/msc_reqbody.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c	2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c	2013-05-28 15:18:49.000000000 +0100
+@@ -170,6 +170,7 @@
+ 
+     /* Would storing this chunk mean going over the limit? */
+     if ((msr->msc_reqbody_spilltodisk)
++        && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
+         && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
+     {
+         msc_data_chunk **chunks;

mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch

@@ -0,0 +1,25 @@
+From f8d441cd25172fdfe5b613442fedfc0da3cc333d Mon Sep 17 00:00:00 2001
+From: Breno Silva <breno.silva@gmail.com>
+Date: Wed, 4 Sep 2013 08:57:07 -0300
+Subject: [PATCH] Fix Chunked string case sensitive issue - CVE-2013-5705
+
+---
+ apache2/modsecurity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
+index 6b77132..b36775d 100644
+--- a/apache2/modsecurity.c
++++ b/apache2/modsecurity.c
+@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
+     if (msr->request_content_length == -1) {
+         /* There's no C-L, but is chunked encoding used? */
+         char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
+-        if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
++        if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
+             msr->reqbody_should_exist = 1;
+             msr->reqbody_chunked = 1;
+         }
+-- 
+1.9.1
+

mod_security-fix-build-with-libxml29.patch

@@ -1,82 +0,0 @@
---- apache2/msc_crypt.c.orig	2012-10-18 10:42:43.381000000 +0100
-+++ apache2/msc_crypt.c	2012-10-18 10:46:52.442000000 +0100
-@@ -1079,6 +1079,70 @@
- 
-     htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
- 
-+#ifdef  LIBXML2_NEW_BUFFER
-+
-+    if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) {
-+
-+        if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
-+            xmlOutputBufferClose(output_buf);
-+            xmlFreeDoc(msr->crypto_html_tree);
-+            msr->of_stream_changed = 0;
-+            return -1;
-+        }
-+
-+        if(msr->stream_output_data != NULL) {
-+            free(msr->stream_output_data);
-+            msr->stream_output_data =  NULL;
-+        }
-+
-+        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
-+        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
-+
-+        if (msr->stream_output_data == NULL) {
-+            xmlOutputBufferClose(output_buf);
-+            xmlFreeDoc(msr->crypto_html_tree);
-+            return -1;
-+        }
-+
-+        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
-+        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
-+
-+        if (msr->txcfg->debuglog_level >= 4)
-+            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
-+
-+    } else {
-+
-+        if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
-+            xmlOutputBufferClose(output_buf);
-+            xmlFreeDoc(msr->crypto_html_tree);
-+            msr->of_stream_changed = 0;
-+            return -1;
-+        }
-+
-+        if(msr->stream_output_data != NULL) {
-+            free(msr->stream_output_data);
-+            msr->stream_output_data =  NULL;
-+        }
-+
-+        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
-+        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
-+
-+        if (msr->stream_output_data == NULL) {
-+            xmlOutputBufferClose(output_buf);
-+            xmlFreeDoc(msr->crypto_html_tree);
-+            return -1;
-+        }
-+
-+        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
-+        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
-+
-+        if (msr->txcfg->debuglog_level >= 4)
-+            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
-+
-+    }
-+
-+#else
-+
-     if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) {
- 
-         if(output_buf->buffer == NULL || output_buf->buffer->use == 0)  {
-@@ -1139,6 +1203,8 @@
- 
-     }
- 
-+#endif
-+
-     xmlOutputBufferClose(output_buf);
- 
-     content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length);

mod_security-fix-cve-2012-4528.patch

@@ -0,0 +1,82 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c modsecurity-apache_2.6.8/apache2/msc_multipart.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c	2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_multipart.c	2012-11-17 09:42:41.362779780 +0100
+@@ -653,6 +653,7 @@
+             }
+         }
+         else {
++            msr->mpd->flag_invalid_part = 1;
+             msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): "
+                 "(offset %u, length %u)", msr->mpd->mpp,
+                 msr->mpd->mpp->offset, msr->mpd->mpp->length);
+@@ -961,6 +962,11 @@
+             msr_log(msr, 4, "Multipart: Warning: invalid quoting used.");
+         }
+ 
++        if (msr->mpd->flag_invalid_part) {
++            msr_log(msr, 4, "Multipart: Warning: invalid part parsing.");
++        }
++
++
+         if (msr->mpd->flag_invalid_header_folding) {
+             msr_log(msr, 4, "Multipart: Warning: invalid header folding used.");
+         }        
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h modsecurity-apache_2.6.8/apache2/msc_multipart.h
+--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h	2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_multipart.h	2012-11-17 09:44:04.235930720 +0100
+@@ -117,6 +117,7 @@
+     int                      flag_boundary_whitespace;
+     int                      flag_missing_semicolon;
+     int                      flag_invalid_quoting;
++    int                      flag_invalid_part;
+     int                      flag_invalid_header_folding;
+     int                      flag_file_limit_exceeded;
+ };
+diff -ru modsecurity-apache_2.6.8.orig/apache2/re_variables.c modsecurity-apache_2.6.8/apache2/re_variables.c
+--- modsecurity-apache_2.6.8.orig/apache2/re_variables.c	2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/re_variables.c	2012-11-17 09:48:11.176457660 +0100
+@@ -1377,6 +1377,18 @@
+     }
+ }
+ 
++/* MULTIPART_INVALID_PART */
++
++static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
++    apr_table_t *vartab, apr_pool_t *mptmp)
++{
++    if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) {
++        return var_simple_generate(var, vartab, mptmp, "1");
++    } else {
++        return var_simple_generate(var, vartab, mptmp, "0");
++    }
++}
++
+ /* MULTIPART_INVALID_QUOTING */
+ 
+ static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+@@ -1429,6 +1441,7 @@
+             ||(msr->mpd->flag_lf_line != 0)
+             ||(msr->mpd->flag_missing_semicolon != 0)
+             ||(msr->mpd->flag_invalid_quoting != 0)
++            ||(msr->mpd->flag_invalid_part != 0)
+             ||(msr->mpd->flag_invalid_header_folding != 0)
+             ||(msr->mpd->flag_file_limit_exceeded != 0)
+         ) {
+@@ -2835,6 +2848,17 @@
+         VAR_DONT_CACHE, /* flag */
+         PHASE_REQUEST_BODY
+     );
++
++    /* MULTIPART_INVALID_PART */
++    msre_engine_variable_register(engine,
++        "MULTIPART_INVALID_PART",
++        VAR_SIMPLE,
++        0, 0,
++        NULL,
++        var_multipart_invalid_part_generate,
++        VAR_DONT_CACHE, /* flag */
++        PHASE_REQUEST_BODY
++    );
+ 
+     /* MULTIPART_INVALID_QUOTING */
+     msre_engine_variable_register(engine,

mod_security.conf

@@ -1,57 +1,94 @@
+
 LoadModule security2_module modules/mod_security2.so
 LoadModule unique_id_module modules/mod_unique_id.so
 
 <IfModule mod_security2.c>
-    # ModSecurity Core Rules Set configuration
+	# This is the ModSecurity Core Rules Set.
+
+	# Basic configuration goes in here
 	Include modsecurity.d/*.conf
 	Include modsecurity.d/activated_rules/*.conf
-    
-    # Default recommended configuration
-    SecRuleEngine On
-    SecRequestBodyAccess On
-    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-    SecRequestBodyLimit 13107200
-    SecRequestBodyNoFilesLimit 131072
-    SecRequestBodyInMemoryLimit 131072
-    SecRequestBodyLimitAction Reject
-    SecRule REQBODY_ERROR "!@eq 0" \
-    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
-    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
-    failed strict validation: \
-    PE %{REQBODY_PROCESSOR_ERROR}, \
-    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-    DB %{MULTIPART_DATA_BEFORE}, \
-    DA %{MULTIPART_DATA_AFTER}, \
-    HF %{MULTIPART_HEADER_FOLDING}, \
-    LF %{MULTIPART_LF_LINE}, \
-    SM %{MULTIPART_MISSING_SEMICOLON}, \
-    IQ %{MULTIPART_INVALID_QUOTING}, \
-    IP %{MULTIPART_INVALID_PART}, \
-    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 
-    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+	# Additional items taken from new minimal modsecurity conf
+	# Basic configuration options
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecResponseBodyAccess Off
+	
+	# Handling of file uploads
+	# TODO Choose a folder private to Apache.
+	# SecUploadDir /opt/apache-frontend/tmp/
+	SecUploadKeepFiles Off
+	SecUploadFileLimit 10
 
-    SecPcreMatchLimit 1000
-    SecPcreMatchLimitRecursion 1000
+	# Debug log
+	SecDebugLog /var/log/httpd/modsec_debug.log
+	SecDebugLogLevel 0
 
-    SecRule TX:/^MSC_/ "!@streq 0" \
-            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+	# Audit log
+	SecAuditEngine RelevantOnly
+	SecAuditLogRelevantStatus ^5
+	SecAuditLogType Serial
+	SecAuditLogParts ABIFHZ
+	SecAuditLog /var/log/httpd/modsec_audit.log
 
-    SecResponseBodyAccess Off
-    SecDebugLog /var/log/httpd/modsec_debug.log
-    SecDebugLogLevel 0
-    SecAuditEngine RelevantOnly
-    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-    SecAuditLogParts ABIJDEFHZ
-    SecAuditLogType Serial
-    SecAuditLog /var/log/httpd/modsec_audit.log
-    SecArgumentSeparator &
-    SecCookieFormat 0
+	# Alternative mlogc configuration
+	#SecAuditLogType Concurrent
+	#SecAuditLogParts ABIDEFGHZ
+	#SecAuditLogStorageDir /var/log/mlogc/data
+	#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
+
+	# Set Data Directory
     SecTmpDir /var/lib/mod_security
     SecDataDir /var/lib/mod_security
+
+	# Maximum request body size we will
+	# accept for buffering
+	SecRequestBodyLimit 131072
+
+	# Store up to 128 KB in memory
+	SecRequestBodyInMemoryLimit 131072
+
+	# Buffer response bodies of up to
+	# 512 KB in length
+	SecResponseBodyLimit 524288
+
+	# Verify that we've correctly processed the request body.
+	# As a rule of thumb, when failing to process a request body
+	# you should reject the request (when deployed in blocking mode)
+	# or log a high-severity alert (when deployed in detection-only mode).
+	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+	# By default be strict with what we accept in the multipart/form-data
+	# request body. If the rule below proves to be too strict for your
+	# environment consider changing it to detection-only. You are encouraged
+	# _not_ to remove it altogether.
+	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart request body \
+	failed strict validation: \
+	PE %{REQBODY_PROCESSOR_ERROR}, \
+	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+	DB %{MULTIPART_DATA_BEFORE}, \
+	DA %{MULTIPART_DATA_AFTER}, \
+	HF %{MULTIPART_HEADER_FOLDING}, \
+	LF %{MULTIPART_LF_LINE}, \
+	SM %{MULTIPART_SEMICOLON_MISSING}, \
+	IQ %{MULTIPART_INVALID_QUOTING}, \
+    IQ %{MULTIPART_INVALID_PART}, \
+	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+	
+	# Did we see anything that might be a boundary?
+	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+	
+	# Some internal errors will set flags in TX and we will need to look for these.
+	# All of these are prefixed with "MSC_".  The following flags currently exist:
+	#
+	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+	#
+	SecRule TX:/^MSC_/ "!@streq 0" \
+	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 </IfModule>

mod_security.spec

@@ -7,15 +7,21 @@
 
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 2.7.1
-Release: 3%{?dist}
+Version: 2.6.8
+Release: 6%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
-Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz
+Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
+Patch0: mod_security-fix-cve-2012-4528.patch
+Patch1: mod_security-2.6.8-rhbz947842.patch
+Patch2: mod_security-2.6.8_fix_cve-2013-2765.patch
+Patch3: mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch
+Patch4: mod_security-2.6.8-fix-m_strcasestr-issue-rhbz1089343.patch
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
 ModSecurity is an open source intrusion detection and prevention engine
@@ -32,6 +38,11 @@ This package contains the ModSecurity Audit Log Collector.
 
 %prep
 %setup -q -n modsecurity-apache_%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 %configure --enable-pcre-match-limit=1000000 \
@@ -65,7 +76,7 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
 # 2.2-style
 install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
 %endif
-install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
+install -m 700 -d %{buildroot}%{_localstatedir}/lib/%{name}
 
 # mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc
@@ -74,7 +85,6 @@ install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
 install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 
-
 %clean
 rm -rf %{buildroot}
 
@@ -100,34 +110,26 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{_bindir}/mlogc-batch-load
 
 %changelog
-* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3
+* Fri Apr 18 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-6
+- Fix m_strcasestr not defined in old mod_security branch issue (RHBZ #1089343)
+
+* Tue Apr 01 2014 Athmane Madjoudj <athmane@fedoraproject.org>  2.6.8-5
+- Fix Chunked string case sensitive issue (CVE-2013-5705, RHBZ #1082904 #1082905 #1082906)
+
+* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-4
+- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
+
+* Wed Apr  3 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-3
+- Backport security patch from 2.7.3 (RHBZ #947842)
+
+* Sat Nov 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-2
 - Add some missing directives RHBZ #569360
-- Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
+- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
   (RHBZ #867424, #867773, #867774)
 
-* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-2
-- Fix mod_security.conf
-
-* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-1
-- Update to 2.7.1
-- Remove libxml2 build patch (upstreamed)
-- Update spec since upstream moved to github
-
-* Thu Oct 18 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-2
-- Add a patch to fix failed build against libxml2 >= 2.9.0
-
-* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
-- Update to 2.7.0
-
 * Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
 - Update to 2.6.8
 
-* Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
-- Re-add mlogc sub-package for epel (#856525)
- 
-* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
-- Update to 2.6.7
-
 * Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
 - Update to 2.6.7
 

sources

@@ -1 +1 @@
-dbd30b714abe831098993213f30c1b96  modsecurity-apache_2.7.1.tar.gz
+430449ab9ee906c464aa70b79f9c2230  modsecurity-apache_2.6.8.tar.gz