Compare commits


37 Commits
rawhide ... el5

Author SHA1 Message Date
Athmane Madjoudj
b964b09c4d Fix m_strcasestr not defined in old mod_security branch issue (RHBZ #1089343) 2014-04-18 17:06:31 +01:00
Athmane Madjoudj
eff88774af Fix Chunked string case sensitive issue (CVE-2013-5705, RHBZ #1082904 #1082905 #1082906) 2014-04-01 19:37:52 +01:00
Athmane Madjoudj
fcffe49bdb Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615). 2013-05-28 16:28:51 +01:00
Athmane Madjoudj
74bb5ef6ac Backport security patch from 2.7.3 (RHBZ #947842). 2013-04-09 15:56:20 +01:00
Athmane Madjoudj
5674c3eeb8 - Add some missing directives RHBZ #569360
- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)
2012-11-17 10:30:06 +01:00
Athmane Madjoudj
9f867be7f4 Revert to 2.6.8. 2012-11-17 09:13:45 +01:00
Athmane Madjoudj
1c04ae212a Merge branch 'master' into el5
Conflicts:
	.gitignore
	mod_security.conf
	mod_security.spec
	sources
2012-11-15 11:10:13 +01:00
Athmane Madjoudj
0a837562bb Merge branch 'el6' into el5 2012-09-12 12:42:26 +01:00
Athmane Madjoudj
ee4d4b6b08 Re-add mlogc sub-package for epel (#856525) 2012-09-12 12:42:03 +01:00
Athmane Madjoudj
516bd4be33 Re-add mlogc sub-package for epel (#856525) 2012-09-12 11:14:25 +01:00
Athmane Madjoudj
b6e1bc306b Define BuildRoot on EL5 2012-08-25 16:54:40 +01:00
Athmane Madjoudj
fea112790b Import epel6 changes 2012-08-25 16:26:47 +01:00
Athmane Madjoudj
91ccd3988e Update to 2.6.7 2012-08-25 16:04:43 +01:00
Athmane Madjoudj
d934a872f3 Import rawhide changes to epel6 2012-08-24 16:03:36 +01:00
Fedora Release Engineering
33b43334cf dist-git conversion 2010-07-29 03:34:48 +00:00
Fedora Release Engineering
7b62d15613 dist-git conversion 2010-07-29 03:34:42 +00:00
Michael Fleming
de6b96be9b - - Fix log dirs and files ordering per bz#569360 2010-06-30 09:35:16 +00:00
Dennis Gilmore
3aca1bcdc9 Initialize branch EL-6 for mod_security 2010-05-08 02:00:10 +00:00
Michael Fleming
8591cc1a40 - Fix SecDatadir and minimal config per bz #569360 2010-04-29 11:44:09 +00:00
Michael Fleming
96c9b51ade - Fix SecDatadir and minimal config per bz #569360 2010-04-29 11:11:46 +00:00
Michael Fleming
c9ed66101b - Update to latest upstream release
- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
2010-02-13 10:33:12 +00:00
Michael Fleming
8c545ffa74 - Update to latest upstream release
- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
2010-02-13 10:28:34 +00:00
Bill Nottingham
b0fa109735 Fix typo that causes a failure to update the common directory. (releng #2781) 2009-11-26 01:38:58 +00:00
Bill Nottingham
e8e9a0c385 Fix typo that causes a failure to update the common directory. (releng #2781) 2009-11-26 01:38:57 +00:00
Michael Fleming
a10f689594 Update conf to pull in new rules locations 2009-11-07 01:13:55 +00:00
Michael Fleming
dc4a57cecd - Fix rules and Apache configuration (bz#533124) 2009-11-07 01:00:17 +00:00
Michael Fleming
c078f6ef5f - Fix rules and Apache configuration (bz#533124) 2009-11-07 00:57:55 +00:00
Michael Fleming
9cbab86ceb - Fix rules and Apache configuration (bz#533124) 2009-11-06 09:39:42 +00:00
Michael Fleming
97c7d3ea80 - Upgrade to 2.5.10 (with Core Rules v2) 2009-10-26 06:55:28 +00:00
Michael Fleming
3c31e4d46c - Upgrade to 2.5.10 (with Core Rules v2) 2009-10-26 06:46:39 +00:00
Michael Fleming
c5b504983e - Update to upstream release 2.5.9
- Fixes potential DoS' in multipart request and PDF XSS handling
2009-03-12 10:50:33 +00:00
Michael Fleming
0419751394 - Update to upstream 2.5.7
- Reinstate mlogc
2009-03-08 10:32:21 +00:00
Michael Fleming
b10da42fb9 - New upstream release (bz #444794) 2008-05-01 01:30:14 +00:00
Michael Fleming
df1f19229c - New upstream release
- Update License tag per guidelines
2007-09-13 07:49:36 +00:00
Michael Fleming
33d10cb255 New upstream release 2007-06-19 09:59:15 +00:00
Dennis Gilmore
2b8e464cb8 Initialize branch EL-5 for mod_security 2007-05-19 14:21:01 +00:00
Michael Fleming
3a3819e6ac - Sync with devel
- Fix CVE-2007-1359 (bz #231728)
- Automagically configure correct library path for libxml2 library.
- Add LoadModule for mod_unique_id as the logging wants this at runtime
2007-04-02 10:33:48 +00:00
10 changed files with 400 additions and 156 deletions

.gitignore

@ -3,5 +3,3 @@ modsecurity-apache_2.5.12.tar.gz
/modsecurity-apache_2.6.5.tar.gz /modsecurity-apache_2.6.5.tar.gz
/modsecurity-apache_2.6.6.tar.gz /modsecurity-apache_2.6.6.tar.gz
/modsecurity-apache_2.6.8.tar.gz /modsecurity-apache_2.6.8.tar.gz
/modsecurity-apache_2.7.0.tar.gz
/modsecurity-apache_2.7.1.tar.gz


@ -0,0 +1,38 @@
diff -ru modsecurity-apache_2.6.8/apache2/msc_util.c modsecurity-apache_2.6.8-patched/apache2/msc_util.c
--- modsecurity-apache_2.6.8/apache2/msc_util.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8-patched/apache2/msc_util.c 2014-04-18 16:11:02.765000000 +0100
@@ -368,6 +368,24 @@
return d;
}
+char *m_strcasestr(const char *haystack, const char *needle) {
+ char aux, lower_aux;
+ int length;
+
+ if ((aux = *needle++) != 0) {
+ aux = (char)tolower((unsigned char)aux);
+ length = strlen(needle);
+ do {
+ do {
+ if ((lower_aux = *haystack++) == 0)
+ return NULL;
+ } while ((char)tolower((unsigned char)lower_aux) != aux);
+ } while (strncasecmp(haystack, needle, length) != 0);
+ haystack--;
+ }
+ return ((char *)haystack);
+}
+
/**
*
*/
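Review bot: m_strcasestr() calls tolower() and strncasecmp(), but the hunk adds no `#include <ctype.h>` or `#include <strings.h>`; confirm msc_util.c already includes them, otherwise the build runs into an implicit declaration of the same kind the commit message ("m_strcasestr not defined") is fixing. Two smaller points: `int length` receives a size_t from strlen(), so `size_t length` would avoid a sign-conversion warning, and the neighbouring functions carry a `/** ... */` doc comment while this one has none; one line stating that an empty needle returns haystack (strstr semantics) would help callers.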
diff -ru modsecurity-apache_2.6.8/apache2/msc_util.h modsecurity-apache_2.6.8-patched/apache2/msc_util.h
--- modsecurity-apache_2.6.8/apache2/msc_util.h 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8-patched/apache2/msc_util.h 2014-04-18 16:09:40.007000000 +0100
@@ -111,4 +111,6 @@
char DSOLOCAL *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp);
+char DSOLOCAL *m_strcasestr(const char *haystack, const char *needle);
+
#endif


@ -0,0 +1,133 @@
diff -ru modsecurity-apache_2.6.8.orig/apache2/apache2_config.c modsecurity-apache_2.6.8/apache2/apache2_config.c
--- modsecurity-apache_2.6.8.orig/apache2/apache2_config.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/apache2_config.c 2013-04-09 14:46:47.000000000 +0100
@@ -128,6 +128,10 @@
/* Collection timeout */
dcfg->col_timeout = NOT_SET;
+ /* xml external entity */
+ dcfg->xml_external_entity = NOT_SET;
+
+
return dcfg;
}
@@ -517,6 +521,11 @@
merged->col_timeout = (child->col_timeout == NOT_SET
? parent->col_timeout : child->col_timeout);
+
+
+ /* xml external entity */
+ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
+ ? parent->xml_external_entity : child->xml_external_entity);
return merged;
}
@@ -615,6 +624,9 @@
if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
+
+ /* xml external entity */
+ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
}
/**
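Review bot: the NOT_SET fallback picks 0, i.e. external entity loading stays disabled unless a configuration explicitly sets SecXmlExternalEntity On; that is the right default for a module parsing untrusted XML, and the mod_security.conf diff on this page does not set the directive, so EL5 builds get the restrictive behaviour out of the box. The help string in the AP_INIT_TAKE1 entry ("On or Off") should mention that Off is the default.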
@@ -1705,6 +1717,34 @@
return NULL;
}
+/**
+* \brief Add SecXmlExternalEntity configuration option
+*
+* \param cmd Pointer to configuration data
+* \param _dcfg Pointer to directory configuration
+* \param p1 Pointer to configuration option
+*
+* \retval NULL On failure
+* \retval apr_psprintf On Success
+*/
+static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ if (strcasecmp(p1, "on") == 0) {
+ dcfg->xml_external_entity = 1;
+ }
+ else if (strcasecmp(p1, "off") == 0) {
+ dcfg->xml_external_entity = 0;
+ }
+ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
+
+ return NULL;
+}
+
+
+
/*
* \brief Add SecRuleUpdateTargetById
*
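Review bot: the doc comment has the return values inverted: the function returns NULL on success and the apr_psprintf() error string on failure, so `\retval NULL On failure` and `\retval apr_psprintf On Success` should be swapped to match the body. Also, `if (dcfg == NULL) return NULL;` reports success without storing anything; returning an error string there would avoid hiding a directive that was never applied. The three empty `+` lines after the closing brace are noise.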
@@ -2680,5 +2720,16 @@
"id"
),
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+ cmd_xml_external_entity,
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
+ ),
+
+
+
+
{ NULL }
};
diff -ru modsecurity-apache_2.6.8.orig/apache2/modsecurity.h modsecurity-apache_2.6.8/apache2/modsecurity.h
--- modsecurity-apache_2.6.8.orig/apache2/modsecurity.h 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/modsecurity.h 2013-04-09 14:48:34.000000000 +0100
@@ -523,6 +523,9 @@
/* Collection timeout */
int col_timeout;
+
+ /* xml */
+ int xml_external_entity;
};
struct error_message {
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_xml.c modsecurity-apache_2.6.8/apache2/msc_xml.c
--- modsecurity-apache_2.6.8.orig/apache2/msc_xml.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_xml.c 2013-04-09 14:39:48.000000000 +0100
@@ -14,17 +14,28 @@
#include "msc_xml.h"
+static xmlParserInputBufferPtr
+xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
+ return NULL;
+}
+
/**
* Initialise XML parser.
*/
int xml_init(modsec_rec *msr, char **error_msg) {
+ xmlParserInputBufferCreateFilenameFunc entity;
+
if (error_msg == NULL) return -1;
*error_msg = NULL;
msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
if (msr->xml == NULL) return -1;
+ if(msr->txcfg->xml_external_entity == 0) {
+ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
+ }
+
return 1;
}
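Review bot: `entity` is assigned and never used, so this adds an unused-variable warning; more importantly, the previous handler returned by xmlParserInputBufferCreateFilenameDefault() is the only way to restore libxml2's default loader, and it is discarded. The call also changes a process-wide libxml2 default, so once xml_init() runs for a transaction whose txcfg has xml_external_entity == 0 the NULL-returning loader stays installed for every later parse in that httpd worker, including contexts configured with SecXmlExternalEntity On and any other libxml2 user in the process; the On case never reinstalls the default. If that sticky behaviour is acceptable for a backport it should be documented next to the directive; otherwise keep the returned pointer and restore it when the option is On. Minor: xml_unload_external_entity() ignores URI and enc, which some compilers flag as unused parameters.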


@ -0,0 +1,11 @@
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c modsecurity-apache_2.6.8/apache2/msc_reqbody.c
--- modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c 2013-05-28 15:18:49.000000000 +0100
@@ -170,6 +170,7 @@
/* Would storing this chunk mean going over the limit? */
if ((msr->msc_reqbody_spilltodisk)
+ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
&& (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
{
msc_data_chunk **chunks;
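Review bot: the added condition means a transaction with reqbody_buffering == REQUEST_BODY_FORCEBUF_ON never takes the spill-to-disk path, which is what removes the NULL dereference the commit names (CVE-2013-2765); the consequence is that such bodies are held entirely in memory regardless of SecRequestBodyInMemoryLimit, so SecRequestBodyLimit is the only cap. That deserves a one-line comment above the `if`, since the in-memory limit directive now silently does not apply in that mode.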


@ -0,0 +1,25 @@
From f8d441cd25172fdfe5b613442fedfc0da3cc333d Mon Sep 17 00:00:00 2001
From: Breno Silva <breno.silva@gmail.com>
Date: Wed, 4 Sep 2013 08:57:07 -0300
Subject: [PATCH] Fix Chunked string case sensitive issue - CVE-2013-5705
---
apache2/modsecurity.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
index 6b77132..b36775d 100644
--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
if (msr->request_content_length == -1) {
/* There's no C-L, but is chunked encoding used? */
char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
- if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
+ if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
msr->reqbody_should_exist = 1;
msr->reqbody_chunked = 1;
}
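Review bot: the one-line change is correct in intent (Transfer-Encoding values are case-insensitive tokens, so `Chunked` must be treated like `chunked`), but m_strcasestr() does not exist in the 2.6.8 tree this is applied to; the spec applies this as Patch3 and adds the helper as Patch4, which works because %prep applies both before %build, but the patch filename (`mod_security-2.7.6-...`) should either say 2.6.8 or carry a comment in the spec explaining it is the upstream 2.7.6 fix reused unchanged.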
--
1.9.1


@ -1,82 +0,0 @@
--- apache2/msc_crypt.c.orig 2012-10-18 10:42:43.381000000 +0100
+++ apache2/msc_crypt.c 2012-10-18 10:46:52.442000000 +0100
@@ -1079,6 +1079,70 @@
htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
+#ifdef LIBXML2_NEW_BUFFER
+
+ if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) {
+
+ if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0) {
+ xmlOutputBufferClose(output_buf);
+ xmlFreeDoc(msr->crypto_html_tree);
+ msr->of_stream_changed = 0;
+ return -1;
+ }
+
+ if(msr->stream_output_data != NULL) {
+ free(msr->stream_output_data);
+ msr->stream_output_data = NULL;
+ }
+
+ msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
+ msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
+
+ if (msr->stream_output_data == NULL) {
+ xmlOutputBufferClose(output_buf);
+ xmlFreeDoc(msr->crypto_html_tree);
+ return -1;
+ }
+
+ memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
+ memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
+
+ if (msr->txcfg->debuglog_level >= 4)
+ msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
+
+ } else {
+
+ if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0) {
+ xmlOutputBufferClose(output_buf);
+ xmlFreeDoc(msr->crypto_html_tree);
+ msr->of_stream_changed = 0;
+ return -1;
+ }
+
+ if(msr->stream_output_data != NULL) {
+ free(msr->stream_output_data);
+ msr->stream_output_data = NULL;
+ }
+
+ msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
+ msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
+
+ if (msr->stream_output_data == NULL) {
+ xmlOutputBufferClose(output_buf);
+ xmlFreeDoc(msr->crypto_html_tree);
+ return -1;
+ }
+
+ memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
+ memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
+
+ if (msr->txcfg->debuglog_level >= 4)
+ msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
+
+ }
+
+#else
+
if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) {
if(output_buf->buffer == NULL || output_buf->buffer->use == 0) {
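Review bot: in the removed (rawhide-side) file, the LIBXML2_NEW_BUFFER branch duplicates roughly 25 lines of its own else path with the only differences being the first condition and the log text; the two could share one body with the size check factored out. The new-API checks also call the same xmlOutputBufferGetSize(output_buf) for both the `conv` and `buffer` cases, so the `conv == NULL || GetSize == 0` test no longer distinguishes the conversion buffer from the raw buffer the way `conv->use` and `buffer->use` do in the #else path. The el5 side drops the file entirely, which is consistent with its spec staying on 2.6.8 without a libxml2 patch, so nothing to fix on this branch.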
@@ -1139,6 +1203,8 @@
}
+#endif
+
xmlOutputBufferClose(output_buf);
content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length);


@ -0,0 +1,82 @@
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c modsecurity-apache_2.6.8/apache2/msc_multipart.c
--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c 2012-11-17 09:30:50.499143902 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_multipart.c 2012-11-17 09:42:41.362779780 +0100
@@ -653,6 +653,7 @@
}
}
else {
+ msr->mpd->flag_invalid_part = 1;
msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): "
"(offset %u, length %u)", msr->mpd->mpp,
msr->mpd->mpp->offset, msr->mpd->mpp->length);
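Review bot: setting flag_invalid_part right before the "Skipping invalid part" log ties the new MULTIPART_INVALID_PART variable to the part-name-missing case only; if the parser skips parts for other reasons elsewhere in msc_multipart.c, those sites need the same assignment or the variable will under-report. A comment naming CVE-2012-4528 next to the flag would help future backports.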
@@ -961,6 +962,11 @@
msr_log(msr, 4, "Multipart: Warning: invalid quoting used.");
}
+ if (msr->mpd->flag_invalid_part) {
+ msr_log(msr, 4, "Multipart: Warning: invalid part parsing.");
+ }
+
+
if (msr->mpd->flag_invalid_header_folding) {
msr_log(msr, 4, "Multipart: Warning: invalid header folding used.");
}
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h modsecurity-apache_2.6.8/apache2/msc_multipart.h
--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h 2012-11-17 09:30:50.499143902 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_multipart.h 2012-11-17 09:44:04.235930720 +0100
@@ -117,6 +117,7 @@
int flag_boundary_whitespace;
int flag_missing_semicolon;
int flag_invalid_quoting;
+ int flag_invalid_part;
int flag_invalid_header_folding;
int flag_file_limit_exceeded;
};
diff -ru modsecurity-apache_2.6.8.orig/apache2/re_variables.c modsecurity-apache_2.6.8/apache2/re_variables.c
--- modsecurity-apache_2.6.8.orig/apache2/re_variables.c 2012-11-17 09:30:50.499143902 +0100
+++ modsecurity-apache_2.6.8/apache2/re_variables.c 2012-11-17 09:48:11.176457660 +0100
@@ -1377,6 +1377,18 @@
}
}
+/* MULTIPART_INVALID_PART */
+
+static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) {
+ return var_simple_generate(var, vartab, mptmp, "1");
+ } else {
+ return var_simple_generate(var, vartab, mptmp, "0");
+ }
+}
+
/* MULTIPART_INVALID_QUOTING */
static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
@@ -1429,6 +1441,7 @@
||(msr->mpd->flag_lf_line != 0)
||(msr->mpd->flag_missing_semicolon != 0)
||(msr->mpd->flag_invalid_quoting != 0)
+ ||(msr->mpd->flag_invalid_part != 0)
||(msr->mpd->flag_invalid_header_folding != 0)
||(msr->mpd->flag_file_limit_exceeded != 0)
) {
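Review bot: adding flag_invalid_part to the MULTIPART_STRICT_ERROR disjunction is the part that matters for deployed rulesets: the shipped mod_security.conf on this page already denies on `MULTIPART_STRICT_ERROR "!@eq 0"`, so existing configurations block the skipped-part case without a new rule, while the standalone MULTIPART_INVALID_PART variable lets a rule log it specifically. Keep this list in sync whenever another multipart flag is added.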
@@ -2835,6 +2848,17 @@
VAR_DONT_CACHE, /* flag */
PHASE_REQUEST_BODY
);
+
+ /* MULTIPART_INVALID_PART */
+ msre_engine_variable_register(engine,
+ "MULTIPART_INVALID_PART",
+ VAR_SIMPLE,
+ 0, 0,
+ NULL,
+ var_multipart_invalid_part_generate,
+ VAR_DONT_CACHE, /* flag */
+ PHASE_REQUEST_BODY
+ );
/* MULTIPART_INVALID_QUOTING */
msre_engine_variable_register(engine,


@ -1,57 +1,94 @@
LoadModule security2_module modules/mod_security2.so LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so LoadModule unique_id_module modules/mod_unique_id.so
<IfModule mod_security2.c> <IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration # This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
Include modsecurity.d/*.conf Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ # Additional items taken from new minimal modsecurity conf
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" # Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
SecUploadFileLimit 10
SecPcreMatchLimit 1000 # Debug log
SecPcreMatchLimitRecursion 1000 SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecRule TX:/^MSC_/ "!@streq 0" \ # Audit log
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogType Serial
SecAuditLogParts ABIFHZ
SecAuditLog /var/log/httpd/modsec_audit.log
SecResponseBodyAccess Off # Alternative mlogc configuration
SecDebugLog /var/log/httpd/modsec_debug.log #SecAuditLogType Concurrent
SecDebugLogLevel 0 #SecAuditLogParts ABIDEFGHZ
SecAuditEngine RelevantOnly #SecAuditLogStorageDir /var/log/mlogc/data
SecAuditLogRelevantStatus "^(?:5|4(?!04))" #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial # Set Data Directory
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security SecDataDir /var/lib/mod_security
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IQ %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
</IfModule> </IfModule>
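Review bot: two copy-and-paste errors on the el5 side of the MULTIPART_STRICT_ERROR message: `IQ %{MULTIPART_INVALID_PART}` reuses the IQ label (rawhide uses `IP`) and `IH %{MULTIPART_FILE_LIMIT_EXCEEDED}` reuses IH (rawhide uses `FL`), so the log line shows two IQ and two IH fields and the reader cannot tell which flag fired. The two sides also name the semicolon flag differently (`MULTIPART_SEMICOLON_MISSING` on el5, `MULTIPART_MISSING_SEMICOLON` on rawhide); confirm the 2.6.8 engine registers the el5 spelling, because a misspelled variable in a macro will not produce the intended value. The el5 rules carry no `id:` actions and use REQBODY_PROCESSOR_ERROR where rawhide uses REQBODY_ERROR, which is expected for the 2.6 engine, and the request body limit differs (131072 on el5, 13107200 on rawhide); both are worth a comment in the file so the branches are not "fixed" to match each other by mistake.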


@ -7,15 +7,21 @@
Summary: Security module for the Apache HTTP Server Summary: Security module for the Apache HTTP Server
Name: mod_security Name: mod_security
Version: 2.7.1 Version: 2.6.8
Release: 3%{?dist} Release: 6%{?dist}
License: ASL 2.0 License: ASL 2.0
URL: http://www.modsecurity.org/ URL: http://www.modsecurity.org/
Group: System Environment/Daemons Group: System Environment/Daemons
Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
Source1: mod_security.conf Source1: mod_security.conf
Patch0: mod_security-fix-cve-2012-4528.patch
Patch1: mod_security-2.6.8-rhbz947842.patch
Patch2: mod_security-2.6.8_fix_cve-2013-2765.patch
Patch3: mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch
Patch4: mod_security-2.6.8-fix-m_strcasestr-issue-rhbz1089343.patch
Requires: httpd httpd-mmn = %{_httpd_mmn} Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description %description
ModSecurity is an open source intrusion detection and prevention engine ModSecurity is an open source intrusion detection and prevention engine
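Review bot: Patch3 is named for 2.7.6 but applied to 2.6.8 sources, and Patch4 exists only to supply the m_strcasestr() that Patch3 calls; a short comment above those two Patch lines explaining that relationship will save the next maintainer from re-deriving it. The BuildRoot tag is needed on EL5 and correctly appears only on that side. The Source URL changes from github.com/downloads back to www.modsecurity.org/download for 2.6.8; confirm the md5 in `sources` (430449ab9ee906c464aa70b79f9c2230 in the last hunk) was taken from a tarball fetched from that location.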
@ -32,6 +38,11 @@ This package contains the ModSecurity Audit Log Collector.
%prep %prep
%setup -q -n modsecurity-apache_%{version} %setup -q -n modsecurity-apache_%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build %build
%configure --enable-pcre-match-limit=1000000 \ %configure --enable-pcre-match-limit=1000000 \
@ -65,7 +76,7 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
# 2.2-style # 2.2-style
install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
%endif %endif
install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name} install -m 700 -d %{buildroot}%{_localstatedir}/lib/%{name}
# mlogc # mlogc
install -d %{buildroot}%{_localstatedir}/log/mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc
@ -74,7 +85,6 @@ install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
@ -100,34 +110,26 @@ rm -rf %{buildroot}
%attr(0755,root,root) %{_bindir}/mlogc-batch-load %attr(0755,root,root) %{_bindir}/mlogc-batch-load
%changelog %changelog
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3 * Fri Apr 18 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-6
- Fix m_strcasestr not defined in old mod_security branch issue (RHBZ #1089343)
* Tue Apr 01 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-5
- Fix Chunked string case sensitive issue (CVE-2013-5705, RHBZ #1082904 #1082905 #1082906)
* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-4
- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
* Wed Apr 3 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-3
- Backport security patch from 2.7.3 (RHBZ #947842)
* Sat Nov 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-2
- Add some missing directives RHBZ #569360 - Add some missing directives RHBZ #569360
- Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) - Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
(RHBZ #867424, #867773, #867774) (RHBZ #867424, #867773, #867774)
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-2
- Fix mod_security.conf
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-1
- Update to 2.7.1
- Remove libxml2 build patch (upstreamed)
- Update spec since upstream moved to github
* Thu Oct 18 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-2
- Add a patch to fix failed build against libxml2 >= 2.9.0
* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
- Update to 2.7.0
* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1 * Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
- Update to 2.6.8 - Update to 2.6.8
* Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
- Re-add mlogc sub-package for epel (#856525)
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
- Update to 2.6.7
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1 * Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
- Update to 2.6.7 - Update to 2.6.7


@ -1 +1 @@
dbd30b714abe831098993213f30c1b96 modsecurity-apache_2.7.1.tar.gz 430449ab9ee906c464aa70b79f9c2230 modsecurity-apache_2.6.8.tar.gz