Change mlogc default SSL algo (RHBZ #1441614)

Conflicts:
	.gitignore

0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch

@@ -0,0 +1,28 @@
+From 84f2299f6b3b56cf5342ad378c3641be548bf79c Mon Sep 17 00:00:00 2001
+From: Felipe Zimmerle <fcosta@trustwave.com>
+Date: Mon, 3 Nov 2014 10:13:21 -0800
+Subject: [PATCH] mlogc: Changes the default SSL algo to TLS 1.2
+
+As reported by Josh Amishav-Zlatin, mlogc was making usage of SSLv3 instead of
+TLS 1.2. Servers should not answer SSLv3 after poodle.
+---
+ mlogc/mlogc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mlogc/mlogc.c b/mlogc/mlogc.c
+index 4163230..c4b2a23 100644
+--- a/mlogc/mlogc.c
++++ b/mlogc/mlogc.c
+@@ -1218,8 +1218,8 @@ static void logc_init(void)
+         curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
+         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+-        /* SSLv3 works better overall as some servers have issues with TLS */
+-        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
++        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
++
+         curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
+         curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
+         curl_easy_setopt(curl, CURLOPT_HEADER, TRUE);
+--
+1.9.1

mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch

@@ -0,0 +1,25 @@
+From f8d441cd25172fdfe5b613442fedfc0da3cc333d Mon Sep 17 00:00:00 2001
+From: Breno Silva <breno.silva@gmail.com>
+Date: Wed, 4 Sep 2013 08:57:07 -0300
+Subject: [PATCH] Fix Chunked string case sensitive issue - CVE-2013-5705
+
+---
+ apache2/modsecurity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
+index 6b77132..b36775d 100644
+--- a/apache2/modsecurity.c
++++ b/apache2/modsecurity.c
+@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
+     if (msr->request_content_length == -1) {
+         /* There's no C-L, but is chunked encoding used? */
+         char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
+-        if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
++        if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
+             msr->reqbody_should_exist = 1;
+             msr->reqbody_chunked = 1;
+         }
+-- 
+1.9.1
+

mod_security-fix-error-500-for-invalid-requests.patch

@@ -0,0 +1,49 @@
+From f9c253952c564ffefd6c10b8327ef836832facea Mon Sep 17 00:00:00 2001
+From: root <root@ip-10-124-52-70.us-east-1.aws.cloud.in.here.com>
+Date: Fri, 29 Jan 2016 08:43:28 +0000
+Subject: [PATCH] This is fix for reborn of
+ https://github.com/SpiderLabs/ModSecurity/issues/334 This bug has been
+ reborn, because Apache (at least in RedHat/CentOS) since version 2.2.15-47
+ returns in same case APR_INCOMPLETE (not APR_EOF). Based on same patch I have
+ added handler for APR_INCOMPLETE.
+
+---
+ apache2/apache2_io.c    | 3 +++
+ apache2/mod_security2.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c
+index 0d59613..c14dd41 100644
+--- a/apache2/apache2_io.c
++++ b/apache2/apache2_io.c
+@@ -208,6 +208,9 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
+              *      too large and APR_EGENERAL when the client disconnects.
+              */
+             switch(rc) {
++                case APR_INCOMPLETE :
++                    *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
++                    return -7;
+                 case APR_EOF :
+                     *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+                     return -6;
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 5404fd8..14e9f44 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -1030,6 +1030,13 @@ static int hook_request_late(request_rec *r) {
+                 r->connection->keepalive = AP_CONN_CLOSE;
+                 return HTTP_BAD_REQUEST;
+                 break;
++            case -7 : /* Partial recieved */
++                if (my_error_msg != NULL) {
++                    msr_log(msr, 4, "%s", my_error_msg);
++                }
++                r->connection->keepalive = AP_CONN_CLOSE;
++                return HTTP_BAD_REQUEST;
++                break;
+             default :
+                 /* allow through */
+                 break;
+-- 
+2.7.4
+

mod_security.spec

@@ -10,7 +10,7 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
 Version: 2.7.3
-Release: 2%{?dist}
+Release: 5%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
@@ -18,6 +18,9 @@ Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{versi
 Source1: mod_security.conf
 Source2: 10-mod_security.conf
 Patch0: mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch
+Patch1: mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch
+Patch2: mod_security-fix-error-500-for-invalid-requests.patch
+Patch3: 0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
 
@@ -39,6 +42,9 @@ This package contains the ModSecurity Audit Log Collector.
 %prep
 %setup -q -n modsecurity-apache_%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 %configure --enable-pcre-match-limit=1000000 \
@@ -109,6 +115,15 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Apr 26 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 2.7.3-5
+- Change mlogc default SSL algo (RHBZ #1441614) 
+
+* Thu Jun 16 2016 Athmane Madjoudj <athmane@fedoraproject.org> - 2.7.3-4
+- Add a fix for failing on PUT/POST requests with http 500 error  (RHBZ #1344471)
+
+* Tue Apr 01 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-3
+- Fix Chunked string case sensitive issue (CVE-2013-5705, RHBZ #1082904 #1082905 #1082906)
+
 * Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-2
 - Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
 - Fix a possible memory leak.