dist-git conversion

- SECURITY: Fix potential rules bypass and denial of service (bz#563576)

.cvsignore

@@ -1 +0,0 @@
-modsecurity-apache_2.5.9.tar.gz

.gitignore

@@ -0,0 +1 @@
+modsecurity-apache_2.5.12.tar.gz

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: mod_security
-# $Id$
-NAME := mod_security
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

mod_security.conf

@@ -7,30 +7,89 @@ LoadModule unique_id_module modules/mod_unique_id.so
 	# This is the ModSecurity Core Rules Set.
 	
 	# Basic configuration goes in here
-	Include modsecurity.d/modsecurity_crs_10_config.conf
-	
-	# Protocol violation and anomalies.
-	
-	Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
-	Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
-	
-	# HTTP policy rules
-	
-	Include modsecurity.d/modsecurity_crs_30_http_policy.conf
+	Include modsecurity.d/*.conf
+	Include modsecurity.d/base_rules/*.conf
 
-	# Here comes the Bad Stuff...
+	# Additional items taken from new minimal modsecurity conf
+	# Basic configuration options
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecResponseBodyAccess Off
 	
-	Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
-	Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
-	Include modsecurity.d/modsecurity_crs_45_trojans.conf
-	Include modsecurity.d/modsecurity_crs_50_outbound.conf
+	# PCRE Tuning
+	SecPcreMatchLimit 1000
+	SecPcreMatchLimitRecursion 1000
 
-	# Search engines and other crawlers. Only useful if you want to track
-	# Google / Yahoo et. al.
-	
-	# Include modsecurity.d/modsecurity_crs_55_marketing.conf
-	
-	# Put your local rules in here.
+	# Handling of file uploads
+	# TODO Choose a folder private to Apache.
+	# SecUploadDir /opt/apache-frontend/tmp/
+	SecUploadKeepFiles Off
+	SecUploadFileLimit 10
 
+	# Debug log
+	SecDebugLog /var/log/httpd/modsec_debug.log
+	SecDebugLogLevel 0
+
+	# Serial audit log
+	SecAuditEngine RelevantOnly
+	SecAuditLogRelevantStatus ^5
+	SecAuditLogParts ABIFHZ
+	SecAuditLogType Serial
+	SecAuditLog /var/log/httpd/modsec_audit.log
+
+	# Set Data Directory
+	SecDataDir /var/log/httpd/
+
+	# Maximum request body size we will
+	# accept for buffering
+	SecRequestBodyLimit 131072
+
+	# Store up to 128 KB in memory
+	SecRequestBodyInMemoryLimit 131072
+
+	# Buffer response bodies of up to
+	# 512 KB in length
+	SecResponseBodyLimit 524288
+
+	# Verify that we've correctly processed the request body.
+	# As a rule of thumb, when failing to process a request body
+	# you should reject the request (when deployed in blocking mode)
+	# or log a high-severity alert (when deployed in detection-only mode).
+	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+	# By default be strict with what we accept in the multipart/form-data
+	# request body. If the rule below proves to be too strict for your
+	# environment consider changing it to detection-only. You are encouraged
+	# _not_ to remove it altogether.
+	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart request body \
+	failed strict validation: \
+	PE %{REQBODY_PROCESSOR_ERROR}, \
+	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+	DB %{MULTIPART_DATA_BEFORE}, \
+	DA %{MULTIPART_DATA_AFTER}, \
+	HF %{MULTIPART_HEADER_FOLDING}, \
+	LF %{MULTIPART_LF_LINE}, \
+	SM %{MULTIPART_SEMICOLON_MISSING}, \
+	IQ %{MULTIPART_INVALID_QUOTING}, \
+	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+	
+	# Did we see anything that might be a boundary?
+	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+	
+	# Some internal errors will set flags in TX and we will need to look for these.
+	# All of these are prefixed with "MSC_".  The following flags currently exist:
+	#
+	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+	#
+	SecRule TX:/^MSC_/ "!@streq 0" \
+	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+	# Local rules
 	Include modsecurity.d/modsecurity_localrules.conf
+
 </IfModule>

mod_security.spec

@@ -1,7 +1,7 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 2.5.9
-Release: 2%{?dist}
+Version: 2.5.12
+Release: 3%{?dist}
 License: GPLv2
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
@@ -31,9 +31,10 @@ make %{_smp_mflags} mlogc
 rm -rf %{buildroot}
 install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
 install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf
-install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/optional_rules/
-cp -r rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
-cp -r rules/optional_rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/optional_rules/
+install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+install -D -m644 rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
 install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf
 install -Dp tools/mlogc %{buildroot}/%{_bindir}/mlogc
 install -D -m644 apache2/mlogc-src/mlogc-default.conf %{buildroot}/%{_sysconfdir}/mlogc.conf
@@ -43,17 +44,33 @@ rm -rf %{buildroot}
 
 %files
 %defattr (-,root,root)
-%doc CHANGES LICENSE README.* modsecurity* doc MODSECURITY_LICENSING_EXCEPTION
+%doc rules/util CHANGES LICENSE README.* modsecurity* doc MODSECURITY_LICENSING_EXCEPTION
 %{_libdir}/httpd/modules/mod_security2.so
 %{_bindir}/mlogc
 %config(noreplace) %{_sysconfdir}/mlogc.conf
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf
 %dir %{_sysconfdir}/httpd/modsecurity.d
-%dir %{_sysconfdir}/httpd/modsecurity.d/optional_rules
+%{_sysconfdir}/httpd/modsecurity.d/optional_rules
+%{_sysconfdir}/httpd/modsecurity.d/base_rules
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf
-%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/optional_rules/*.conf
 
 %changelog
+* Wed Jun 30 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-3
+- Fix log dirs and files ordering per bz#569360
+
+* Thu Apr 29 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-2
+- Fix SecDatadir and minimal config per bz #569360
+
+* Sat Feb 13 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-1
+- Update to latest upstream release
+- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
+
+* Fri Nov 6 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-2
+- Fix rules and Apache configuration (bz#533124)
+
+* Thu Oct 8 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-1
+- Upgrade to 2.5.10 (with Core Rules v2)
+
 * Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
 

sources

@@ -1 +1 @@
-b7bf44a7e041b49b0da5043495660375  modsecurity-apache_2.5.9.tar.gz
+f7d14b97bbe54ecb953125b0f9b87a24  modsecurity-apache_2.5.12.tar.gz