Change mlogc default SSL algo (RHBZ #1441614)

Conflicts:
	.gitignore

.gitignore

@@ -7,19 +7,3 @@ modsecurity-apache_2.5.12.tar.gz
 /modsecurity-apache_2.7.1.tar.gz
 /modsecurity-apache_2.7.2.tar.gz
 /modsecurity-apache_2.7.3.tar.gz
-/modsecurity-apache_2.7.4.tar.gz
-/modsecurity-apache_2.7.5.tar.gz
-/modsecurity-apache_2.7.5.tar.gz.sha256
-/v2.7.6.tar.gz
-/modsecurity-apache_2.7.7.tar.gz
-/modsecurity-apache_2.7.7.tar.gz.sha256
-/modsecurity-2.8.0.tar.gz
-/modsecurity-2.8.0.tar.gz.sha256
-/modsecurity-2.9.0.tar.gz
-/modsecurity-2.9.1.tar.gz
-/modsecurity-2.9.2.tar.gz
-/modsecurity-2.9.3.tar.gz
-/modsecurity-2.9.4.tar.gz
-/modsecurity-2.9.5.tar.gz
-/modsecurity-2.9.6.tar.gz
-/modsecurity-2.9.7.tar.gz

0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch

@@ -0,0 +1,28 @@
+From 84f2299f6b3b56cf5342ad378c3641be548bf79c Mon Sep 17 00:00:00 2001
+From: Felipe Zimmerle <fcosta@trustwave.com>
+Date: Mon, 3 Nov 2014 10:13:21 -0800
+Subject: [PATCH] mlogc: Changes the default SSL algo to TLS 1.2
+
+As reported by Josh Amishav-Zlatin, mlogc was making usage of SSLv3 instead of
+TLS 1.2. Servers should not answer SSLv3 after poodle.
+---
+ mlogc/mlogc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mlogc/mlogc.c b/mlogc/mlogc.c
+index 4163230..c4b2a23 100644
+--- a/mlogc/mlogc.c
++++ b/mlogc/mlogc.c
+@@ -1218,8 +1218,8 @@ static void logc_init(void)
+         curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
+         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+-        /* SSLv3 works better overall as some servers have issues with TLS */
+-        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
++        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
++
+         curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
+         curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
+         curl_easy_setopt(curl, CURLOPT_HEADER, TRUE);
+--
+1.9.1

mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch

@@ -0,0 +1,23 @@
+diff -ru modsecurity-apache_2.7.3.orig/apache2/msc_reqbody.c modsecurity-apache_2.7.3/apache2/msc_reqbody.c
+--- modsecurity-apache_2.7.3.orig/apache2/msc_reqbody.c	2013-03-24 08:12:29.000000000 +0100
++++ modsecurity-apache_2.7.3/apache2/msc_reqbody.c	2013-05-28 14:48:39.063673996 +0100
+@@ -170,6 +170,7 @@
+ 
+     /* Would storing this chunk mean going over the limit? */
+     if ((msr->msc_reqbody_spilltodisk)
++        && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
+         && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
+     {
+         msc_data_chunk **chunks;
+diff -ru modsecurity-apache_2.7.3.orig/apache2/re_operators.c modsecurity-apache_2.7.3/apache2/re_operators.c
+--- modsecurity-apache_2.7.3.orig/apache2/re_operators.c	2013-03-24 08:12:29.000000000 +0100
++++ modsecurity-apache_2.7.3/apache2/re_operators.c	2013-05-28 14:49:30.448696404 +0100
+@@ -369,7 +369,7 @@
+ /* rsub */
+ 
+ static char *param_remove_escape(msre_rule *rule, char *str, int len)  {
+-    char *parm = apr_palloc(rule->ruleset->mp, len);
++    char *parm = apr_pcalloc(rule->ruleset->mp, len);
+     char *ret = parm;
+ 
+     for(;*str!='\0';str++)    {

mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch

@@ -0,0 +1,25 @@
+From f8d441cd25172fdfe5b613442fedfc0da3cc333d Mon Sep 17 00:00:00 2001
+From: Breno Silva <breno.silva@gmail.com>
+Date: Wed, 4 Sep 2013 08:57:07 -0300
+Subject: [PATCH] Fix Chunked string case sensitive issue - CVE-2013-5705
+
+---
+ apache2/modsecurity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
+index 6b77132..b36775d 100644
+--- a/apache2/modsecurity.c
++++ b/apache2/modsecurity.c
+@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
+     if (msr->request_content_length == -1) {
+         /* There's no C-L, but is chunked encoding used? */
+         char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
+-        if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
++        if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
+             msr->reqbody_should_exist = 1;
+             msr->reqbody_chunked = 1;
+         }
+-- 
+1.9.1
+

mod_security-2.9.3-remote-rules-timeout.patch

@@ -1,85 +0,0 @@
-diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
-index 80f8f2b..7912d84 100644
---- a/apache2/apache2_config.c
-+++ b/apache2/apache2_config.c
-@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
- }
- 
- 
-+static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
-+{
-+    directory_config *dcfg = (directory_config *)_dcfg;
-+    long int timeout;
-+
-+    if (dcfg == NULL) return NULL;
-+
-+    timeout = strtol(p1, NULL, 10);
-+    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
-+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
-+    }
-+
-+    remote_rules_timeout = timeout;
-+
-+    return NULL;
-+}
-+
-+
- static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
- {
-     if (strcasecmp(p1, "on") == 0) {
-@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
-         "Abort or Warn"
-     ),
- 
-+    AP_INIT_TAKE1 (
-+        "SecRemoteTimeout",
-+        cmd_remote_timeout,
-+        NULL,
-+        CMD_SCOPE_ANY,
-+        "timeout in seconds"
-+    ),
-+
- 
-     AP_INIT_TAKE1 (
-         "SecXmlExternalEntity",
-diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
-index 7bb215e..c155495 100644
---- a/apache2/mod_security2.c
-+++ b/apache2/mod_security2.c
-@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
- #endif
- int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
- char DSOLOCAL *remote_rules_fail_message = NULL;
-+unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
-+
- 
- int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
- 
-diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
-index f24bc75..8bcd453 100644
---- a/apache2/modsecurity.h
-+++ b/apache2/modsecurity.h
-@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
- #endif
- extern DSOLOCAL int remote_rules_fail_action;
- extern DSOLOCAL char *remote_rules_fail_message;
-+extern DSOLOCAL unsigned long int remote_rules_timeout;
- 
- extern DSOLOCAL int status_engine_state;
- 
-diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
-index 99968f0..b8db13e 100644
---- a/apache2/msc_remote_rules.c
-+++ b/apache2/msc_remote_rules.c
-@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
-         /* We want Curl to return error in case there is an HTTP error code */
-         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
- 
-+        /* In case we want different timeout than a default one */
-+        if (remote_rules_timeout != NOT_SET){
-+            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
-+        }
-+
-         res = curl_easy_perform(curl);
- 
-         if (res != CURLE_OK)

mod_security-2.9.7-send_error_bucket.patch

@@ -1,30 +0,0 @@
-From b2fa083522c70368c7ab911696dcb87dde5dc688 Mon Sep 17 00:00:00 2001
-From: Tomas Korbar <tkorbar@redhat.com>
-Date: Thu, 22 Dec 2022 14:49:34 +0100
-Subject: [PATCH] Clear original response code in send_error_bucket function
-
-If this is left intact, then apache thinks that this code
-was generated during processing of ErrorDocument and does not
-handle it properly
-
-Fix #2849
----
- apache2/apache2_util.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/apache2/apache2_util.c b/apache2/apache2_util.c
-index cdae2b580..520a30f2f 100644
---- a/apache2/apache2_util.c
-+++ b/apache2/apache2_util.c
-@@ -31,6 +31,11 @@ apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) {
-     /* Set the status line explicitly for the error document */
-     f->r->status_line = ap_get_status_line(status);
- 
-+    /* Clear previously set response code to make clear that this is
-+     * not a recursive error
-+     */
-+    f->r->status = 200;
-+
-     brigade = apr_brigade_create(f->r->pool, f->r->connection->bucket_alloc);
-     if (brigade == NULL) return APR_EGENERAL;
- 

mod_security-fix-build-with-libxml29.patch

@@ -0,0 +1,82 @@
+--- apache2/msc_crypt.c.orig	2012-10-18 10:42:43.381000000 +0100
++++ apache2/msc_crypt.c	2012-10-18 10:46:52.442000000 +0100
+@@ -1079,6 +1079,70 @@
+ 
+     htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
+ 
++#ifdef  LIBXML2_NEW_BUFFER
++
++    if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) {
++
++        if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
++            xmlOutputBufferClose(output_buf);
++            xmlFreeDoc(msr->crypto_html_tree);
++            msr->of_stream_changed = 0;
++            return -1;
++        }
++
++        if(msr->stream_output_data != NULL) {
++            free(msr->stream_output_data);
++            msr->stream_output_data =  NULL;
++        }
++
++        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
++        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
++
++        if (msr->stream_output_data == NULL) {
++            xmlOutputBufferClose(output_buf);
++            xmlFreeDoc(msr->crypto_html_tree);
++            return -1;
++        }
++
++        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
++        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
++
++        if (msr->txcfg->debuglog_level >= 4)
++            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
++
++    } else {
++
++        if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
++            xmlOutputBufferClose(output_buf);
++            xmlFreeDoc(msr->crypto_html_tree);
++            msr->of_stream_changed = 0;
++            return -1;
++        }
++
++        if(msr->stream_output_data != NULL) {
++            free(msr->stream_output_data);
++            msr->stream_output_data =  NULL;
++        }
++
++        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
++        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
++
++        if (msr->stream_output_data == NULL) {
++            xmlOutputBufferClose(output_buf);
++            xmlFreeDoc(msr->crypto_html_tree);
++            return -1;
++        }
++
++        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
++        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
++
++        if (msr->txcfg->debuglog_level >= 4)
++            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
++
++    }
++
++#else
++
+     if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) {
+ 
+         if(output_buf->buffer == NULL || output_buf->buffer->use == 0)  {
+@@ -1139,6 +1203,8 @@
+ 
+     }
+ 
++#endif
++
+     xmlOutputBufferClose(output_buf);
+ 
+     content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length);

mod_security-fix-error-500-for-invalid-requests.patch

@@ -0,0 +1,49 @@
+From f9c253952c564ffefd6c10b8327ef836832facea Mon Sep 17 00:00:00 2001
+From: root <root@ip-10-124-52-70.us-east-1.aws.cloud.in.here.com>
+Date: Fri, 29 Jan 2016 08:43:28 +0000
+Subject: [PATCH] This is fix for reborn of
+ https://github.com/SpiderLabs/ModSecurity/issues/334 This bug has been
+ reborn, because Apache (at least in RedHat/CentOS) since version 2.2.15-47
+ returns in same case APR_INCOMPLETE (not APR_EOF). Based on same patch I have
+ added handler for APR_INCOMPLETE.
+
+---
+ apache2/apache2_io.c    | 3 +++
+ apache2/mod_security2.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c
+index 0d59613..c14dd41 100644
+--- a/apache2/apache2_io.c
++++ b/apache2/apache2_io.c
+@@ -208,6 +208,9 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
+              *      too large and APR_EGENERAL when the client disconnects.
+              */
+             switch(rc) {
++                case APR_INCOMPLETE :
++                    *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
++                    return -7;
+                 case APR_EOF :
+                     *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+                     return -6;
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 5404fd8..14e9f44 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -1030,6 +1030,13 @@ static int hook_request_late(request_rec *r) {
+                 r->connection->keepalive = AP_CONN_CLOSE;
+                 return HTTP_BAD_REQUEST;
+                 break;
++            case -7 : /* Partial recieved */
++                if (my_error_msg != NULL) {
++                    msr_log(msr, 4, "%s", my_error_msg);
++                }
++                r->connection->keepalive = AP_CONN_CLOSE;
++                return HTTP_BAD_REQUEST;
++                break;
+             default :
+                 /* allow through */
+                 break;
+-- 
+2.7.4
+

mod_security.conf

@@ -1,4 +1,8 @@
 <IfModule mod_security2.c>
+    # ModSecurity Core Rules Set configuration
+	Include modsecurity.d/*.conf
+	Include modsecurity.d/activated_rules/*.conf
+    
     # Default recommended configuration
     SecRuleEngine On
     SecRequestBodyAccess On
@@ -11,7 +15,7 @@
     SecRule REQBODY_ERROR "!@eq 0" \
     "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
     SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
+    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
     failed strict validation: \
     PE %{REQBODY_PROCESSOR_ERROR}, \
     BQ %{MULTIPART_BOUNDARY_QUOTED}, \
@@ -47,10 +51,4 @@
     SecCookieFormat 0
     SecTmpDir /var/lib/mod_security
     SecDataDir /var/lib/mod_security
-
-    # ModSecurity Core Rules Set and Local configuration
-	Include modsecurity.d/*.conf
-	Include modsecurity.d/activated_rules/*.conf
-	Include modsecurity.d/local_rules/*.conf
-    
 </IfModule>

mod_security.spec

@@ -1,98 +1,69 @@
 %{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
-%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
 # /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
 %{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
 %{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
 %{!?_httpd_moddir:    %{expand: %%global _httpd_moddir    %%{_libdir}/httpd/modules}}
 
-%bcond_without mlogc
+%global with_mlogc 0%{?fedora} || 0%{?rhel} <= 6
 
 Summary: Security module for the Apache HTTP Server
-Name: mod_security
+Name: mod_security 
-Version: 2.9.7
+Version: 2.7.3
-Release: 6%{?dist}
+Release: 5%{?dist}
-License: Apache-2.0
+License: ASL 2.0
 URL: http://www.modsecurity.org/
-Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
+Group: System Environment/Daemons
+Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
 Source2: 10-mod_security.conf
-Source3: modsecurity_localrules.conf
+Patch0: mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch
-Patch0: modsecurity-2.9.3-lua-54.patch
+Patch1: mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch
-Patch1: modsecurity-2.9.3-apulibs.patch
+Patch2: mod_security-fix-error-500-for-invalid-requests.patch
-Patch2: mod_security-2.9.3-remote-rules-timeout.patch
+Patch3: 0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch
-Patch3: mod_security-2.9.7-send_error_bucket.patch
-
 Requires: httpd httpd-mmn = %{_httpd_mmn}
-%if 0%{?fedora} || 0%{?rhel} > 7
+BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
-# Ensure apache user exists for file ownership
-Requires(pre): httpd-filesystem
-%endif
-
-BuildRequires: gcc, make, autoconf, automake, libtool
-BuildRequires: httpd-devel
-BuildRequires: perl-generators
-BuildRequires: pcre2-devel
-BuildRequires: pkgconfig(libcurl)
-BuildRequires: pkgconfig(libxml-2.0)
-BuildRequires: pkgconfig(lua)
-
-# Workarround for EL6
-%if 0%{?el6}
-BuildRequires: yajl-devel
-%else
-BuildRequires: pkgconfig(yajl)
-%endif
-
 
 %description
 ModSecurity is an open source intrusion detection and prevention engine
 for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.
 
-%if %{with mlogc}
+%if %with_mlogc
-%package        mlogc
+%package -n     mlogc
 Summary:        ModSecurity Audit Log Collector
+Group:          System Environment/Daemons
 Requires:       mod_security
-%if 0%{?fedora} || 0%{?rhel} > 7
-# Ensure apache user exists for file ownership
-Requires(pre):  httpd-filesystem
-%endif
 
-%description mlogc
+%description -n mlogc
 This package contains the ModSecurity Audit Log Collector.
 %endif
 
 %prep
-%autosetup -p1 -n modsecurity-%{version}
+%setup -q -n modsecurity-apache_%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
-./autogen.sh
 %configure --enable-pcre-match-limit=1000000 \
            --enable-pcre-match-limit-recursion=1000000 \
-           --with-apxs=%{_httpd_apxs} \
+           --with-apxs=%{_httpd_apxs}
-           --with-yajl \
-           --with-pcre2 \
-           --disable-static
-
 # remove rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 
 make %{_smp_mflags}
 
-%check
-# Test suite does not start because of some issue in shipped httpd config (fix upstreamed in PR #669)
-# After the fix, the test suite starts but still fails
-#make test
-#make test-regression
-
 %install
+rm -rf %{buildroot}
+
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_bindir}
 install -d %{buildroot}%{_httpd_moddir}
 install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
 install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
-install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/local_rules
 
 install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_httpd_moddir}/mod_security2.so
 
@@ -108,11 +79,8 @@ cat %{SOURCE2} %{SOURCE1} > %{buildroot}%{_httpd_confdir}/mod_security.conf
 %endif
 install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
 
-# Local rules example
-install -Dp -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/local_rules/
-
 # mlogc
-%if %{with mlogc}
+%if %with_mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc/data
 install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
@@ -120,9 +88,12 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif
 
+%clean
+rm -rf %{buildroot}
 
 %files
-%doc CHANGES LICENSE README.* NOTICE
+%defattr (-,root,root)
+%doc CHANGES LICENSE README.TXT NOTICE
 %{_httpd_moddir}/mod_security2.so
 %config(noreplace) %{_httpd_confdir}/*.conf
 %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
@@ -130,12 +101,11 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif
 %dir %{_sysconfdir}/httpd/modsecurity.d
 %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
-%dir %{_sysconfdir}/httpd/modsecurity.d/local_rules
-%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/local_rules/*.conf
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
 
-%if %{with mlogc}
+%if %with_mlogc
-%files mlogc
+%files -n mlogc
+%defattr (-,root,root)
 %doc mlogc/INSTALL
 %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
 %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
@@ -145,191 +115,14 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif
 
 %changelog
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-6
+* Wed Apr 26 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 2.7.3-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Change mlogc default SSL algo (RHBZ #1441614) 
 
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-5
+* Thu Jun 16 2016 Athmane Madjoudj <athmane@fedoraproject.org> - 2.7.3-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Add a fix for failing on PUT/POST requests with http 500 error  (RHBZ #1344471)
 
-* Tue Jan 02 2024 Tomas Korbar <tkorbar@redhat.com> - 2.9.7-4
+* Tue Apr 01 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-3
-- Clear original response code in send_error_bucket function
+- Fix Chunked string case sensitive issue (CVE-2013-5705, RHBZ #1082904 #1082905 #1082906)
-
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Fri Jun 02 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.9.7-2
-- SPDX migration
-
-* Thu Apr 13 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.9.7-1
-- new version 2.9.7
-- use pcre2 instead of deprecated pcre (rhbz #2128330)
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Wed Sep 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.6-1
-- new version 2.9.6
-
-* Wed Aug 31 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.5-1
-- new version 2.9.5
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Wed Aug 18 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.9.4-1
-- new version 2.9.4
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-11
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-10
-- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
-  timeout for retrieving the rules
-- rename mlogc to mod_security-mlogc
-
-* Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
-- don't link against redundant apr-util dependent libraries
-
-* Sat Aug 08 2020 Othman Madjoudj <athmane@fedoraproject.org> - 2.9.3-7
-- Add a patch to fix build with Lua 5.4 until we completely switch to mod_sec3 as default
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-6
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Sun Dec 09 2018 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.3-1
-- Update to 2.9.3
-
-* Fri Nov 16 2018 Joe Orton <jorton@redhat.com> - 2.9.2-7
-- Requires(pre): httpd-filesystem to ensure apache user exists
-- enable mlogc everywhere, use buildcond to disable
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Sun Feb 18 2018 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.2-5
-- Add gcc and make as BR (minimal buildroot change)
-
-* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Fri Jul 21 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.2-1
-- Update to 2.9.2
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Wed Mar 09 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.1-1
-- Update to final 2.9.1
-- Minor spec fix.
-
-* Tue Mar 08 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.1-0.1.rc1
-- Add workaround for el6
-
-* Tue Mar 08 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.1-0.rc1
-- Update to 2.9.1-rc1
-- Remove upstreamed patch
-
-* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Fri Oct 02 2015 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.0-5
-- Update BuildRequires using pkgconfig name schema
-
-* Tue Sep 01 2015 Athmane Madjoudj <athmane@fedoraproject.org>  2.9.0-4
-- Add yajl support
-
-* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Fri Feb 13 2015 Athmane Madjoudj <athmane@fedoraproject.org> 2.9.0-2
-- Remove curl version dep. since it no longer required
-
-* Fri Feb 13 2015 Athmane Madjoudj <athmane@fedoraproject.org>  2.9.0-1
-- Update to 2.9.0
-- Remove backported patch
-- Add patch to fix lua 5.3 build issue (PR #837)
-
-* Tue Nov 04 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-7
-- Make sure mod_security is built with correct curl version
-
-* Mon Nov 03 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-6
-- Changes the default SSL version to TLS 1.2 since SSLv3 is vulnerable to poodle
-
-* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Fri Aug 15 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-4
-- Add support for user-provided configurations and rules (rhbz #1129843)
-
-* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Wed Apr 16 2014  Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-1
-- Update to 2.8.0 Final
-
-* Thu Apr 03 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-0.rc1
-- Update to 2.8.0-RC1
-
-* Tue Mar 04 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-6
-- Fix status code in the configuration file (upstream PR #666)
-
-* Sat Mar 01 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-5
-- Fix rpmlint warnings
-
-* Thu Feb 27 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-4
-- Add check section
-
-* Sat Feb 22 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-3
-- Fix bogus date in chanelog
-
-* Thu Jan 23 2014 Joe Orton <jorton@redhat.com> - 2.7.7-2
-- fix _httpd_mmn expansion in absence of httpd-devel
-
-* Thu Dec 19 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.7-1
-- Update to 2.7.7
-- Fix the spec file since upstream fixed the bugs reported.
-
-* Tue Dec 17 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.6-2
-- Add autotools deps
-
-* Tue Dec 17 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.6-1
-- Update to 2.7.6
-- Fix spec since upstream will only provide tarball via Github
-
-* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 2.7.5-2
-- Perl 5.18 rebuild
-
-* Tue Jul 30 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.5-1
-- Update to 2.7.5
-
-* Thu Jul 18 2013 Petr Pisar <ppisar@redhat.com> - 2.7.4-2
-- Perl 5.18 rebuild
-
-* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.4-1
-- Update to 2.7.4
-- Drop non required patch
 
 * Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-2
 - Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
@@ -405,7 +198,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.13-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
-* Tue  May 3 2011 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.13-1
+* Wed May 3 2011 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.13-1
 - Newer upstream version
 
 * Wed Jun 30 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-3
@@ -453,7 +246,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 * Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.1.5-3
 - Autorebuild for GCC 4.3
 
-* Sun Jan 27 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.5-2
+* Sat Jan 27 2008 Michael Fleming <mfleming+rpm@enlartenment.com> 2.1.5-2
 - Update to 2.1.5 (bz#425986)
 - "blocking" -> "optional_rules" per tarball ;-)
 

modsecurity-2.9.3-apulibs.patch

@@ -1,14 +0,0 @@
-
-Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
-
---- modsecurity-2.9.3/build/find_apu.m4.apulibs
-+++ modsecurity-2.9.3/build/find_apu.m4
-@@ -59,7 +59,7 @@
-     APU_CFLAGS="`${APU_CONFIG} --includes`"
-     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
-     APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
--    APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
-+    APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
-     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
-     APU_LDADD="`${APU_CONFIG} --link-libtool`"
-     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi

modsecurity-2.9.3-lua-54.patch

@@ -1,31 +0,0 @@
-diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c
---- modsecurity-2.9.3/apache2/msc_lua.c	2018-12-04 18:49:37.000000000 +0000
-+++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c	2020-08-08 16:55:14.936045777 +0000
-@@ -429,12 +429,12 @@
- #else
- 
-     /* Create new state. */
--#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 501
-+#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 501 || LUA_VERSION_NUM == 504
-     L = luaL_newstate();
- #elif LUA_VERSION_NUM == 500
-     L = lua_open();
- #else
--#error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.
-+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3 or 5.4.
- #endif
-     luaL_openlibs(L);
- 
-@@ -459,10 +459,10 @@
-     /* Register functions. */
- #if LUA_VERSION_NUM == 500 || LUA_VERSION_NUM == 501
-     luaL_register(L, "m", mylib);
--#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503
-+#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504
-     luaL_setfuncs(L, mylib, 0);
- #else
--#error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.
-+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3 or 5.4.
- #endif
- 
-     lua_setglobal(L, "m");

modsecurity_localrules.conf

@@ -1,9 +1,2 @@
-# User defined rules and settings .
+# Drop your local rules in here.
-#
-# You can use this file/directory to drop your local rules or
-# to remove some rules provided by mod_security_crs package with SecRuleRemoveById
-#
-# You can also disable mod_security for some incompatible web applications (eg. phpMyAdmin).
-#
-#
 

sources

@@ -1 +1 @@
-SHA512 (modsecurity-2.9.7.tar.gz) = a333d142f0dedf332a3cccca8267ccf9193cd4ad5a026b3cdbe0713dd1f3edde33739eae8baced2c63409cc0b220001e0a226ea032874a97c08e4065eb1fbdd5
+4a220bf4b954ed1760462e5956f65b21  modsecurity-apache_2.7.3.tar.gz