Hello community,

here is the log from the commit of package apache2-mod_security2.2940 for openSUSE:12.3:Update checked in at 2014-08-20 18:30:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/apache2-mod_security2.2940 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.apache2-mod_security2.2940.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_security2.2940"

Changes:
--------
New Changes file:

--- /dev/null   2014-07-24 01:57:42.080040256 +0200
+++ 
/work/SRC/openSUSE:12.3:Update/.apache2-mod_security2.2940.new/apache2-mod_security2.changes
        2014-08-20 18:30:26.000000000 +0200
@@ -0,0 +1,174 @@
+-------------------------------------------------------------------
+Wed Aug  6 15:16:21 CEST 2014 - [email protected]
+
+- correction to last patch: use function m_strcasestr() as substitute
+  for strstr(). [bnc#871309] CVE-2013-5705
+
+-------------------------------------------------------------------
+Thu Jul 31 14:29:07 CEST 2014 - [email protected]
+
+- 
apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
+  Fix for a flaw with which restrictions imposed by mod_security2
+  could be bypassed with chunked requests.
+  [bnc#871309] CVE-2013-5705
+
+-------------------------------------------------------------------
+Wed Jul 31 17:33:48 CEST 2013 - [email protected]
+
+- complete overhaul of this package, with update to 2.7.5.
+- ruleset update to 2.2.8-0-g0f07cbb.
+- new configuration framework private to mod_security2:
+  /etc/apache2/conf.d/mod_security2.conf loads
+  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
+  then /etc/apache2/mod_security2.d/*.conf , as set up based on
+  advice in /etc/apache2/conf.d/mod_security2.conf
+  Your configuration starting point is
+  /etc/apache2/conf.d/mod_security2.conf
+- !!! Please note that mod_unique_id is needed for mod_security2 to run!
+- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
+  linker parameter, preventing rpath in shared object.
+- fixes contained for the following bugs:
+  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
+  * [bnc#768293] multi-part bypass, minor threat
+  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
+  * CVE-2012-4528 [bnc#789393] rule bypass
+  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
+- new from 2.5.9 to 2.7.5, only major changes:
+  * GPLv2 replaced by Apache License v2
+  * rules are not part of the source tarball any longer, but
+    maintaned upstream externally, and included in this package.
+  * documentation was externalized to a wiki. Package contains
+    the FAQ and the reference manual in html form.
+  * renamed the term "Encryption" in directives that actually refer
+    to hashes. See CHANGES file for more details.
+  * new directive SecXmlExternalEntity, default off
+  * byte conversion issues on s390x when logging fixed.
+  * many small issues fixed that were discovered by a Coverity scanner
+  * updated reference manual
+  * wrong time calculation when logging for some timezones fixed.
+  * replaced time-measuring mechanism with finer granularity for
+    measured request/answer phases. (Stopwatch remains for compat.)
+  * cookie parser memory leak fix
+  * parsing of quoted strings in multipart Content-Disposition
+    headers fixed.
+  * SDBM deadlock fix
+  * @rsub memory leak fix
+  * cookie separator code improvements
+  * build failure fixes
+  * compile time option --enable-htaccess-config (set)
+
+-------------------------------------------------------------------
+Mon Aug 27 11:43:47 UTC 2012 - [email protected]
+
+- license update: Apache-2.0 and GPL-2.0
+  Many of the files in the rules/ subdirectory are GPL-2.0 licensed
+
+-------------------------------------------------------------------
+Mon Aug  6 20:59:45 UTC 2012 - [email protected]
+
+- Update to version 2.6.7, fixes build in apache 2.4
+- Update spec file macros. 
+
+-------------------------------------------------------------------
+Sat Sep 17 11:20:39 UTC 2011 - [email protected]
+
+- Remove redundant tags/sections from specfile
+- Use %_smp_mflags for parallel build
+
+-------------------------------------------------------------------
+Wed Jul  6 04:33:49 CEST 2011 - [email protected]
+
+- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
+  - SecUnicodeCodePage and SecUnicodeMapFile directives added
+  - fixed bug: SecRequestBodyLimit was truncating the real request 
+    body
+  additional fixes from 2.6.0:
+  - buffering filter problems fixed
+  - memory leak fix when using MATCHED_VAR_NAMES
+  - SecWriteStateLimit added against slow DoS
+  additional fixes from 2.6.0 release candidates:
+  - optimizations
+  - bug in logging code fixed
+  - cleanup
+  - google safe browsing support
+
+-------------------------------------------------------------------
+Thu May 14 18:05:26 CEST 2009 - [email protected]
+
+- update to version 2.5.9
+  - Fixed parsing multipart content with a missing part header name
+    which would crash Apache.  Discovered by "Internet Security
+    Auditors" (isecauditors.com).
+  - Added ability to specify the config script directly using
+    --with-apr and --with-apu.
+  - Added macro expansion for append/prepend action.
+  - Fixed race condition in concurrent updates of persistent
+    counters.  Updates are now atomic.
+  - Cleaned up build, adding an option for verbose configure output
+    and making the mlogc build more portable.
+- additional changes from 2.5.8
+  - Fixed PDF XSS issue where a non-GET request for a PDF file
+    would crash the Apache httpd process.  Discovered by Steve
+    Grubb at Red Hat.
+  - Removed an invalid "Internal error: Issuing "%s" for
+    unspecified error." message that was logged when denying with
+    nolog/noauditlog set and causing the request to be audited.
+- additional changes from 2.5.7
+  - Fixed XML DTD/Schema validation which will now fail after
+    request body processing errors, even if the XML parser returns
+    a document tree.
+  - Added ctl:forceRequestBodyVariable=on|off which, when enabled,
+    will force the REQUEST_BODY variable to be set when a request
+    body processor is not set.  Previously the REQUEST_BODY target
+    was only populated by the URLENCODED request body processor.
+  - Integrated mlogc source.
+  - Fixed logging the hostname in the error_log which was logging
+    the request hostname instead of the Apache resolved hostname.
+  - Allow for disabling request body limit checks in phase:1.
+  - Added transformations for processing parity for legacy
+    protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
+    t:parityZero7bit
+  - Added t:cssDecode transformation to decode CSS escapes.
+  - Now log XML parsing/validation warnings and errors to be in the
+    debug log at levels 3 and 4, respectivly.
+- build and package mlogc
+- remove --with-apxs from the configure args as it breaks the build
+  configure now finds our apxs2
+
+-------------------------------------------------------------------
+Fri Jan 23 16:56:55 CET 2009 - [email protected]
+
+- fix broken config [bnc#457200]
+
+-------------------------------------------------------------------
+Mon Sep 15 14:05:05 CEST 2008 - [email protected]
+
+- update to version 2.5.6
+- initial submit to FACTORY
+
+-------------------------------------------------------------------
+Mon May 12 05:25:07 CEST 2008 - [email protected]
+
+-update to 2.1.7
+
+-------------------------------------------------------------------
+Thu Feb 3 05:44:12 CEST 2008 - [email protected]
+
+-update to 2.1.6
+
+-------------------------------------------------------------------
+Wed Aug  8 05:36:42 CEST 2007 - [email protected]
+
+- update to 2.1.2
+
+-------------------------------------------------------------------
+Mon Apr 16 10:34:05 CEST 2007 - [email protected]
+
+- update to 2.1.1
+- switched to perl based patching instead of cmdline params for make
+
+-------------------------------------------------------------------
+Fri Sep 22 08:31:51 CEST 2006 - [email protected]
+
+- fix build (./install was vanished)
+

New:
----
  ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
  README-SUSE-mod_security2.txt
  Reference-Manual.html.bz2
  SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
  apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
  apache2-mod_security2.changes
  apache2-mod_security2.spec
  mod_security2.conf
  modsecurity-apache_2.7.5-build_fix_pcre.diff
  modsecurity-apache_2.7.5.tar.gz
  modsecurity_diagram_apache_request_cycle.jpg

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_security2.spec ++++++
#
# spec file for package apache2-mod_security2
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           apache2-mod_security2
Version:        2.7.5
Release:        0
%define aversion 2.7.5
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  apache2-devel
BuildRequires:  apache2-prefork
BuildRequires:  c++_compiler
BuildRequires:  curl-devel
BuildRequires:  libxml2-devel
BuildRequires:  pcre-devel
%define apache        apache2
%define modname       mod_security2
%define tarballname   modsecurity-apache_%{aversion}
%define refman        Reference-Manual.html
%define faq           ModSecurity-Frequently-Asked-Questions-FAQ.html
%define usrsharedir %{_prefix}/share/%{name}

%{!?apxs: %global apxs /usr/sbin/apxs2}
%{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)}
%{!?apache_sysconfdir: %global apache_sysconfdir %(%{apxs} -q SYSCONFDIR)}  
%{!?apache_includedir: %global apache_includedir %(%{apxs} -q INCLUDEDIR)}
%{!?apache_serverroot: %global apache_serverroot %(%{apxs} -q PREFIX)}
%{!?apache_localstatedir: %global apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)}
%{!?apache_mmn: %global apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)}

Requires:       %{apache_mmn}
Requires:       apache2
#
Url:            http://www.modsecurity.org/
Source:         http://www.modsecurity.org/download/%{tarballname}.tar.gz
Source1:        https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
Source2:        mod_security2.conf
Source3:        %{refman}.bz2
Source4:        %{faq}.bz2
Source5:        modsecurity_diagram_apache_request_cycle.jpg
Source6:        README-SUSE-mod_security2.txt
#
Patch0:         modsecurity-apache_2.7.5-build_fix_pcre.diff
Patch1:         apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
Summary:        ModSecurity Open Source Web Application Firewall
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers

%description
ModSecurity(TM) is an open source intrusion detection and prevention
engine for web applications (or a web application firewall). Operating
as an Apache Web server module or standalone, the purpose of
ModSecurity is to increase web application security, protecting web
applications from known and unknown attacks.

The modsecurity team also offer a commercial version of their excellent
ruleset. Please have a look at http://www.modsecurity.org/ for more details.


%prep
%setup -n %{tarballname}
#tar -xvjpf %{S:2}
%setup -D -T -a 1 -n %{tarballname}
mv -v SpiderLabs* rules
bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman}
bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq}
%patch0
%patch1
#%patch2

%build
%configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
make %{?_smp_mflags}

%install
pushd %{apache}
  install -d -m 0755 %{buildroot}%{apache_libexecdir}
  install -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
popd
install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
cp -a %{SOURCE6} doc
install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc
install -m 0644 %{SOURCE5} doc
install -d -m 0755 %{buildroot}/%{usrsharedir}
install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
install -d -m 0755 %{buildroot}/%{usrsharedir}
rm -f rules/.gitignore rules/LICENSE
cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools
find rules -type f -print0 | \
  xargs -0 chmod 644
cp -a rules %{buildroot}/%{usrsharedir}
rm -rf %{buildroot}/%{usrsharedir}/rules/util
rm -rf %{buildroot}/%{usrsharedir}/rules/lua
rm -f %{buildroot}/%{usrsharedir}/rules/READM*
rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG
mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
  %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf

%clean
%{__rm} -rf %{buildroot};
%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman}

%files
%defattr(-, root, root, 0755)
%{apache_libexecdir}/%{modname}.so
%config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
%dir %{apache_sysconfdir}/mod_security2.d
%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
%dir %{usrsharedir}
#%dir %{usrsharedir}/tools
#%dir %{usrsharedir}/rules
%doc README.TXT CHANGES LICENSE NOTICE authors.txt
%{usrsharedir}
#%{usrsharedir}/rules/activated_rules
#%{usrsharedir}/rules/base_rules
#%{usrsharedir}/rules/experimental_rules
#%{usrsharedir}/rules/optional_rules
#%{usrsharedir}/rules/slr_rules
%doc doc/*
#rules/util/regression_tests

%changelog
++++++ README-SUSE-mod_security2.txt ++++++

#
# Dear Administrator,
#
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Your starting point for the configuration of mod_security2 is
# /etc/apache2/conf.d/mod_security2.conf .
# Please see that file for comments on how to activate the module
# and on how to assign rules.
#

++++++ apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff ++++++
diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/modsecurity.c 
./apache2/modsecurity.c
--- ../modsecurity-apache_2.7.5-o/apache2/modsecurity.c 2013-07-28 
05:58:49.000000000 +0200
+++ ./apache2/modsecurity.c     2014-07-31 15:32:26.000000000 +0200
@@ -270,61 +270,61 @@
     return APR_SUCCESS;
 }
 
 /**
  *
  */
 apr_status_t modsecurity_tx_init(modsec_rec *msr) {
     const char *s = NULL;
     const apr_array_header_t *arr;
     char *semicolon = NULL;
     char *comma = NULL;
     apr_table_entry_t *te;
     int i;
 
     /* Register TX cleanup */
     apr_pool_cleanup_register(msr->mp, msr, modsecurity_tx_cleanup, 
apr_pool_cleanup_null);
 
     /* Initialise C-L */
     msr->request_content_length = -1;
     s = apr_table_get(msr->request_headers, "Content-Length");
     if (s != NULL) {
         msr->request_content_length = strtol(s, NULL, 10);
     }
 
     /* Figure out whether this request has a body */
     msr->reqbody_chunked = 0;
     msr->reqbody_should_exist = 0;
     if (msr->request_content_length == -1) {
         /* There's no C-L, but is chunked encoding used? */
         char *transfer_encoding = (char *)apr_table_get(msr->request_headers, 
"Transfer-Encoding");
-        if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") 
!= NULL)) {
+        if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, 
"chunked") != NULL)) {
             msr->reqbody_should_exist = 1;
             msr->reqbody_chunked = 1;
         }
     } else {
         /* C-L found */
         msr->reqbody_should_exist = 1;
     }
 
     /* Initialise C-T */
     msr->request_content_type = NULL;
     s = apr_table_get(msr->request_headers, "Content-Type");
     if (s != NULL) msr->request_content_type = s;
 
     /* Decide what to do with the request body. */
     if ((msr->request_content_type != NULL)
        && (strncasecmp(msr->request_content_type, 
"application/x-www-form-urlencoded", 33) == 0))
     {
         /* Always place POST requests with
          * "application/x-www-form-urlencoded" payloads in memory.
          */
         msr->msc_reqbody_storage = MSC_REQBODY_MEMORY;
         msr->msc_reqbody_spilltodisk = 0;
         msr->msc_reqbody_processor = "URLENCODED";
     } else {
         /* If the C-L is known and there's more data than
          * our limit go to disk straight away.
          */
         if ((msr->request_content_length != -1)
            && (msr->request_content_length > 
msr->txcfg->reqbody_inmemory_limit))
         {
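Review bot: replacing strstr() with m_strcasestr() is the right change for this hunk, because transfer-coding names are case-insensitive and the old exact-case test recognised only a lowercase "chunked", which is the restriction-bypass condition the changelog describes for CVE-2013-5705; the hunk does not show a declaration of m_strcasestr(), so confirm that apache2/modsecurity.c includes the header providing it, otherwise the build fails with an implicit-declaration error. Unchanged context worth noting while here: the Content-Length branch above still uses strtol(s, NULL, 10) with no check for trailing garbage or overflow, and the chunked test only runs when no Content-Length header was seen, so a request carrying both headers is handled by the "C-L found" branch; whether that is acceptable is outside this patch.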
++++++ mod_security2.conf ++++++

# Dear administrator/webmaster,
#
# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
# the configuration of mod_security2.
# Please read this text down to line 63 for information about activation
# and configuration of the mod_security2 apache module.
#
# To activate mod_security2, its apache module must be configured to be
# loaded when apache starts. The mod_security2 apache module depends on 
# the module mod_unique_id to be able to run. This means that both apache
# modules must be activated/loaded when apache starts.

# Change the configuration to load these two modules by adding the two
# module names "security2" and "unique_id" to the variable APACHE_MODULES
# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
# a2enmod (enable apache module) and a2dismod (disable apache module). 
# These two tools expect the name of the module without the leading 
# "mod_" as an argument!
#
# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
# start script /etc/init.d/apache2 . Changes in APACHE_MODULES are then 
# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
# script.
#
# example for the use of a2enmod/a2dismod:
#
# a2enmod security2             # enable module security2
# a2enmod unique_id             # enable module unique_id
#
# a2dismod security2            # disable
# a2dismod unique_id            # disable module unique_id

#
# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
# configuration settings, then loads
#   /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
# which is the baseline for the rules that can be loaded later.
#
# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
# For the rules you wish to apply, place a symlink to the rules file there.
#
# About the rules: the OWASP ModSecurity Core Rule Set version 2.2.7
# is contained in this package, a splendid set of rules made to provide for a
# decent basic and even advanced protection. The rules files are contained
# in the directory /usr/share/apache2-mod_security2/rules/.
#
# Example (use all of the basic rules that come with the package):
#
# cd /etc/apache2/mod_security2.d
# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
#   ln -s $i .
# done
#
# At last, simply restart apache:
#   rcapache2 restart
#
# If in doubt, please consult the valuable online documentation on the project's
# website, which is the authoritative source for documentation.
# For offline reading, the web pages for the Reference Guide and the FAQ, as of
# 2013/01, are located in the package's documentation directory:
# /usr/share/doc/packages/apache2-mod_security2
#
# Roman Drahtmueller <[email protected]>, SUSE, 20130118.
#



<IfModule mod_security2.c>

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On


# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"


# -- XML external entity loading by libxml2.
# Defaults to off.
SecXmlExternalEntity Off

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
# (status:400, as in rule 200001: 44 is not a valid HTTP status code.)
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
# (status:400, as in rule 200001: 44 is not a valid HTTP status code.)
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies. 
# You should have this directive enabled in order to identify errors
# and data leakage issues.
# 
# Do keep in mind that enabling this directive does increase both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial


# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
# 
# This default is chosen because every system has /tmp available; however,
# it is less than ideal. It is recommended that you specify a private location.
#
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data. This default
# setting is chosen because every system has /tmp available; however, it too
# should be changed to a place that other users cannot access.
#
SecDataDir /tmp/


# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600


# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /var/log/apache2/modsec_debug.log
#SecDebugLogLevel 3

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/


# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
#SecUnicodeCodePage 20127
#SecUnicodeMapFile unicode.mapping






Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
# as set up with symlinks for files that are placed here:
Include /etc/apache2/mod_security2.d/*.conf

</IfModule>
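With SecRuleEngine left at DetectionOnly, the serial audit log configured above (SecAuditLogType Serial, parts ABIJDEFHZ, written to /var/log/apache2/modsec_audit.log) is what an administrator reviews before switching the engine to On. The following Python script is an added example and is not part of the openSUSE package or of ModSecurity: it splits a serial audit log into transactions on the `--<boundary>-<part>--` markers, pulls the client address, request line, `Message:` attributes and engine mode out of parts A, B and H, and counts how often each rule id fired. The embedded log text is constructed for the example; its boundaries, unique ids, addresses, file paths and line numbers are made up, and the rule ids mirror CRS 2.2.x ids only for realism.

```python
"""Summarise a ModSecurity serial audit log (SecAuditLogType Serial).

Added example; not part of the openSUSE package or of ModSecurity. SAMPLE_LOG
is constructed: boundaries, unique ids, addresses, paths and line numbers are
made up; the rule ids mirror CRS 2.2.x ids only for realism.
"""
import re
from collections import Counter

# Every part of a serial audit-log entry starts with "--<boundary>-<letter>--".
# Part A opens a transaction and part Z closes it; the letters in between are
# the ones selected by SecAuditLogParts (ABIJDEFHZ in the shipped config).
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
# Part H "Message:" lines carry bracketed attributes such as [id "960015"].
ATTR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

SAMPLE_LOG = """\
--0a1b2c3d-A--
[20/Aug/2014:18:30:25 +0200] U-zTAX8AAQEAAA1GGNkAAAAA 192.0.2.10 51234 198.51.100.5 80
--0a1b2c3d-B--
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: curl/7.37.0

--0a1b2c3d-F--
HTTP/1.1 200 OK
Content-Type: text/html

--0a1b2c3d-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/apache2-mod_security2/rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/apache2-mod_security2/rules/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"

--0a1b2c3d-Z--

--0a1b2c3e-A--
[20/Aug/2014:18:31:02 +0200] U-zTBH8AAQEAAA1GGNoAAAAA 192.0.2.11 51300 198.51.100.5 80
--0a1b2c3e-B--
POST /form HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

--0a1b2c3e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/apache2-mod_security2/rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Engine-Mode: "DETECTION_ONLY"

--0a1b2c3e-Z--
"""


def split_transactions(text):
    """Group log lines into transactions: {"boundary": ..., "parts": {letter: [lines]}}."""
    transactions, current, part = [], None, None
    for line in text.splitlines():
        marker = PART_RE.match(line)
        if marker:
            boundary, part = marker.groups()
            if part == "A":                      # a new transaction begins
                current = {"boundary": boundary, "parts": {}}
                transactions.append(current)
            elif part == "Z":                    # the transaction is complete
                current, part = None, None
            continue
        if current is not None and part is not None:
            current["parts"].setdefault(part, []).append(line)
    return transactions


def parse_transaction(tx):
    """Pull the fields an analyst wants out of one transaction."""
    parts = tx["parts"]
    rec = {"boundary": tx["boundary"], "timestamp": None, "unique_id": None,
           "client_ip": None, "request_line": None, "host": None,
           "engine_mode": None, "messages": []}
    m = PART_A_RE.match((parts.get("A") or [""])[0])
    if m:
        rec["timestamp"], rec["unique_id"], rec["client_ip"] = m.group(1, 2, 3)
    b_lines = parts.get("B") or []
    if b_lines:
        rec["request_line"] = b_lines[0]          # request line precedes the headers
        for header in b_lines[1:]:
            if header.lower().startswith("host:"):
                rec["host"] = header.split(":", 1)[1].strip()
                break
    for line in parts.get("H", []):
        if line.startswith("Message:"):
            attrs = dict(ATTR_RE.findall(line))
            rec["messages"].append({"id": attrs.get("id"), "msg": attrs.get("msg"),
                                    "severity": attrs.get("severity"),
                                    "file": attrs.get("file")})
        elif line.startswith("Engine-Mode:"):
            rec["engine_mode"] = line.split(":", 1)[1].strip().strip('"')
    return rec


def parse_audit_log(text):
    return [parse_transaction(tx) for tx in split_transactions(text)]


def rule_hit_counts(records):
    """Count how often each rule id fired; the most frequent ids are the first
    candidates for tuning before leaving DetectionOnly mode."""
    counts = Counter()
    for rec in records:
        counts.update(msg["id"] for msg in rec["messages"] if msg["id"])
    return counts


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_LOG)
    for rec in records:
        print(rec["timestamp"], rec["client_ip"], rec["request_line"],
              rec["engine_mode"], [msg["id"] for msg in rec["messages"]])
    for rule_id, n in rule_hit_counts(records).most_common():
        print(f"rule {rule_id}: {n} hit(s)")
```

Run it against the real log with `parse_audit_log(open("/var/log/apache2/modsec_audit.log").read())`; the `Engine-Mode` field tells you whether a `Message:` was only logged or actually blocked, and a rule id that dominates `rule_hit_counts` on ordinary traffic is a false positive to tune with a `SecRuleRemoveById` in a file under /etc/apache2/mod_security2.d before switching SecRuleEngine to On.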
++++++ modsecurity-apache_2.7.5-build_fix_pcre.diff ++++++
diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.am 
./apache2/Makefile.am
--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.am   2013-07-28 
05:58:49.000000000 +0200
+++ ./apache2/Makefile.am       2013-08-01 15:08:21.000000000 +0200
@@ -17,61 +17,61 @@
 mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
                           @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ 
@MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
 mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@
 mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ 
@LUA_LDADD@
 
 if AIX
 mod_security2_la_LDFLAGS = -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if HPUX
 mod_security2_la_LDFLAGS = -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if MACOSX
 mod_security2_la_LDFLAGS = -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if SOLARIS
 mod_security2_la_LDFLAGS = -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if LINUX
-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R 
@PCRE_LD_PATH@ \
+mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if FREEBSD
 mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if OPENBSD
 mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if NETBSD
 mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
 endif
 
 if LINUX
 install-exec-hook: $(pkglib_LTLIBRARIES)
        @echo "Removing unused static libraries..."; \
        for m in $(pkglib_LTLIBRARIES); do \
          base=`echo $$m | sed 's/\..*//'`; \
          rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
          install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so 
$(DESTDIR)$(APXS_MODULES)/$$base.so; \
        done
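Review bot: the only change in this hunk is dropping "-R @PCRE_LD_PATH@" from the LINUX LDFLAGS, which stops libtool from embedding an rpath to the PCRE directory in mod_security2.so; @PCRE_LDFLAGS@ on the following line still supplies the link-time library path, so the module continues to link against the system PCRE. That matches the changelog entry for modsecurity-apache_2.7.5-build_fix_pcre.diff. The 30-line context (diff -U 30) makes a one-line change hard to spot; the default 3-line context would be easier to review.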
diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.in 
./apache2/Makefile.in
--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.in   2013-07-28 
05:59:01.000000000 +0200
+++ ./apache2/Makefile.in       2013-08-01 15:08:56.000000000 +0200
@@ -303,61 +303,61 @@
 #include_HEADERS = re.h modsecurity.h msc_logging.h msc_multipart.h \
 #                  msc_parsers.h msc_pcre.h msc_util.h msc_xml.h \
 #                  persist_dbm.h apache2.h msc_geo.h acmp.h utf8tables.h \
 #                  msc_lua.h msc_release.h
 mod_security2_la_SOURCES = mod_security2.c \
                            apache2_config.c apache2_io.c apache2_util.c \
                            re.c re_operators.c re_actions.c re_tfns.c \
                            re_variables.c msc_logging.c msc_xml.c \
                            msc_multipart.c modsecurity.c msc_parsers.c \
                            msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \
                            msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c 
msc_unicode.c acmp.c msc_lua.c msc_release.c \
                            libinjection/libinjection_sqli.c
 
 mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
                           @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ 
@MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
 
 mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@
 mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ 
@LUA_LDADD@
 @AIX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
 @AIX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @AIX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 @FREEBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
 @FREEBSD_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @FREEBSD_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 @HPUX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
 @HPUX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @HPUX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
-@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R 
@PCRE_LD_PATH@ \
+@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
 @LINUX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @LINUX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 @MACOSX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
 @MACOSX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @MACOSX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 @NETBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
 @NETBSD_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @NETBSD_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 @OPENBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
 @OPENBSD_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @OPENBSD_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 @SOLARIS_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
 @SOLARIS_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ 
@APXS_LDFLAGS@ \
 @SOLARIS_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ 
@LUA_LDFLAGS@
 
 all: modsecurity_config_auto.h
        $(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
 $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
        @for dep in $?; do \
          case '$(am__configure_deps)' in \
            *$$dep*) \
              ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
                && { if test -f $@; then exit 0; else break; fi; }; \
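Review bot: the `@LINUX_TRUE@mod_security2_la_LDFLAGS` change here is the generated-file counterpart of the Makefile.am edit above, and patching both is the right call for a tarball build: the shipped Makefile.in is what gets used unless automake is rerun, and keeping the two in step means a rerun would produce the same result rather than reintroducing `-R @PCRE_LD_PATH@`. The equal line counts in the hunk header (61 old, 61 new) match a one-line-for-one-line substitution with no other edits in the range; the remaining lines, including the `all:` and `$(srcdir)/Makefile.in:` rules, are unchanged context.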
diff -rNU 30 ../modsecurity-apache_2.7.5-o/configure ./configure
--- ../modsecurity-apache_2.7.5-o/configure     2013-07-28 05:59:03.000000000 
+0200
+++ ./configure 2013-08-01 15:02:59.000000000 +0200
@@ -13103,61 +13103,62 @@
         if test -e "${x}/bin/${PCRE_CONFIG}"; then
             pcre_path="${x}/bin"
             break
         elif test -e "${x}/${PCRE_CONFIG}"; then
             pcre_path="${x}"
             break
         else
             pcre_path=""
         fi
     done
     if test -n "$pcre_path"; then
         break
     fi
 done
 
 if test -n "${pcre_path}"; then
     if test "${pcre_path}" != "no"; then
         PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}"
     fi
     { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${PCRE_CONFIG}" >&5
 $as_echo "${PCRE_CONFIG}" >&6; }
     PCRE_VERSION="`${PCRE_CONFIG} --version`"
     if test "$verbose_output" -eq 1; then { $as_echo 
"$as_me:${as_lineno-$LINENO}: pcre VERSION: $PCRE_VERSION" >&5
 $as_echo "$as_me: pcre VERSION: $PCRE_VERSION" >&6;}; fi
     PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`"
     if test "$verbose_output" -eq 1; then { $as_echo 
"$as_me:${as_lineno-$LINENO}: pcre CFLAGS: $PCRE_CFLAGS" >&5
 $as_echo "$as_me: pcre CFLAGS: $PCRE_CFLAGS" >&6;}; fi
     PCRE_LDADD="`${PCRE_CONFIG} --libs`"
     if test "$verbose_output" -eq 1; then { $as_echo 
"$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5
 $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi
-    PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' 
-f1`"
+#    PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' 
' -f1`"
+    PCRE_LD_PATH=""
     if test "$verbose_output" -eq 1; then { $as_echo 
"$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5
 $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi
 else
     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
 
 
 
 
 
 
 
 
 if test -z "${PCRE_VERSION}"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: *** pcre library not found." >&5
 $as_echo "$as_me: *** pcre library not found." >&6;}
     as_fn_error "pcre library is required" "$LINENO" 5
 else
     { $as_echo "$as_me:${as_lineno-$LINENO}: using pcre v${PCRE_VERSION}" >&5
 $as_echo "$as_me: using pcre v${PCRE_VERSION}" >&6;}
 
 fi
 
 if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then
 
 
 # Check whether --with-apr was given.
 if test "${with_apr+set}" = set; then :
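Review bot: replacing the computed `PCRE_LD_PATH` with an empty string (the `-`/`+` lines following the `PCRE_LDADD` echo) fixes a fragile derivation: the old expression took the output of `${PCRE_CONFIG} --libs`, split it on `/` and kept exactly fields 2 through 6, then cut at the first space, which only yields a sensible directory when the first token is an `-L` flag whose path has exactly that depth; any other path depth, an extra flag in front, or a multilib layout produced a bogus path that was then fed to the linker as an rpath. Two follow-ups to consider. First, the verbose diagnostic `pcre PCRE_LD_PATH: $PCRE_LD_PATH` kept a few lines below now always prints an empty value; removing it, or commenting it out alongside the old assignment, would keep the verbose output meaningful. Second, `configure` is a generated script: unless the autoconf source that emits this block receives the same change, an `autoreconf` during the build would restore the old computation. The Makefile.in hunk above is paired with its Makefile.am source, but no corresponding change to the configure source is visible in this part of the diff.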