Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2-mod_security2 for 
openSUSE:Factory checked in at 2021-02-23 20:21:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_security2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_security2.new.2378 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_security2"

Tue Feb 23 20:21:41 2021 rev:27 rq:874491 version:2.9.3

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/apache2-mod_security2/apache2-mod_security2.changes  
    2020-02-20 14:57:59.542595574 +0100
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_security2.new.2378/apache2-mod_security2.changes
    2021-02-23 20:23:09.347801628 +0100
@@ -1,0 +2,86 @@
+Tue Feb 23 07:49:57 UTC 2021 - pgaj...@suse.com
+
+- version update to 2.9.3
+ * Enable optimization for large stream input by default on IIS
+   [Issue #1299 - @victorhora, @zimmerle]
+ * Allow 0 length JSON requests.
+   [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
+ * Include unanmed JSON values in unnamed ARGS
+   [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
+ * Fix buffer size for utf8toUnicode transformation
+   [Issue #1208 - @katef, @victorhora]
+ * Fix sanitizing JSON request bodies in native audit log format
+   [p0pr0ck5, @victorhora]
+ * IIS: Update Wix installer to bundle a supported CRS version (3.0)
+   [@victorhora, @zimmerle]
+ * IIS: Update dependencies for Windows build
+   [Issue #1848 - @victorhora, @hsluoyz]
+ * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
+   [Issue #1299 - @victorhora]
+ * IIS: Update modsecurity.conf
+   [Issue #788 - @victorhora, @brianclark]
+ * Add sanity check for a couple malloc() and make code more resilient
+   [Issue #979 - @dogbert2, @victorhora, @zimmerl]
+ * Fix NetBSD build by renaming the hmac function to avoid conflicts
+   [Issue #1241 - @victorhora, @joerg, @sevan]
+ * IIS: Windows build, fix duplicate YAJL dir in script
+   [Issue #1612 - @allanbomsft, @victorhora]
+ * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
+   [Issue #1917 - @allanbomsft, @victorhora]
+ * Fix mpm-itk / mod_ruid2 compatibility
+   [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
+ * Code cosmetics: checks if actionset is not null before use it
+   [Issue #1556 - @marcstern, @zimmerle, @victorhora]
+ * Only generate SecHashKey when SecHashEngine is On
+   [Issue #1671 - @dmuey, @monkburger, @zimmerle]
+ * Docs: Reformat README to Markdown and update dependencies
+   [Issue #1857 - @hsluoyz, @victorhora]
+ * IIS: no lock on ProcessRequest. No reload of config.
+   [Issue #1826 - @allanbomsft]
+ * IIS: buffer request body before taking lock
+   [Issue #1651 - @allanbomsft]
+ * good practices: Initialize variables before use it
+   [Issue #1889 - Marc Stern]
+ * Let body parsers observe SecRequestBodyNoFilesLimit
+   [Issue #1613 - @allanbomsft]
+ * potential off by one in parse_arguments
+   [Issue #1799 - @tinselcity, @zimmerle]
+ * Fix utf-8 character encoding conversion
+   [Issue #1794 - @tinselcity, @zimmerle]
+ * Fix ip tree lookup on netmask content
+   [Issue #1793 - @tinselcity, @zimmerle]
+ * IIS: set overrideModeDefault to Allow so that individual websites can
+   add <ModSecurity ...> to their web.config file
+   [Issue #1781 - @default-kramer]
+ * modsecurity.conf-recommended: Fix spelling
+   [Issue #1721 - @padraigdoran]
+ * build: fix when multiple lines for curl version
+   [Issue #1771 - @Artistan]
+ * Fix arabic charset in unicode_mapping file
+   [Issue #1619 - @alaa-ahmed-a]
+ * Optionally preallocates memory when SecStreamInBodyInspection is on
+   [Issue #1366 - @allanbomsft, @zimmerle]
+ * Fixed typo in build_yajl.bat
+   [Issue #1366 - @allanbomsft]
+ * Fixes SecConnWriteStateLimit
+   [Issue #1545 - @nicjansma]
+ * Added "empy chunk" check
+   [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
+ * Add capture action to @detectXSS operator
+   [Issue #1488, #1482 - @victorhora]
+ * Fix for wildcard operator when loading conf files on Nginx / IIS
+   [Issue #1486, #1285 - @victorhora and @thierry-f-78]
+ * Set of fixies to make windows build workable with the buildbots
+   [Commit 94fe3 - @zimmerle]
+ * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
+   [Issue #1510 - @marcstern]
+ * Adds missing headers
+   [Issue #1454 - @devnexen]
+- modified patches
+  % modsecurity-fixes.patch (fix crash caused by our patch)
+    [bsc#1180830]
+- added patches
+  + modsecurity-2.9.3-input_filtering_errors.patch
+    [bsc#1180830]
+
+-------------------------------------------------------------------
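Review bot: the entry for the new patch cites only bsc#1180830, while the spec comment attached to Patch3 points at https://github.com/SpiderLabs/ModSecurity/issues/2514; carrying both references in the changelog lets a reader trace the fix without opening the spec. The "modified patches" line for modsecurity-fixes.patch ("fix crash caused by our patch") should also say which part of that patch was dropped, since the diff below removes two of its three hunks.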

Old:
----
  modsecurity-2.9.2.tar.gz

New:
----
  modsecurity-2.9.3-input_filtering_errors.patch
  modsecurity-2.9.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_security2.spec ++++++
--- /var/tmp/diff_new_pack.a2E9ou/_old  2021-02-23 20:23:10.235802414 +0100
+++ /var/tmp/diff_new_pack.a2E9ou/_new  2021-02-23 20:23:10.235802414 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define tarballname   modsecurity-%{version}
 %define usrsharedir %{_datadir}/%{name}
 Name:           apache2-mod_security2
-Version:        2.9.2
+Version:        2.9.3
 Release:        0
 Summary:        Web Application Firewall for apache httpd
 License:        Apache-2.0
@@ -34,6 +34,8 @@
 Patch0:         apache2-mod_security2-no_rpath.diff
 Patch1:         modsecurity-fixes.patch
 Patch2:         apache2-mod_security2_tests_conf.patch
+# https://github.com/SpiderLabs/ModSecurity/issues/2514
+Patch3:         modsecurity-2.9.3-input_filtering_errors.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel
 BuildRequires:  apache2-prefork
@@ -43,7 +45,7 @@
 BuildRequires:  libcurl-devel
 BuildRequires:  libtool
 BuildRequires:  libxml2-devel
-BuildRequires:  lua-devel
+BuildRequires:  lua53-devel
 BuildRequires:  pcre-devel
 BuildRequires:  perl-libwww-perl
 BuildRequires:  pkgconfig
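Review bot: the switch from the unversioned lua-devel to lua53-devel is neither commented in the spec nor mentioned in the .changes entry; a one-line comment above the BuildRequires (the Patch3 line above shows the convention of citing the reason inline) and a changelog line would make the choice of Lua 5.3 traceable at the next rebase.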
@@ -68,6 +70,7 @@
 %patch0
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 # aclocal only works with newer distributions
@@ -120,7 +123,7 @@
 %{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
 %{apache_sysconfdir}/mod_security2.d/empty.conf
 %{usrsharedir}
-%doc README.TXT CHANGES LICENSE NOTICE authors.txt
+%doc README.md CHANGES LICENSE NOTICE authors.txt
 %doc doc/README.txt
 %doc doc/README-SUSE-mod_security2.txt
 %doc rules/util/regression-tests

++++++ modsecurity-2.9.3-input_filtering_errors.patch ++++++
diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c 
modsecurity-2.9.3.new/apache2/apache2_io.c
--- modsecurity-2.9.3.old/apache2/apache2_io.c  2018-12-04 19:49:37.000000000 
+0100
+++ modsecurity-2.9.3.new/apache2/apache2_io.c  2021-02-12 13:28:27.739749566 
+0100
@@ -209,6 +209,10 @@
              *      too large and APR_EGENERAL when the client disconnects.
              */
             switch(rc) {
+                case AP_FILTER_ERROR :
+                    *error_msg = apr_pstrdup(msr->mp, "Error reading request 
body: filter error");
+                    return -8;
+
                 case APR_INCOMPLETE :
                     *error_msg = apr_psprintf(msr->mp, "Error reading request 
body: %s", get_apr_error(msr->mp, rc));
                     return -7;
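Review bot: the comment just above the switch (visible context: "... too large and APR_EGENERAL when the client disconnects.") is now stale, since it still describes AP_FILTER_ERROR as the "too large" case; update it to say that AP_FILTER_ERROR means the input filter itself failed and is reported to the caller as the new -8 code, and list -8 wherever the function's return values are documented. Using apr_pstrdup for the constant message is fine here; the neighbouring cases only need apr_psprintf because they format get_apr_error().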
@@ -218,7 +222,7 @@
                 case APR_TIMEUP :
                     *error_msg = apr_psprintf(msr->mp, "Error reading request 
body: %s", get_apr_error(msr->mp, rc));
                     return -4;
-                case AP_FILTER_ERROR :
+                case APR_ENOSPC:
                     *error_msg = apr_psprintf(msr->mp, "Error reading request 
body: HTTP Error 413 - Request entity too large. (Most likely.)");
                     return -3;
                 case APR_EGENERAL :
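Review bot: the "(Most likely.)" hedge in the 413 message survives the change of this case from AP_FILTER_ERROR to APR_ENOSPC; if APR_ENOSPC is the code the HTTP input filter returns once LimitRequestBody is exceeded, say so in a comment on the case (with the httpd version it was checked against) and drop the hedge, so that the -3 mapping can be verified rather than guessed.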
diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c 
modsecurity-2.9.3.new/apache2/mod_security2.c
--- modsecurity-2.9.3.old/apache2/mod_security2.c       2018-12-04 
19:49:37.000000000 +0100
+++ modsecurity-2.9.3.new/apache2/mod_security2.c       2021-02-12 
13:34:22.940428406 +0100
@@ -1013,7 +1013,7 @@
     }
 
     rc = read_request_body(msr, &my_error_msg);
-    if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
+    if (rc < 0) {
         switch(rc) {
             case -1 :
                 if (my_error_msg != NULL) {
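Review bot: removing `&& msr->txcfg->is_enabled == MODSEC_ENABLED` is a behaviour change that deserves a comment here and a line in the .changes entry: the error handling below (400, 413, AP_FILTER_ERROR) now also applies when is_enabled is not MODSEC_ENABLED, so a body read failure is no longer silently passed through in those modes. That looks like the intent of the fix, but operators running with the engine disabled will see new error responses and should be able to find out why.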
@@ -1021,6 +1021,21 @@
                 }
                 return HTTP_INTERNAL_SERVER_ERROR;
                 break;
+            case -2 : /* Bad request. */
+            case -6 : /* EOF when reading request body. */
+            case -7 : /* Partial recieved */
+                if (my_error_msg != NULL) {
+                    msr_log(msr, 4, "%s", my_error_msg);
+                }
+                r->connection->keepalive = AP_CONN_CLOSE;
+                return HTTP_BAD_REQUEST;
+                break;
+            case -3 : /* Apache's LimitRequestBody. */
+                if (my_error_msg != NULL) {
+                    msr_log(msr, 1, "%s", my_error_msg);
+                }
+                return HTTP_REQUEST_ENTITY_TOO_LARGE;
+                break;
             case -4 : /* Timeout. */
                 if (my_error_msg != NULL) {
                     msr_log(msr, 4, "%s", my_error_msg);
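Review bot: the comment on the moved `case -7 : /* Partial recieved */` line keeps the "recieved" typo; since the line is rewritten by this patch anyway, correct it to "Partially received". The -3 (LimitRequestBody) case also logs at level 1 while the neighbouring client-caused failures (-2, -6, -7) log at level 4; an oversized client body is the same class of event, so either justify the higher severity in the comment or use level 4 for consistency. The `break;` after each `return` is unreachable but matches the existing style of the switch.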
@@ -1042,19 +1057,11 @@
                     }
                 }
                 break;
-            case -6 : /* EOF when reading request body. */
-                if (my_error_msg != NULL) {
-                    msr_log(msr, 4, "%s", my_error_msg);
-                }
-                r->connection->keepalive = AP_CONN_CLOSE;
-                return HTTP_BAD_REQUEST;
-                break;
-            case -7 : /* Partial recieved */
+            case -8 : /* Filter error. */
                 if (my_error_msg != NULL) {
-                    msr_log(msr, 4, "%s", my_error_msg);
+                    msr_log(msr, 1, "%s", my_error_msg);
                 }
-                r->connection->keepalive = AP_CONN_CLOSE;
-                return HTTP_BAD_REQUEST;
+                return AP_FILTER_ERROR;
                 break;
             default :
                 /* allow through */
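Review bot: a comment is missing on why `case -8` returns AP_FILTER_ERROR from the handler while every other branch of this switch returns an HTTP status; if the reason is httpd's convention that a filter returning AP_FILTER_ERROR has already generated the error response (so returning a status here would produce a second one), state that on the case, otherwise a later reader may "fix" it to HTTP_INTERNAL_SERVER_ERROR. Logging at level 1 is appropriate for this branch, since a filter failure is a server-side condition rather than a client error.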
++++++ modsecurity-2.9.2.tar.gz -> modsecurity-2.9.3.tar.gz ++++++
++++ 6002 lines of diff (skipped)

++++++ modsecurity-fixes.patch ++++++
--- /var/tmp/diff_new_pack.a2E9ou/_old  2021-02-23 20:23:10.587802724 +0100
+++ /var/tmp/diff_new_pack.a2E9ou/_new  2021-02-23 20:23:10.587802724 +0100
@@ -1,39 +1,3 @@
-Index: modsecurity-2.9.0/apache2/mod_security2.c
-===================================================================
---- modsecurity-2.9.0.orig/apache2/mod_security2.c
-+++ modsecurity-2.9.0/apache2/mod_security2.c
-@@ -457,17 +457,13 @@ static void store_tx_context(modsec_rec
-  * Creates a new transaction context.
-  */
- static modsec_rec *create_tx_context(request_rec *r) {
--    apr_allocator_t *allocator = NULL;
-     modsec_rec *msr = NULL;
- 
-     msr = (modsec_rec *)apr_pcalloc(r->pool, sizeof(modsec_rec));
-     if (msr == NULL) return NULL;
- 
--    apr_allocator_create(&allocator);
--    apr_allocator_max_free_set(allocator, 1024);
--    apr_pool_create_ex(&msr->mp, r->pool, NULL, allocator);
-+    apr_pool_create(&msr->mp, r->pool);
-     if (msr->mp == NULL) return NULL;
--    apr_allocator_owner_set(allocator, msr->mp);
- 
-     msr->modsecurity = modsecurity;
-     msr->r = r;
-Index: modsecurity-2.9.0/apache2/msc_reqbody.c
-===================================================================
---- modsecurity-2.9.0.orig/apache2/msc_reqbody.c
-+++ modsecurity-2.9.0/apache2/msc_reqbody.c
-@@ -88,7 +88,7 @@ apr_status_t modsecurity_request_body_st
-      * to allocate structures from (not data, which is allocated
-      * via malloc).
-      */
--    apr_pool_create(&msr->msc_reqbody_mp, NULL);
-+    apr_pool_create(&msr->msc_reqbody_mp, msr->mp);
- 
-     /* Initialise request body processors, if any. */
- 
 Index: modsecurity-2.9.0/apache2/msc_status_engine.c
 ===================================================================
 --- modsecurity-2.9.0.orig/apache2/msc_status_engine.c
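Review bot: neither the patch nor the .changes entry ("fix crash caused by our patch") records which of the two dropped hunks caused the crash in bsc#1180830: the custom apr_allocator with apr_allocator_max_free_set in create_tx_context, or the re-parenting of msc_reqbody_mp under msr->mp in modsecurity_request_body_start. Only the msc_status_engine.c hunk remains; a short header comment at the top of the patch saying what it still changes and why the pool hunks were removed would save the next rebase from reintroducing them.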
