Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2-mod_security2 for 
openSUSE:Factory checked in at 2025-01-27 20:55:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_security2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_security2.new.2316 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_security2"

Mon Jan 27 20:55:30 2025 rev:32 rq:1240477 version:2.9.8

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/apache2-mod_security2/apache2-mod_security2.changes  
    2024-06-05 17:40:08.449170610 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_security2.new.2316/apache2-mod_security2.changes
    2025-01-27 20:56:06.568749006 +0100
@@ -1,0 +2,64 @@
+Tue Jan 21 13:28:24 UTC 2025 - [email protected]
+
+- package cleanup, coordinated with owasp-modsecurity-crs cleanup
+- version update to 2.9.8 (changed upstream: Trustwave -> OWASP)
+  * Fixed ap_log_perror() usage
+  * Memory leaks + enhanced logging
+  * CI improvement: First check syntax & always display error/audit logs
+  * Fixed assert() usage
+  * Removed useless code
+  * feat: Check if the MP header contains invalid character
+  * Use standard httpd logging format in error log
+  * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
+  * Move xmlFree() call to the right place
+  * Add collection size in log in case of writing error
+  * Passing address of lock instead of lock in acquire_global_lock()
+  * Invalid pointer access in case rule id == NOT_SET_P
+  * Show error.log after httpd start in CI
+  * chore: add pull request template
+  * chore: add gitignore file
+  * Possible double free
+  * Set 'jit' variable's initial value
+  * Missing null byte + optimization
+  * fix: remove usage of insecure tmpname
+  * docs: update copyright
+  * Enhanced logging [Issue #3107]
+  * Check for null pointer dereference (almost) everywhere
+  * Fix possible segfault in collection_unpack
+  * fix: Replace obsolete macros
+  * chore: update bug-report-for-version-2-x.md
+  * feat: Add more steps: install built module and restart the server
+  * Add new flag: --without-lua
+  * Initial release of CI worklow
+  * V2/fixbuildissue
+  * ; incorrectly replaced by space in cmdline
+  * Detailed error message when writing collections
+  * docs: Fix organization name in references and security e-mail (v2)
+  * ctl:ruleRemoveByTag isn't executed if no rule id is present in the rule
+  * Suppress useless loop on tag matching
+  * Optimization: Avoid last loop and storing an empty value in case nothing
+      after last %{..} macro
+  * Ignore (consistently) empty actions
+  * Add context info to error message
+  * Implement msre_action_phase_validate()
+  * Avoid some useless code and memory allocation in case no macro is present
+  * 'jit' variable not initialized when WITH_PCRE2 is defined
+  * Configure: do not check for pcre1 if pcre2 requested
+  * Double memory allocation
+  * Fix for DEBUG_CONF compile flag
+  * Enhance logging
+  * Fix possible segfault in collection_unpack
+  * Set the minimum security protocol version for SecRemoteRules
+  * Allow lua version 5.4
+  * Configure: do not check for pcre1 if pcre2 requested
+  * Check return code of apr_procattr_io_set()
+  * Do not escape special chars in rx pattern with macro
+  * Substitute two equals-equals operators in build
+- modified patches
+  % apache2-mod_security2-no_rpath.diff (refreshed)
+  % modsecurity-2.9.3-input_filtering_errors.patch (refreshed)
+  % modsecurity-fixes.patch (refreshed)
+- added sources
+  + apache2-mod_security2.keyring
+
+-------------------------------------------------------------------
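Review bot: The entry does not record the user-visible changes the rest of this submission makes, and anyone upgrading from 2.9.7 will run into them: the bundled CRS 2.2.9 rules and /usr/share/apache2-mod_security2 are gone (the CRS now comes from the separate owasp-modsecurity-crs packages), /etc/apache2/conf.d/mod_security2.conf no longer includes modsecurity_crs_10_setup.conf and instead reads /etc/apache2/mod_security2.d/*.conf followed by mod_security2.d/rules/*.conf, and the shipped default moves from SecRuleEngine DetectionOnly to SecRuleEngine On. Please spell those out under the "package cleanup" bullet. Minor: the upstream list repeats "Fix possible segfault in collection_unpack" and "Configure: do not check for pcre1 if pcre2 requested", and "CI worklow" should read "CI workflow".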

Old:
----
  README-SUSE-mod_security2.txt
  SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
  empty.conf
  modsecurity-2.9.7.tar.gz

New:
----
  README_SUSE
  apache2-mod_security2.keyring
  modsecurity-v2.9.8.tar.gz
  modsecurity-v2.9.8.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_security2.spec ++++++
--- /var/tmp/diff_new_pack.FRrHCb/_old  2025-01-27 20:56:10.108894916 +0100
+++ /var/tmp/diff_new_pack.FRrHCb/_new  2025-01-27 20:56:10.112895081 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,21 +16,18 @@
 #
 
 
-%define modname       mod_security2
-%define tarballname   modsecurity-%{version}
-%define usrsharedir %{_datadir}/%{name}
 Name:           apache2-mod_security2
-Version:        2.9.7
+Version:        2.9.8
 Release:        0
-Summary:        Web Application Firewall for apache httpd
+Summary:        Web Application Firewall for Apache httpd
 License:        Apache-2.0
 Group:          Productivity/Networking/Web/Servers
 URL:            https://www.modsecurity.org/
-Source:         
https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
-Source1:        
https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
-Source2:        mod_security2.conf
-Source6:        README-SUSE-mod_security2.txt
-Source7:        empty.conf
+Source0:        
https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz
+Source1:        
https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz.asc
+Source2:        apache2-mod_security2.keyring
+Source3:        mod_security2.conf
+Source4:        README_SUSE
 Patch0:         apache2-mod_security2-no_rpath.diff
 Patch1:         modsecurity-fixes.patch
 Patch2:         apache2-mod_security2_tests_conf.patch
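Review bot: Source1 adds the detached signature and Source2 the keyring, which is the right move now that Source0 comes from the owasp-modsecurity organisation instead of SpiderLabs; confirm that apache2-mod_security2.keyring actually holds the key that produced modsecurity-v2.9.8.tar.gz.asc (the OWASP release key, not a key carried over from the Trustwave era), because a keyring that does not match the .asc leaves the signature check with nothing to verify against. Nothing in %prep needs to reference %{SOURCE2}; the signature check happens outside the build.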
@@ -54,6 +51,7 @@
 Requires:       %{apache_mmn}
 Requires:       %{apache_suse_maintenance_mmn}
 Requires:       apache2
+Recommends:     owasp-modsecurity-crs-apache2
 
 %description
 ModSecurity is an intrusion detection and prevention
@@ -63,10 +61,8 @@
 applications from known and unknown attacks.
 
 %prep
-%setup -q -n %{tarballname}
-%setup -q -D -T -a 1 -n %{tarballname}
-mv -v SpiderLabs* rules
-%autopatch -p1
+%autosetup -p1 -n modsecurity-v%{version}
+cp %{SOURCE4} .
 
 %build
 aclocal
@@ -77,40 +73,22 @@
 %install
 pushd apache2
   install -d -m 0755 %{buildroot}%{apache_libexecdir}
-  install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
+  install .libs/mod_security2.so 
%{buildroot}%{apache_libexecdir}/mod_security2.so
 popd
-install -D -m 0644 %{SOURCE2} 
%{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
-install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
-install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
-install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d
-cp -a %{SOURCE6} doc
-install -d -m 0755 %{buildroot}/%{usrsharedir}
-install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
-rm -f rules/.gitignore rules/LICENSE
-cp -a rules/util/README 
%{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
-cp -a tools/rules-updater.pl tools/rules-updater-example.conf 
%{buildroot}/%{usrsharedir}/tools
-find rules -type f -exec chmod 644 {} +
-cp -a rules %{buildroot}/%{usrsharedir}
-rm -rf %{buildroot}/%{usrsharedir}/rules/util
-rm -rf %{buildroot}/%{usrsharedir}/rules/lua
-rm -f %{buildroot}/%{usrsharedir}/rules/READM*
-rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL 
%{buildroot}/%{usrsharedir}/rules/CHANGELOG
+mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d
+mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d/rules
+mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d/
+cp -a %{SOURCE3} %{buildroot}%{apache_sysconfdir}/conf.d/
 
-# Temporarily disable test suite as there are some failures that need to be 
solved
 %check
 make test
-# make test-regression
 
 %files
-%{apache_libexecdir}/%{modname}.so
-%config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
-%dir %{apache_sysconfdir}/mod_security2.d
-%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
-%{apache_sysconfdir}/mod_security2.d/empty.conf
-%{usrsharedir}
+%{apache_libexecdir}/mod_security2.so
 %license LICENSE
-%doc README.md CHANGES NOTICE authors.txt
-%doc doc/README.txt
-%doc doc/README-SUSE-mod_security2.txt
-%doc rules/util/regression-tests
+%dir %{apache_sysconfdir}/mod_security2.d
+%dir %{apache_sysconfdir}/mod_security2.d/rules
+%dir %{apache_sysconfdir}/conf.d/
+%config(noreplace) %{apache_sysconfdir}/conf.d/mod_security2.conf
+%doc README.md CHANGES NOTICE authors.txt README_SUSE
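Review bot: The new mod_security2.conf points SecTmpDir and SecDataDir at /var/lib/mod_security2, but %install never creates that directory and %files does not own it, so on a fresh install ModSecurity has nowhere to write persistent collections (or temporary files for large request bodies) until someone creates the directory by hand. Add something like `mkdir -p %{buildroot}%{_localstatedir}/lib/mod_security2` in %install and a `%dir %attr(0750,wwwrun,root) %{_localstatedir}/lib/mod_security2` entry in %files (owner and mode are a suggestion; pick what the httpd user needs). Two smaller points: `%dir %{apache_sysconfdir}/conf.d/` claims a directory the apache2 package already owns, and the `# make test-regression` line is dropped rather than re-enabled, so the regression suite still does not run in %check.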
 

++++++ README_SUSE ++++++
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Use
#    # a2enmod unique_id
#    # a2enmod security2
#
# to activate the security2 module (it needs mod_unique_id loaded as well).
#
# Configuration directories:
#      /etc/apache2/mod_security2.d         is read first
#      /etc/apache2/mod_security2.d/rules   is read second
#
# owasp-modsecurity-crs and owasp-modsecurity-crs-apache2 can be installed.
#    To test:
#
#         curl 'http://localhost/?foo=/etc/passwd&bar=/bin/sh'
#
#      should give 403 with a matching entry in
#      /var/log/apache2/modsec_audit.log and /var/log/apache2/error_log
#      (the shipped mod_security2.conf sets SecRuleEngine On, so matching
#      rules block rather than only log).
#
# See https://coreruleset.org/docs/1-getting-started/1-1-crs-installation/
# for details.
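The README's check ends at "look for an entry in modsec_audit.log". What follows is an added example, not code from the openSUSE package or from ModSecurity: a small parser for the serial audit log the shipped settings produce (SecAuditLogType Serial, SecAuditLogParts ABIJDEFHZ). It groups the part blocks by boundary token, reads the client and unique id from part A, the request line from part B, the response status from part F, and the rule ids from the "Message:" lines of part H, so you can confirm that the curl probe was denied by a rule and not by the application. The names parse_audit_log and find_requests are mine; the sample log is constructed, and its boundary tokens, unique ids, rule ids, file paths and messages are illustrative rather than captured from a server.

```python
"""Parse a ModSecurity 2.x serial audit log and report which rules denied a request.

Added example for this page, not code from the openSUSE package or from ModSecurity.
The sample log at the bottom is constructed; its boundary tokens, unique ids, rule
ids, file paths and messages are illustrative.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")   # "--<boundary>-<PART>--"
_PART_A = re.compile(r"^\[[^\]]+\]\s+(?P<uid>\S+)\s+(?P<cip>\S+)\s+\d+\s+\S+\s+\d+")
_STATUS = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")        # status line opening part F
_RULE_ID = re.compile(r'\[id "(\d+)"\]')


@dataclass
class Transaction:
    boundary: str
    parts: Dict[str, str] = field(default_factory=dict)    # raw text per part letter
    unique_id: str = ""
    client_ip: str = ""
    request_line: str = ""
    status: Optional[int] = None
    messages: List[str] = field(default_factory=list)       # "Message:" lines of part H

    @property
    def denied(self) -> bool:
        return any(m.startswith("Access denied") for m in self.messages)

    @property
    def rule_ids(self) -> List[str]:
        return [rid for m in self.messages for rid in _RULE_ID.findall(m)]


def parse_audit_log(text: str) -> List[Transaction]:
    """Group part blocks by boundary token, then extract the fields worth reporting."""
    txns: Dict[str, Transaction] = {}
    current = None          # (boundary, part letter) of the block being collected
    buf: List[str] = []
    for line in text.splitlines():
        m = _BOUNDARY.match(line)
        if not m:
            buf.append(line)
            continue
        if current is not None:
            txns[current[0]].parts[current[1]] = "\n".join(buf).strip("\n")
        boundary, part = m.group(1), m.group(2)
        txns.setdefault(boundary, Transaction(boundary))
        current, buf = (boundary, part), []
    if current is not None:
        txns[current[0]].parts[current[1]] = "\n".join(buf).strip("\n")
    for t in txns.values():
        a = _PART_A.match(t.parts.get("A", "").strip())
        if a:
            t.unique_id, t.client_ip = a["uid"], a["cip"]
        t.request_line = t.parts.get("B", "").split("\n", 1)[0]
        s = _STATUS.match(t.parts.get("F", ""))
        t.status = int(s.group(1)) if s else None
        t.messages = [ln[len("Message: "):] for ln in t.parts.get("H", "").splitlines()
                      if ln.startswith("Message: ")]
    return list(txns.values())


def find_requests(txns: List[Transaction], needle: str) -> List[Transaction]:
    """Transactions whose request line contains needle, e.g. the probe's query string."""
    return [t for t in txns if needle in t.request_line]


# Constructed sample: the README's curl probe, blocked by the CRS, plus an unrelated 500
# that is logged only because SecAuditLogRelevantStatus "^(?:5|4(?!04))" matches it.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[27/Jan/2025:21:00:01 +0100] Z5f8XxEaGc7b1AAAAAAAAAAA 127.0.0.1 41234 127.0.0.1 80
--1a2b3c4d-B--
GET /?foo=/etc/passwd&bar=/bin/sh HTTP/1.1

--1a2b3c4d-F--
HTTP/1.1 403 Forbidden

--1a2b3c4d-H--
Message: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/apache2/mod_security2.d/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "82"] [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/apache2/mod_security2.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "EMERGENCY"]
Engine-Mode: "ENABLED"

--1a2b3c4d-Z--
--5e6f7a8b-A--
[27/Jan/2025:21:00:05 +0100] Z5f8YxEaGc7b1AAAAAAAAAAB 127.0.0.1 41236 127.0.0.1 80
--5e6f7a8b-B--
GET /healthz HTTP/1.1

--5e6f7a8b-F--
HTTP/1.1 500 Internal Server Error

--5e6f7a8b-H--

--5e6f7a8b-Z--
"""
```

Run it against /var/log/apache2/modsec_audit.log after the curl probe: a probe transaction with status 403, denied True and a rule id from the CRS confirms both that the rules under /etc/apache2/mod_security2.d/rules/ loaded and that the engine is blocking. A 403 whose part H carries no "Access denied" message means the application, not ModSecurity, rejected the request; a 200 with Warning messages only means the engine is still in DetectionOnly somewhere in the configuration.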

++++++ apache2-mod_security2-no_rpath.diff ++++++
--- /var/tmp/diff_new_pack.FRrHCb/_old  2025-01-27 20:56:10.156896895 +0100
+++ /var/tmp/diff_new_pack.FRrHCb/_new  2025-01-27 20:56:10.160897059 +0100
@@ -1,8 +1,8 @@
-Index: apache2/Makefile.am
+Index: modsecurity-v2.9.8/apache2/Makefile.am
 ===================================================================
---- a/apache2/Makefile.am.orig
-+++ b/apache2/Makefile.am
-@@ -118,7 +118,7 @@ mod_security2_la_LDFLAGS = -module -avoi
+--- modsecurity-v2.9.8.orig/apache2/Makefile.am
++++ modsecurity-v2.9.8/apache2/Makefile.am
+@@ -125,7 +125,7 @@ mod_security2_la_LDFLAGS = -module -avoi
  endif
  
  if LINUX
@@ -11,11 +11,11 @@
      @APR_LDFLAGS@ \
      @APU_LDFLAGS@ \
      @APXS_LDFLAGS@ \
-Index: apache2/Makefile.in
+Index: modsecurity-v2.9.8/apache2/Makefile.in
 ===================================================================
---- a/apache2/Makefile.in.orig
-+++ b/apache2/Makefile.in
-@@ -691,7 +691,7 @@ libinjection/mod_security2_la-libinjecti
+--- modsecurity-v2.9.8.orig/apache2/Makefile.in
++++ modsecurity-v2.9.8/apache2/Makefile.in
+@@ -743,7 +743,7 @@ libinjection/mod_security2_la-libinjecti
        libinjection/$(DEPDIR)/$(am__dirstamp)
  
  mod_security2.la: $(mod_security2_la_OBJECTS) 
$(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES) 
@@ -24,11 +24,11 @@
  
  mostlyclean-compile:
        -rm -f *.$(OBJEXT)
-Index: build/libtool.m4
+Index: modsecurity-v2.9.8/build/libtool.m4
 ===================================================================
---- a/build/libtool.m4.orig
-+++ b/build/libtool.m4
-@@ -5053,7 +5053,7 @@ dnl Note also adjust exclude_expsyms for
+--- modsecurity-v2.9.8.orig/build/libtool.m4
++++ modsecurity-v2.9.8/build/libtool.m4
+@@ -5079,7 +5079,7 @@ dnl Note also adjust exclude_expsyms for
      # are reset later if shared libraries are not supported. Putting them
      # here allows them to be overridden if necessary.
      runpath_var=LD_RUN_PATH
@@ -37,7 +37,7 @@
      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
      # ancient GNU ld didn't support --whole-archive et. al.
      if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
-@@ -5322,7 +5322,7 @@ _LT_EOF
+@@ -5350,7 +5350,7 @@ _LT_EOF
          # DT_RUNPATH tag from executables and libraries.  But doing so
          # requires that you compile everything twice, which is a pain.
          if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; 
then
@@ -46,7 +46,7 @@
            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs 
$compiler_flags $wl-soname $wl$soname -o $lib'
            _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs 
$compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file 
$wl$export_symbols -o $lib'
          else
-@@ -6409,7 +6409,7 @@ if test yes != "$_lt_caught_CXX_error";
+@@ -6439,7 +6439,7 @@ if test yes != "$_lt_caught_CXX_error";
          _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib 
$predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname 
$wl$soname -o $lib'
          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib 
$predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname 
$wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
  

++++++ mod_security2.conf ++++++
--- /var/tmp/diff_new_pack.FRrHCb/_old  2025-01-27 20:56:10.196898543 +0100
+++ /var/tmp/diff_new_pack.FRrHCb/_new  2025-01-27 20:56:10.200898708 +0100
@@ -1,294 +1,56 @@
-
-# Dear administrator/webmaster,
-#
-# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
-# the configuration of mod_security2.
-# Please read this text down to line 63 for information about activation
-# and configuration of the mod_security2 apache module.
-#
-# To activate mod_security2, its apache module must be configured to be
-# loaded when apache starts. The mod_security2 apache module depends on 
-# the module mod_unique_id to be able to run. This means that both apache
-# modules must be activated/loaded when apache starts.
-
-# Change the configuration to load these two modules by adding the two
-# module names "security2" and "unique_id" to the variable APACHE_MODULES
-# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
-# a2enmod (enable apache module) and a2dismod (disable apache module). 
-# These two tools expect the name of the module without the leading 
-# "mod_" as an argument!
-#
-# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
-# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then 
-# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
-# script.
-#
-# example for the use of a2enmod/a2dismod:
-#
-# a2enmod security2            # enable module security2
-# a2enmod unique_id            # enable module unique_id
-#
-# a2dismod security2           # disable
-# a2dismod unique_id           # %
-
-#
-# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
-# configuration settings, then loads
-#   /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
-# which is the baseline for the rules that can be loaded later.
-#
-# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
-# For the rules you wish to apply, place a symlink to the rules file there.
-#
-# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9
-# is contained in this package, a splendid set of rules made to provide for a
-# decent basic and even advanced protection. The rules files are contained
-# in the directory /usr/share/apache2-mod_security2/rules/.
-#
-# Example (use all of the basic rules that come with the package):
-#
-# cd /etc/apache2/mod_security2.d
-# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
-#   ln -s $i .
-# done
-#
-# At last, simply restart apache:
-#   rcapache2 restart
-#
-# In doubt, please consult the valuable online documentation on the project's
-# website, which is the authoritative source for documentation.
-# For offline reading, the webpages for the Reference Guide and the FAQ are
-# located in the package's documentation directory, in the state of 2013/01:
-# /usr/share/doc/packages/apache2-mod_security2
-#
-# Roman Drahtmueller <[email protected]>, SUSE, 20140610.
-#
-
-
-
 <IfModule mod_security2.c>
-
-# -- Rule engine initialization ----------------------------------------------
-
-# Enable ModSecurity, attaching it to every transaction. Use detection
-# only to start with, because that minimises the chances of post-installation
-# disruption.
-#
-SecRuleEngine DetectionOnly
-
-
-# -- Request body handling ---------------------------------------------------
-
-# Allow ModSecurity to access request bodies. If you don't, ModSecurity
-# won't be able to see any POST parameters, which opens a large security
-# hole for attackers to exploit.
-#
-SecRequestBodyAccess On
-
-
-# Enable XML request body parser.
-# Initiate XML Processor in case of xml content-type
-#
-SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-     
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-
-
-# Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-SecRequestBodyLimit 13107200
-SecRequestBodyNoFilesLimit 131072
-
-# Store up to 128 KB of request body data in memory. When the multipart
-# parser reachers this limit, it will start using your hard disk for
-# storage. That is slow, but unavoidable.
-#
-SecRequestBodyInMemoryLimit 131072
-
-# What do do if the request body size is above our configured limit.
-# Keep in mind that this setting will automatically be set to ProcessPartial
-# when SecRuleEngine is set to DetectionOnly mode in order to minimize
-# disruptions when initially deploying ModSecurity.
-#
-SecRequestBodyLimitAction Reject
-
-# Verify that we've correctly processed the request body.
-# As a rule of thumb, when failing to process a request body
-# you should reject the request (when deployed in blocking mode)
-# or log a high-severity alert (when deployed in detection-only mode).
-#
-SecRule REQBODY_ERROR "!@eq 0" \
-"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request 
body.',logdata:'%{reqbody_error_msg}',severity:2"
-
-# By default be strict with what we accept in the multipart/form-data
-# request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
-#
-SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200002',phase:2,t:none,log,deny,status:44, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected 
a possible unmatched boundary.'"
-
-# PCRE Tuning
-# We want to avoid a potential RegEx DoS condition
-#
-SecPcreMatchLimit 1000
-SecPcreMatchLimitRecursion 1000
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_".  The following flags currently exist:
-#
-# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^MSC_/ "!@streq 0" \
-        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error 
flagged: %{MATCHED_VAR_NAME}'"
-
-
-# -- Response body handling --------------------------------------------------
-
-# Allow ModSecurity to access response bodies. 
-# You should have this directive enabled in order to identify errors
-# and data leakage issues.
-# 
-# Do keep in mind that enabling this directive does increases both
-# memory consumption and response latency.
-#
-SecResponseBodyAccess On
-
-# Which response MIME types do you want to inspect? You should adjust the
-# configuration below to catch documents but avoid static files
-# (e.g., images and archives).
-#
-SecResponseBodyMimeType text/plain text/html text/xml
-
-# Buffer response bodies of up to 512 KB in length.
-SecResponseBodyLimit 524288
-
-# What happens when we encounter a response body larger than the configured
-# limit? By default, we process what we have and let the rest through.
-# That's somewhat less secure, but does not break any legitimate pages.
-#
-SecResponseBodyLimitAction ProcessPartial
-
-
-# -- Filesystem configuration ------------------------------------------------
-
-# The location where ModSecurity stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-# 
-# This default setting is chosen due to all systems have /tmp available 
however, 
-# this is less than ideal. It is recommended that you specify a location 
that's private.
-#
-SecTmpDir /tmp/
-
-# The location where ModSecurity will keep its persistent data.  This default 
setting 
-# is chosen due to all systems have /tmp available however, it
-# too should be updated to a place that other users can't access.
-#
-SecDataDir /tmp/
-
-
-# -- File uploads handling configuration -------------------------------------
-
-# The location where ModSecurity stores intercepted uploaded files. This
-# location must be private to ModSecurity. You don't want other users on
-# the server to access the files, do you?
-#
-#SecUploadDir /opt/modsecurity/var/upload/
-
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
-#
-#SecUploadKeepFiles RelevantOnly
-
-# Uploaded files are by default created with permissions that do not allow
-# any other user to access them. You may need to relax that if you want to
-# interface ModSecurity to an external program (e.g., an anti-virus).
-#
-#SecUploadFileMode 0600
-
-
-# -- Debug log configuration -------------------------------------------------
-
-# The default debug log configuration is to duplicate the error, warning
-# and notice messages from the error log.
-#
-#SecDebugLog /var/log/apache2/modsec_debug.log
-#SecDebugLogLevel 3
-
-# -- Audit log configuration -------------------------------------------------
-
-# Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
-# level response status codes).
-#
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-
-# Log everything we know about a transaction.
-SecAuditLogParts ABIJDEFHZ
-
-# Use a single file for logging. This is much easier to look at, but
-# assumes that you will use the audit log only ocassionally.
-#
-SecAuditLogType Serial
-SecAuditLog /var/log/apache2/modsec_audit.log
-
-# Specify the path for concurrent audit logging.
-#SecAuditLogStorageDir /opt/modsecurity/var/audit/
-
-
-# -- Miscellaneous -----------------------------------------------------------
-
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
-
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
-
-# Specify your Unicode Code Point.
-# This mapping is used by the t:urlDecodeUni transformation function
-# to properly map encoded data to your language. Properly setting
-# these directives helps to reduce false positives and negatives.
-#
-#SecUnicodeCodePage 20127
-#SecUnicodeMapFile unicode.mapping
-
-
-
-
-
-
-Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
-# as set up with symlinks for files that are placed here:
-Include /etc/apache2/mod_security2.d/*.conf
-
+    # Default recommended configuration
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse 
request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request 
body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser 
detected a possible unmatched boundary.'"
+
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
+
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error 
flagged: %{MATCHED_VAR_NAME}'"
+
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/apache2/modsec_debug.log
+    SecDebugLogLevel 0
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/apache2/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security2
+    SecDataDir /var/lib/mod_security2
+
+    IncludeOptional /etc/apache2/mod_security2.d/*.conf
+    IncludeOptional /etc/apache2/mod_security2.d/rules/*.conf
+            
 </IfModule>
 
+
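Review bot: Rule 200002 was corrected to `status:400`, but rule 200003 (MULTIPART_UNMATCHED_BOUNDARY) still carries `status:44`, which is not a valid HTTP status code; make it `status:400` as well so a denied request gets a sane response. Also worth a sentence in the changes file, since this hunk changes what a default install does: SecRuleEngine On where the previous file started in DetectionOnly, so together with the new Recommends on owasp-modsecurity-crs-apache2 a fresh install blocks immediately instead of logging first; SecResponseBodyAccess Off disables any response-side rules (information-leakage checks) a rule set may carry; and SecTmpDir/SecDataDir /var/lib/mod_security2 must exist and be writable by the httpd user, or collections cannot be persisted.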

++++++ modsecurity-2.9.3-input_filtering_errors.patch ++++++
--- /var/tmp/diff_new_pack.FRrHCb/_old  2025-01-27 20:56:10.212899202 +0100
+++ /var/tmp/diff_new_pack.FRrHCb/_new  2025-01-27 20:56:10.216899367 +0100
@@ -1,7 +1,8 @@
-diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c 
modsecurity-2.9.3.new/apache2/apache2_io.c
---- modsecurity-2.9.3.old/apache2/apache2_io.c 2018-12-04 19:49:37.000000000 
+0100
-+++ modsecurity-2.9.3.new/apache2/apache2_io.c 2021-02-12 13:28:27.739749566 
+0100
-@@ -209,6 +209,10 @@
+Index: modsecurity-v2.9.8/apache2/apache2_io.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/apache2_io.c
++++ modsecurity-v2.9.8/apache2/apache2_io.c
+@@ -222,6 +222,10 @@ apr_status_t read_request_body(modsec_re
               *      too large and APR_EGENERAL when the client disconnects.
               */
              switch(rc) {
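Review bot: This hunk only re-anchors the downstream patch from its 2.9.3 base to modsecurity-v2.9.8 (the @@ header now carries the read_request_body context, which helps), so it remains a local fix carried since 2021 with no upstream reference in the patch header or the spec; add a header line naming the upstream issue or pull request it corresponds to, or a note that it was submitted, so the next refresh can tell whether it is still needed.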
@@ -12,7 +13,7 @@
                  case APR_INCOMPLETE :
                      *error_msg = apr_psprintf(msr->mp, "Error reading request 
body: %s", get_apr_error(msr->mp, rc));
                      return -7;
-@@ -218,7 +222,7 @@
+@@ -231,7 +235,7 @@ apr_status_t read_request_body(modsec_re
                  case APR_TIMEUP :
                      *error_msg = apr_psprintf(msr->mp, "Error reading request 
body: %s", get_apr_error(msr->mp, rc));
                      return -4;
@@ -21,10 +22,11 @@
                      *error_msg = apr_psprintf(msr->mp, "Error reading request 
body: HTTP Error 413 - Request entity too large. (Most likely.)");
                      return -3;
                  case APR_EGENERAL :
-diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c 
modsecurity-2.9.3.new/apache2/mod_security2.c
---- modsecurity-2.9.3.old/apache2/mod_security2.c      2018-12-04 
19:49:37.000000000 +0100
-+++ modsecurity-2.9.3.new/apache2/mod_security2.c      2021-02-12 
13:34:22.940428406 +0100
-@@ -1013,7 +1013,7 @@
+Index: modsecurity-v2.9.8/apache2/mod_security2.c
+===================================================================
+--- modsecurity-v2.9.8.orig/apache2/mod_security2.c
++++ modsecurity-v2.9.8/apache2/mod_security2.c
+@@ -1032,7 +1032,7 @@ static int hook_request_late(request_rec
      }
  
      rc = read_request_body(msr, &my_error_msg);
@@ -33,7 +35,7 @@
          switch(rc) {
              case -1 :
                  if (my_error_msg != NULL) {
-@@ -1021,6 +1021,21 @@
+@@ -1040,6 +1040,21 @@ static int hook_request_late(request_rec
                  }
                  return HTTP_INTERNAL_SERVER_ERROR;
                  break;
@@ -55,7 +57,7 @@
              case -4 : /* Timeout. */
                  if (my_error_msg != NULL) {
                      msr_log(msr, 4, "%s", my_error_msg);
-@@ -1042,19 +1057,11 @@
+@@ -1061,19 +1076,11 @@ static int hook_request_late(request_rec
                      }
                  }
                  break;

++++++ modsecurity-fixes.patch ++++++
--- /var/tmp/diff_new_pack.FRrHCb/_old  2025-01-27 20:56:10.228899862 +0100
+++ /var/tmp/diff_new_pack.FRrHCb/_new  2025-01-27 20:56:10.232900027 +0100
@@ -1,8 +1,8 @@
-Index: modsecurity-2.9.0/apache2/msc_status_engine.c
+Index: modsecurity-v2.9.8/apache2/msc_status_engine.c
 ===================================================================
---- modsecurity-2.9.0.orig/apache2/msc_status_engine.c
-+++ modsecurity-2.9.0/apache2/msc_status_engine.c
-@@ -37,6 +37,8 @@
+--- modsecurity-v2.9.8.orig/apache2/msc_status_engine.c
++++ modsecurity-v2.9.8/apache2/msc_status_engine.c
+@@ -40,6 +40,8 @@
  #if (defined(__linux__) || defined(__gnu_linux__))
  #include <linux/if.h>
  #include <linux/sockios.h>
@@ -11,11 +11,11 @@
  #endif
  #ifdef HAVE_SYS_UTSNAME_H
  #include <sys/utsname.h>
-Index: modsecurity-2.9.0/apache2/msc_remote_rules.c
+Index: modsecurity-v2.9.8/apache2/msc_remote_rules.c
 ===================================================================
---- modsecurity-2.9.0.orig/apache2/msc_remote_rules.c
-+++ modsecurity-2.9.0/apache2/msc_remote_rules.c
-@@ -792,6 +792,7 @@ next:
+--- modsecurity-v2.9.8.orig/apache2/msc_remote_rules.c
++++ modsecurity-v2.9.8/apache2/msc_remote_rules.c
+@@ -797,6 +797,7 @@ next:
          "compilation.";
      return -1;
  #endif
@@ -23,10 +23,10 @@
  }
  
  
-Index: modsecurity-2.9.0/apache2/msc_util.c
+Index: modsecurity-v2.9.8/apache2/msc_util.c
 ===================================================================
---- modsecurity-2.9.0.orig/apache2/msc_util.c
-+++ modsecurity-2.9.0/apache2/msc_util.c
+--- modsecurity-v2.9.8.orig/apache2/msc_util.c
++++ modsecurity-v2.9.8/apache2/msc_util.c
 @@ -18,6 +18,7 @@
  #include <stdlib.h>
  #include <sys/types.h>
