Hello community,

here is the log from the commit of package owasp-modsecurity-crs for 
openSUSE:Factory checked in at 2023-09-01 14:21:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/owasp-modsecurity-crs (Old)
 and      /work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "owasp-modsecurity-crs"

Fri Sep  1 14:21:58 2023 rev:8 rq:1108448 version:3.3.5

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/owasp-modsecurity-crs/owasp-modsecurity-crs.changes  
    2020-12-23 14:22:06.109776775 +0100
+++ 
/work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.1766/owasp-modsecurity-crs.changes
    2023-09-01 14:22:34.303429191 +0200
@@ -1,0 +2,27 @@
+Fri Sep  1 09:33:41 UTC 2023 - Robert Frohl <[email protected]>
+
+- use upstream archive for building the package, the base folder name in the
+  archive changed
+
+-------------------------------------------------------------------
+Wed Aug 16 06:54:59 UTC 2023 - Alessandro de Oliveira Faria 
<[email protected]>
+
+- Version 3.3.5.
+  * This is the OWASP ModSecurity Core Rule Set version 3.3.5.
+  * Important changes:
+    - Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea 
Menin, Felipe Zipitría)
+  * Fixes:
+    - Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
+    - Move auditLogParts actions to the end of chained rules where used (Ervin 
Hegedus)
+  * Chore:
+    - Clean up redundant paranoia level tags (Ervin Hegedus)
+    - Clean up YAML test files to support go-ftw testing framework (Felipe 
Zipitría)
+    - Move testing framework from ftw to go-ftw (Felipe Zipitría)
+
+-------------------------------------------------------------------
+Fri May 19 06:19:43 UTC 2023 - Alessandro de Oliveira Faria 
<[email protected]>
+
+- Version 3.3.4.
+  * Important Notice: From CRS 3.2.2, 3.3.3 and up, ModSecurity 2.9.6 or 3.0.8 
(or versions with backported patches) are required due to the addition of new 
protections. We recommend upgrading your ModSecurity as soon as possible. If 
your ModSecurity is too old, your webserver will refuse to start with an 
Unknown variable: &MULTIPART_PART_HEADERS error. If you are in trouble, you can 
temporarily delete file rules/REQUEST-922-MULTIPART-ATTACK.conf as a workaround 
and get your server up, however, you will be missing some protections. 
Therefore we recommend to upgrade ModSecurity before deploying this release.
+ 
+-------------------------------------------------------------------
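Review bot: The new entries (the 3.3.5 and 3.3.4 blocks and the top entry about the upstream archive) say nothing about the packaging changes made in the spec: the base_rules, optional_rules, experimental_rules and slr_rules subpackages are dropped, an apache2 subpackage is added, and modsecurity_crs_10_setup.conf becomes crs-setup.conf. Add a line for these to the top entry, since an admin updating from the 2.2.9 package has to redo the rules.d symlinks and the setup include. The 3.3.4 notice also states that ModSecurity 2.9.6 or 3.0.8 is required; the entry should say whether the distribution's apache2-mod_security2 meets that. The line "+ " before the final separator carries trailing whitespace.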
@@ -50 +76,0 @@
-

Old:
----
  2.2.9.tar.gz
  _service

New:
----
  owasp-modsecurity-crs-3.3.5.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ owasp-modsecurity-crs.spec ++++++
--- /var/tmp/diff_new_pack.VcVvN2/_old  2023-09-01 14:22:35.595475306 +0200
+++ /var/tmp/diff_new_pack.VcVvN2/_new  2023-09-01 14:22:35.603475592 +0200
@@ -1,8 +1,8 @@
 #
 # spec file for package owasp-modsecurity-crs
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# Copyright (c) 2012 Thomas Worm <[email protected]>
+# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2023 Alessandro de Oliveira Faria (A.K.A CABELO) 
<[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
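Review bot: The two removed copyright lines at the top of the header (2015 SUSE LINUX Products GmbH and 2012 Thomas Worm) are replaced rather than kept alongside the new 2023 lines. Unless the spec was rewritten from scratch, keep the earlier holders and append the new ones; the unchanged text right below says third-party contributions remain the property of their copyright owners.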
@@ -13,89 +13,86 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
+%define apxs2 %{_bindir}/apxs
+%define apache2 apache2
+%define apache2_mm %(MMN=$(%{apxs2} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
+%define apache2_libexecdir %(%{apxs2} -q LIBEXECDIR)
+%define apache2_sysconfdir %(%{apxs2} -q SYSCONFDIR)
+%define apache2_includedir %(%{apxs2} -q INCLUDEDIR)
+%define apache2_serverroot %(%{apxs2} -q PREFIX)
+%define apache2_localstatedir %(%{apxs2} -q LOCALSTATEDIR)
 Name:           owasp-modsecurity-crs
-
-BuildRequires:  apache-rpm-macros
+Version:        3.3.5
+Release:        0
+Summary:        OWASP ModSecurity Common Rule Set (CRS)
+License:        Apache-2.0
+Group:          Productivity/Networking/Security
+URL:            https://coreruleset.org
+Source0:        
https://github.com/coreruleset/coreruleset/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.xz
+Source99:       README.SUSE
+Source100:      %{name}-rpmlintrc
 BuildRequires:  apache2-devel
 BuildRequires:  gcc-c++
 BuildRequires:  rpm-devel
 BuildRequires:  zlib-devel
-
-Version:        2.2.9
-Release:        0
 Provides:       %{name} = %{version}
-Source0:        
https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/%{version}.tar.gz
-Source99:       README.SUSE
-Source100:      %{name}-rpmlintrc
-Url:            
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 BuildArch:      noarch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Summary:        OWASP ModSecurity Common Rule Set (CRS)
-License:        Apache-2.0
-Group:          Productivity/Networking/Security
-Requires:       apache2-mod_security2
-
-%define rule_sets base_rules experimental_rules optional_rules slr_rules
 
 %description
-ModSecurity™ is a web application firewall engine that provides very little 
protection on its own. In order to become useful, ModSecurity™ must be 
configured with rules. In order to enable users to take full advantage of 
ModSecurity™ out of the box, Trustwave's SpiderLabs is providing a free 
certified rule set for ModSecurity™ 2.x. Unlike intrusion detection and 
prevention systems, which rely on signatures specific to known vulnerabilities, 
the Core Rules provide generic protection from unknown vulnerabilities often 
found in web applications, which are in most cases custom coded. The Core Rules 
are heavily commented to allow it to be used as a step-by-step deployment guide 
for ModSecurity™. 
+The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection 
rules for use with ModSecurity
+or compatible web application firewalls. The CRS aims to protect web 
applications from a wide range of attacks,
+including the OWASP Top Ten, with a minimum of false alerts.
 
-Core Rules Content 
-
-In order to provide generic web applications protection, the Core Rules use 
the following techniques: 
-
-HTTP Protection - detecting violations of the HTTP protocol and a locally 
defined usage policy. 
-Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation 
-Web-based Malware Detection - identifies malicious web content by check 
against the Google Safe Browsing API. 
-HTTP Denial of Service Protections - defense against HTTP Flooding and Slow 
HTTP DoS Attacks. 
-Common Web Attacks Protection - detecting common web application security 
attack. 
-Automation Detection - Detecting bots, crawlers, scanners and other surface 
malicious activity. 
-Integration with AV Scanning for File Uploads - detects malicious files 
uploaded through the web application. 
-Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages. 
-Trojan Protection - Detecting access to Trojans horses. 
-Identification of Application Defects - alerts on application 
misconfigurations. 
-Error Detection and Hiding - Disguising error messages sent by the server. 
+%package apache2
+Summary:        OWASP ModSecurity Common Rule Set (CRS)
+Group:          Productivity/Networking/Security
+Requires:       %{name} = %{version}
+Requires:       apache2-mod_security2
 
+%description apache2
+The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection 
rules for use with ModSecurity
+or compatible web application firewalls. The CRS aims to protect web 
applications from a wide range of attacks,
+including the OWASP Top Ten, with a minimum of false alerts.
 
+Includes Apache httpd 2.x rules
 
 %prep
-%setup -q -n %{name}-%{version}
-sed -i -e '/^#!/c#!/usr/bin/lua' lua/*.lua
-sed -i -e '/^#!/c#!/usr/bin/perl' util/*/*.pl util/*/*.cgi
-%{__cp} %{S:99} .
+%setup -q -n coreruleset-%{version}
+sed -i -e '/^#!/c#!%{_bindir}/perl' util/*/*.pl
+cp %{SOURCE99} .
 
 %build
 # Build configuration files
 mkdir -p .%{_sysconfdir}/%{name}/rules.d
-for rule_set in %{rule_sets}
+mkdir -p .%{_sysconfdir}/%{name}/rules
+
+for rule in rules/*.conf
 do
-  mkdir -p .%{_sysconfdir}/%{name}/$rule_set
-  for rule in `find $rule_set -name *.conf -printf "%f\\n"|sort`
-  do
-    echo "Include \"%{_datadir}/%{name}/$rule_set/$rule\"" > 
.%{_sysconfdir}/%{name}/$rule_set/$rule
-    echo "Include \"%{_sysconfdir}/%{name}/$rule_set/$rule\"" >> 
.%{_sysconfdir}/%{name}/$rule_set.conf
-  done
-  ln -s ../$rule_set.conf .%{_sysconfdir}/%{name}/rules.d/$rule_set.conf
+  RULE=$(basename ${rule})
+  echo "Include \"%{_datadir}/%{name}/rules/$RULE\"" > 
.%{_sysconfdir}/%{name}/rules/$RULE
+  echo "Include \"%{_sysconfdir}/%{name}/rules/$RULE\"" >> 
.%{_sysconfdir}/%{name}/rules.conf
 done
-echo "Include \"%{_datadir}/%{name}/modsecurity_crs_10_setup.conf.example\"" > 
.%{_sysconfdir}/%{name}/modsecurity_crs_10_setup.conf
+ln -s ../rules.conf .%{_sysconfdir}/%{name}/rules.d/rules.conf
+
+echo "Include \"%{_datadir}/%{name}/crs-setup.conf.example\"" > 
.%{_sysconfdir}/%{name}/crs-setup.conf
 # Create Apache2 include
-mkdir -p .%{apache_sysconfdir}/conf.d
-echo "<IfModule mod_security2.c>" > .%{apache_sysconfdir}/conf.d/%{name}.conf
-echo -e "\tInclude \"%{_sysconfdir}/%{name}/modsecurity_crs_10_setup.conf\"" 
>> .%{apache_sysconfdir}/conf.d/%{name}.conf
-echo -e "\tInclude \"%{_sysconfdir}/%{name}/rules.d/*\"" >> 
.%{apache_sysconfdir}/conf.d/%{name}.conf
-echo "</IfModule>" >> .%{apache_sysconfdir}/conf.d/%{name}.conf
+mkdir -p .%{apache2_sysconfdir}/conf.d
+echo "<IfModule mod_security2.c>" > .%{apache2_sysconfdir}/conf.d/%{name}.conf
+echo -e "\tInclude \"%{_sysconfdir}/%{name}/crs-setup.conf\"" >> 
.%{apache2_sysconfdir}/conf.d/%{name}.conf
+echo -e "\tInclude \"%{_sysconfdir}/%{name}/rules.d/*\"" >> 
.%{apache2_sysconfdir}/conf.d/%{name}.conf
+echo "</IfModule>" >> .%{apache2_sysconfdir}/conf.d/%{name}.conf
 
 %install
 # CRS data
 mkdir -p %{buildroot}%{_datadir}/%{name}
-cp -dr {lua,util,*.conf*} %{buildroot}%{_datadir}/%{name}/
+cp -dr {util,*.conf*} %{buildroot}%{_datadir}/%{name}/
 for rule_set in %{rule_sets}
 do
-cp -r $rule_set %{buildroot}%{_datadir}/%{name}/
+cp -r rules %{buildroot}%{_datadir}/%{name}/
 done
 # Configuration files
 mkdir -p %{buildroot}/%{_sysconfdir}
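Review bot: In %install the loop header "for rule_set in %{rule_sets}" is left in place while this same hunk removes "%define rule_sets ...", so the macro is no longer defined, and the loop body "cp -r rules ..." no longer uses $rule_set at all. Drop the for/do/done wrapper and keep the single cp line. Two smaller points in the preamble: Source0 downloads "v%{version}.tar.gz" but renames it to "%{name}-%{version}.tar.xz", so the file name claims a compression the URL does not deliver; and "Requires: apache2-mod_security2" in the apache2 subpackage is unversioned although the changelog says ModSecurity 2.9.6 or 3.0.8 is required, so a versioned Requires would turn the "Unknown variable: &MULTIPART_PART_HEADERS" startup failure into a dependency error at install time. Of the apxs-based %define lines, only apache2_sysconfdir is used in the visible spec; the rest can go.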
@@ -103,73 +100,30 @@
 
 %files
 %defattr(644,root,root,755)
-%doc CHANGES
-%doc LICENSE
-%doc README.md
-%doc README.SUSE
+%doc CHANGES.md README.md README.SUSE
+%license LICENSE
 %dir %{_datadir}/%{name}
-%{_datadir}/%{name}/lua
 %{_datadir}/%{name}/util
+%attr(0754, root, root) %{_datadir}/%{name}/util/av-scanning/runav.pl
+%attr(0754, root, root) %{_datadir}/%{name}/util/crs2-renumbering/update.py
+%attr(0754, root, root) %{_datadir}/%{name}/util/join-multiline-rules/join.py
+%attr(0754, root, root) 
%{_datadir}/%{name}/util/regexp-assemble/regexp-assemble-v2.pl
+%attr(0754, root, root) 
%{_datadir}/%{name}/util/regexp-assemble/regexp-assemble.pl
+%attr(0754, root, root) 
%{_datadir}/%{name}/util/regexp-assemble/regexp-cmdline.py
+%attr(0754, root, root) %{_datadir}/%{name}/util/send-payload-pls.sh
+%attr(0754, root, root) %{_datadir}/%{name}/util/verify.rb
+%attr(0754, root, root) 
%{_datadir}/%{name}/util/virtual-patching/arachni2modsec.pl
+%attr(0754, root, root) %{_datadir}/%{name}/util/virtual-patching/zap2modsec.pl
 %{_datadir}/%{name}/*.conf*
-%config(noreplace) %{apache_sysconfdir}/conf.d/%{name}.conf
+%{_datadir}/%{name}/rules
+
+%files apache2
+%config(noreplace) %{apache2_sysconfdir}/conf.d/%{name}.conf
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/rules.d
-%config(noreplace) %{_sysconfdir}/%{name}/modsecurity_crs_10_setup.conf
-
-%package base_rules
-Summary:        Base rules for OWASP ModSecurity CRS
-Group:          Productivity/Networking/Security
-Requires:       %{name} = %{version}
-
-%description base_rules
-Base rules for HTTP Protocol Validation, Common Web Attacks Protection, Trojan 
Protection, InfoLeakages, ...
-
-%files base_rules
-%defattr(644,root,root,755)
-%{_datadir}/%{name}/base_rules
-%config(noreplace) %{_sysconfdir}/%{name}/base_rules*
-%config(noreplace) %{_sysconfdir}/%{name}/rules.d/base_rules.conf
-
-%package optional_rules
-Summary:        Optional rules for OWASP ModSecurity CRS
-Group:          Productivity/Networking/Security
-Requires:       %{name} = %{version}
-
-%description optional_rules
-Optional rules for HTTP Protocol Validation, Common Web Attacks Protection, 
Request Header Tagging, ...
-
-%files optional_rules
-%defattr(644,root,root,755)
-%{_datadir}/%{name}/optional_rules
-%config(noreplace) %{_sysconfdir}/%{name}/optional_rules*
-%config(noreplace) %{_sysconfdir}/%{name}/rules.d/optional_rules.conf
-
-%package experimental_rules
-Summary:        Experimental rules for OWASP ModSecurity CRS
-Group:          Productivity/Networking/Security
-Requires:       %{name} = %{version}
-
-%description experimental_rules
-Experimental rules for OWASP ModSecurity CRS
-
-%files experimental_rules
-%defattr(644,root,root,755)
-%{_datadir}/%{name}/experimental_rules
-%config(noreplace) %{_sysconfdir}/%{name}/experimental_rules*
-%config(noreplace) %{_sysconfdir}/%{name}/rules.d/experimental_rules.conf
-
-%package slr_rules
-Summary:        SpiderLabs Research (SLR) rules for OWASP ModSecurity CRS
-Group:          Productivity/Networking/Security
-Requires:       %{name} = %{version}
-
-%description slr_rules
-SpiderLabs Research rules for ModSecurity CRS
-
-%files slr_rules
-%defattr(644,root,root,755)
-%{_datadir}/%{name}/slr_rules
-%config(noreplace) %{_sysconfdir}/%{name}/slr_rules*
-%config(noreplace) %{_sysconfdir}/%{name}/rules.d/slr_rules.conf
+%config(noreplace) %{_sysconfdir}/%{name}/crs-setup.conf
+%config(noreplace) %{_sysconfdir}/%{name}/rules
+%config(noreplace) %{_sysconfdir}/%{name}/rules.conf
+%config(noreplace) %{_sysconfdir}/%{name}/rules.d/rules.conf
 
 %changelog
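Review bot: The four removed subpackages (base_rules, optional_rules, experimental_rules, slr_rules) each carried "Requires: %{name} = %{version}", and nothing in the visible spec adds Obsoletes for them, so an installed 2.2.9 subpackage is left with a dependency the updated main package cannot satisfy. Add Obsoletes for the four old names, for example on the apache2 subpackage that takes over their configuration files. In the main %files list, the "%attr(0754, root, root)" entries give other users read but not execute permission on the util scripts and repeat paths already covered by "%{_datadir}/%{name}/util"; 0755 would match the directory mode in %defattr, and the directory entry should then be replaced by explicit entries or a %dir to avoid listing the files twice. "%files apache2" has no %defattr line, and "%config(noreplace) %{_sysconfdir}/%{name}/rules" marks a directory as a config file; list the directory with %dir and the files under it with %config(noreplace).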

++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.VcVvN2/_old  2023-09-01 14:22:35.631476591 +0200
+++ /var/tmp/diff_new_pack.VcVvN2/_new  2023-09-01 14:22:35.635476734 +0200
@@ -11,4 +11,5 @@
 Rules can be (de)activated by adding or removing the symlink in activation
 directory /etc/owasp-modsecurity-crs/rules.d.
 
+Contact: Alessandro de Oliveira Faria ([email protected] or 
[email protected])
 

++++++ owasp-modsecurity-crs-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.VcVvN2/_old  2023-09-01 14:22:35.655477447 +0200
+++ /var/tmp/diff_new_pack.VcVvN2/_new  2023-09-01 14:22:35.659477591 +0200
@@ -1,2 +1,2 @@
-addFilter("/usr/share/owasp-modsecurity-crs/util/runAV/* 
devel-file-in-non-devel-package")
+addFilter("/usr/share/owasp-modsecurity-crs/util/runAV/* 
devel-file-in-non-devel-package") 
 
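Review bot: The filter in the added line still matches "/usr/share/owasp-modsecurity-crs/util/runAV/*", while the new %files list in the spec ships the script as util/av-scanning/runav.pl, so the filter no longer applies to any packaged path; the only change this hunk makes is a trailing space after the closing parenthesis. Point the filter at the new location or drop it if rpmlint no longer raises the warning, and remove the trailing whitespace.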
