[EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64

2015-11-06 Thread Harriman, Chad (SAA)
I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 
broke.  I need to downgrade but I do not have the 
mod_security-2.5.12-2.el6.x86_64 package.
How do I obtain a copy to downgrade?
Chad Harriman
Principal Systems Engineer
U.S. Senate Sergeant At Arms
chad_harri...@saa.senate.gov
(w) 202-224-1592
(c) 202-213-6413

___
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel


Re: [EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64

2015-11-06 Thread Athmane Madjoudj
Hi,

On Fri, Nov 6, 2015 at 1:25 PM, Harriman, Chad (SAA) <
chad_harri...@saa.senate.gov> wrote:

> I have the repo for EPEL synced on my satellite server and the upgrade to
> 2.7 broke.  I need to downgrade but I do not have
> the mod_security-2.5.12-2.el6.x86_64 package.
> How do I obtain a copy to downgrade?
>

I guess you could rebuild the EL5 package (it's 2.6.8 + security patches);
rules for 2.5 should run fine with 2.6.x.

AFAIK, we don't keep the old version of the package in the repo.


Best regards.

-- Athmane


Re: [EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64

2015-11-06 Thread Ken Dreyer
Yeah, the Koji build has been deleted as well:
http://koji.fedoraproject.org/koji/buildinfo?buildID=242226

It would be a good idea to update your rules for 2.7. That
mod_security-2.5.12-2.el6 build is over four years old and subject to
several CVEs...

CVE-2013-5705
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote
attackers to bypass rules by using chunked transfer coding with a
capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2013-2765
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows
remote attackers to cause a denial of service (NULL pointer
dereference, process crash, and disk consumption) via a POST request
with a large body and a crafted Content-Type header.

CVE-2013-1915
ModSecurity before 2.7.3 allows remote attackers to read arbitrary
files, send HTTP requests to intranet servers, or cause a denial of
service (CPU and memory consumption) via an XML external entity
declaration in conjunction with an entity reference, aka an XML
External Entity (XXE) vulnerability.

CVE-2012-4528
The mod_security2 module before 2.7.0 for the Apache HTTP Server
allows remote attackers to bypass rules, and deliver arbitrary POST
data to a PHP application, via a multipart request in which an invalid
part precedes the crafted data.

CVE-2012-2751
ModSecurity before 2.6.6, when used with PHP, does not properly handle
single quotes not at the beginning of a request parameter value in the
Content-Disposition field of a request with a multipart/form-data
Content-Type header, which allows remote attackers to bypass filtering
rules and perform other attacks such as cross-site scripting (XSS)
attacks. NOTE: this vulnerability exists because of an incomplete fix
for CVE-2009-5031.

- Ken

On Fri, Nov 6, 2015 at 9:02 AM, Athmane Madjoudj
 wrote:
> Hi,
>
> On Fri, Nov 6, 2015 at 1:25 PM, Harriman, Chad (SAA)
>  wrote:
>>
>> I have the repo for EPEL synced on my satellite server and the upgrade to
>> 2.7 broke.  I need to downgrade but I do not have the
>> mod_security-2.5.12-2.el6.x86_64 package.
>> How do I obtain a copy to downgrade?
>
>
> I guess you could rebuild the EL5 package (it's 2.6.8 + security patches);
> rules for 2.5 should run fine with 2.6.x.
>
> AFAIK, we don't keep the old version of the package in the repo.
>
>
> Best regards.
>
> -- Athmane
>
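An added example, not part of any message in the thread: a small POSIX sh script that takes a mod_security version (or the RPM version-release as printed by rpm -q) and lists which of the CVEs Ken quoted still apply, using the "before X" fixed-in versions from his message. The version comparison is a purely numeric dotted-version compare (enough for ModSecurity 2.x upstream versions); the RPM release tag is stripped rather than compared, and the CVE-to-version table is copied from the thread, not from any feed.

```shell
#!/bin/sh
# Added example (not from the thread): map a mod_security version to the
# CVEs Ken listed, using the "before X" fixed-in versions from his message.
# Assumes purely numeric dotted upstream versions (true for 2.x ModSecurity);
# the RPM release tag (e.g. "-2.el6") is stripped and not compared.

# Compare two dotted numeric versions segment by segment; prints -1, 0 or 1.
# Missing trailing segments count as 0, so 2.7 == 2.7.0.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Print the CVEs from the thread whose fixed-in version is newer than $1.
# $1 may be a bare version (2.5.12) or an RPM version-release (2.5.12-2.el6).
affected_cves() {
    ver=${1%%-*}
    # CVE and the "before X" version from each description Ken quoted.
    printf '%s\n' \
        "CVE-2013-5705 2.7.6" \
        "CVE-2013-2765 2.7.4" \
        "CVE-2013-1915 2.7.3" \
        "CVE-2012-4528 2.7.0" \
        "CVE-2012-2751 2.6.6" |
    while read -r cve fixed; do
        if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
            echo "$cve"
        fi
    done
}

# On a host: affected_cves "$(rpm -q --qf '%{VERSION}-%{RELEASE}' mod_security)"
# With no argument, report on the build Chad asked for.
affected_cves "${1:-2.5.12-2.el6}"
```

The check is on the upstream version only. A distro build that carries backported fixes (Athmane's "2.6.8 + security patches" EL5 package is one) will be reported as affected even where a CVE was patched, so for such a package the RPM changelog is the thing to read, not the version number.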


Re: [EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64

2015-11-06 Thread James Hogarth
On 6 November 2015 at 21:08, Volker Fröhlich  wrote:
> Am 06.11.2015 um 13:25 schrieb Harriman, Chad (SAA):
>>
>> I have the repo for EPEL synced on my satellite server and the upgrade
>> to 2.7 broke.  I need to downgrade but I do not have
>> the mod_security-2.5.12-2.el6.x86_64 package.
>> How do I obtain a copy to downgrade?
>> Chad Harriman
>> Principal Systems Engineer
>> U.S. Senate Sergeant At Arms
>> chad_harri...@saa.senate.gov
>> (w) 202-224-1592
>> (c) 202-213-6413
>>
>>
>>
>
> By rebuilding the package from commit
> c50316f2698149cea63cd08510321495c6ce1a29 in the el6 branch of the
> mod_security git repo.
>
> I did that for you. I can understand if you don't trust me, but it takes me
> a lot more time to explain it than to do it.
>
> If you like to, you can inspect the src.rpm file I built from that commit
> and build it in mock yourself or do it on COPR.
>
> http://www.geofrogger.net/review/mod_security-debuginfo-2.5.12-2.el6.x86_64.rpm
> http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.x86_64.rpm
> http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.src.rpm
>


Do bear in mind the list of CVEs already provided before rolling this
out however...
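An added example, not Volker's code or anything from the mod_security package itself, of what "inspect the src.rpm and build it in mock yourself" looks like in practice. The SRPM on geofrogger.net is not signed with the EPEL key, so rpm -K cannot vouch for it; the only trust anchor is dist-git plus the lookaside cache. The script therefore checks out the commit Volker named, verifies the lookaside tarball against the dist-git 'sources' file, compares the spec and patches inside the handed-over SRPM with that checkout, and only then rebuilds in a clean chroot. It assumes GNU coreutils (md5sum/sha512sum), fedpkg, rpm2cpio, cpio and mock; the spec filename mod_security.spec follows the dist-git convention and the SRPM path is a placeholder.

```shell
#!/bin/sh
# Added example (not Volker's or the project's code): before installing a
# third-party SRPM, check that what is inside it is what dist-git says it
# should be, then rebuild it yourself in mock. Assumes GNU coreutils
# (md5sum/sha512sum), fedpkg, rpm2cpio, cpio and mock; paths are placeholders.

# Verify every entry in a dist-git 'sources' file against files in $1.
# Handles both the old "md5hex  filename" lines and the newer
# "SHA512 (filename) = hex" lines. Returns 1 on any mismatch or missing file.
# Filenames containing spaces are not supported (dist-git does not use them).
verify_sources() {
    dir=$1
    rc=0
    while read -r f1 f2 f3 f4 || [ -n "$f1" ]; do
        [ -z "$f1" ] && continue
        case $f1 in
            MD5|SHA256|SHA512)
                algo=$(printf '%s' "$f1" | tr 'A-Z' 'a-z')
                name=${f2#\(}; name=${name%\)}
                expected=$f4 ;;
            *)
                algo=md5; expected=$f1; name=$f2 ;;
        esac
        if [ -f "$dir/$name" ]; then
            actual=$("${algo}sum" "$dir/$name" | cut -d' ' -f1)
        else
            actual=missing
        fi
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name ($algo)"
        else
            echo "MISMATCH $name ($algo: expected $expected, got $actual)"
            rc=1
        fi
    done < "$dir/sources"
    return $rc
}

# Network and tooling steps; not exercised by the offline test.
# $1 is the downloaded SRPM, e.g. mod_security-2.5.12-2.el6.src.rpm.
inspect_and_rebuild() {
    srpm=$1
    commit=c50316f2698149cea63cd08510321495c6ce1a29   # el6 commit named in the thread

    # 1. Get the exact dist-git state the SRPM claims to come from, and make
    #    sure the tarball the lookaside cache hands back is the one dist-git names.
    fedpkg clone -a mod_security
    (cd mod_security && git checkout "$commit" && fedpkg sources)
    verify_sources mod_security

    # 2. Unpack the SRPM you were given and compare it with that state.
    #    diff and cmp exit non-zero on any difference, which aborts under set -e.
    mkdir -p srpm
    (cd srpm && rpm2cpio "../$srpm" | cpio -idm)
    diff -u mod_security/mod_security.spec srpm/mod_security.spec
    for f in srpm/*; do
        case $f in
            *.spec) ;;
            *) cmp "$f" "mod_security/$(basename "$f")" ;;
        esac
    done

    # 3. Trust the rebuild, not the binary: build in a clean EL6 chroot and
    #    install the RPMs mock produces, not the ones from the web server.
    mock -r epel-6-x86_64 --rebuild "$srpm"
}

set -e
if [ "$1" = "--rebuild" ] && [ -n "$2" ]; then
    inspect_and_rebuild "$2"
fi
```

Run as ./check.sh --rebuild mod_security-2.5.12-2.el6.src.rpm from an empty directory. Because set -e is on, the script stops at the first checksum, spec or patch that does not match dist-git, which is the point: a binary RPM from someone else's web server is only as trustworthy as your ability to reproduce it. The CVE list earlier in the thread still applies to whatever comes out of mock.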