[EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64
I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 broke. I need to downgrade but I do not have the mod_security-2.5.12-2.el6.x86_64 package. How do I obtain a copy to downgrade? Chad Harriman Principal Systems Engineer U.S. Senate Sergeant At Arms chad_harri...@saa.senate.gov (w) 202-224-1592 (c) 202-213-6413 ___ epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel
Re: [EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64
Hi, On Fri, Nov 6, 2015 at 1:25 PM, Harriman, Chad (SAA) < chad_harri...@saa.senate.gov> wrote: > I have the repo for EPEL synced on my satellite server and the upgrade to > 2.7 broke. I need to downgrade but I do not have > the mod_security-2.5.12-2.el6.x86_64 package. > How do I obtain a copy to downgrade? > I guess, you could rebuild EL5 package (it's 2.6.8 + security pacthes), rules for 2.5 should run fine with 2.6.x. AFAIK, we don't keep the old version of the package in the repo. Best regards. -- Athmane ___ epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel
Re: [EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64
Yeah, the Koji build has been deleted as well: http://koji.fedoraproject.org/koji/buildinfo?buildID=242226 It would be a good idea to update your rules for 2.7. That mod_security-2.5.12-2.el6 build is over four years old and subject to several CVEs... CVE-2013-5705 apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. CVE-2013-2765 The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. CVE-2013-1915 ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. CVE-2012-4528 The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. CVE-2012-2751 ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031. - Ken On Fri, Nov 6, 2015 at 9:02 AM, Athmane Madjoudjwrote: > Hi, > > On Fri, Nov 6, 2015 at 1:25 PM, Harriman, Chad (SAA) > wrote: >> >> I have the repo for EPEL synced on my satellite server and the upgrade to >> 2.7 broke. I need to downgrade but I do not have the >> mod_security-2.5.12-2.el6.x86_64 package. >> How do I obtain a copy to downgrade? > > > I guess, you could rebuild EL5 package (it's 2.6.8 + security pacthes), > rules for 2.5 should run fine with 2.6.x. > > AFAIK, we don't keep the old version of the package in the repo. > > > Best regards. > > -- Athmane > > ___ > epel-devel mailing list > epel-devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/epel-devel > ___ epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel
Re: [EPEL-devel] I need a copy of mod_security-2.5.12-2.el6.x86_64
On 6 November 2015 at 21:08, Volker Fröhlichwrote: > Am 06.11.2015 um 13:25 schrieb Harriman, Chad (SAA): >> >> I have the repo for EPEL synced on my satellite server and the upgrade >> to 2.7 broke. I need to downgrade but I do not have >> the mod_security-2.5.12-2.el6.x86_64 package. >> How do I obtain a copy to downgrade? >> Chad Harriman >> Principal Systems Engineer >> U.S. Senate Sergeant At Arms >> /chad_harri...@saa.senate.gov/ >> (w) 202-224-1592 >> (c) 202-213-6413 >> >> >> >> ___ >> epel-devel mailing list >> epel-devel@lists.fedoraproject.org >> https://admin.fedoraproject.org/mailman/listinfo/epel-devel >> > > By rebuilding the package from commit > c50316f2698149cea63cd08510321495c6ce1a29 in the el6 branch of the > mod_security git repo. > > I did that for you. I can understand if you don't trust me, but it takes me > a lot more time to explain it than to do it. > > If you like to, you can inspect the src.rpm file I built from that commit > and build it in mock yourself or do it on COPR. > > http://www.geofrogger.net/review/mod_security-debuginfo-2.5.12-2.el6.x86_64.rpm > http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.x86_64.rpm > http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.src.rpm > Do bear in mind the list of CVEs already provided before rolling this out however... ___ epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel