Hello community,
here is the log from the commit of package apache2-mod_security2.2940 for openSUSE:12.3:Update checked in at 2014-08-20 18:30:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/apache2-mod_security2.2940 (Old)
and /work/SRC/openSUSE:12.3:Update/.apache2-mod_security2.2940.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_security2.2940"
Changes:
--------
New Changes file:
--- /dev/null 2014-07-24 01:57:42.080040256 +0200
+++ /work/SRC/openSUSE:12.3:Update/.apache2-mod_security2.2940.new/apache2-mod_security2.changes 2014-08-20 18:30:26.000000000 +0200
@@ -0,0 +1,174 @@
+-------------------------------------------------------------------
+Wed Aug 6 15:16:21 CEST 2014 - draht@suse.de
+
+- correction to last patch: use function m_strcasestr() as substitute
+ for strstr(). [bnc#871309] CVE-2013-5705
+
+-------------------------------------------------------------------
+Thu Jul 31 14:29:07 CEST 2014 - draht@suse.de
+
+- apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
+ Fix for a flaw with which restrictions imposed by mod_security2
+ could be bypassed with chunked requests.
+ [bnc#871309] CVE-2013-5705
+
+-------------------------------------------------------------------
+Wed Jul 31 17:33:48 CEST 2013 - draht@suse.de
+
+- complete overhaul of this package, with update to 2.7.5.
+- ruleset update to 2.2.8-0-g0f07cbb.
+- new configuration framework private to mod_security2:
+ /etc/apache2/conf.d/mod_security2.conf loads
+ /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
+ then /etc/apache2/mod_security2.d/*.conf , as set up based on
+ advice in /etc/apache2/conf.d/mod_security2.conf
+ Your configuration starting point is
+ /etc/apache2/conf.d/mod_security2.conf
+- !!! Please note that mod_unique_id is needed for mod_security2 to run!
+- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
+ linker parameter, preventing rpath in shared object.
+- fixes contained for the following bugs:
+ * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
+ * [bnc#768293] multi-part bypass, minor threat
+ * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
+ * CVE-2012-4528 [bnc#789393] rule bypass
+ * CVE-2013-2765 [bnc#822664] null pointer dereference crash
+- new from 2.5.9 to 2.7.5, only major changes:
+ * GPLv2 replaced by Apache License v2
+ * rules are not part of the source tarball any longer, but
+ maintaned upstream externally, and included in this package.
+ * documentation was externalized to a wiki. Package contains
+ the FAQ and the reference manual in html form.
+ * renamed the term "Encryption" in directives that actually refer
+ to hashes. See CHANGES file for more details.
+ * new directive SecXmlExternalEntity, default off
+ * byte conversion issues on s390x when logging fixed.
+ * many small issues fixed that were discovered by a Coverity scanner
+ * updated reference manual
+ * wrong time calculation when logging for some timezones fixed.
+ * replaced time-measuring mechanism with finer granularity for
+ measured request/answer phases. (Stopwatch remains for compat.)
+ * cookie parser memory leak fix
+ * parsing of quoted strings in multipart Content-Disposition
+ headers fixed.
+ * SDBM deadlock fix
+ * @rsub memory leak fix
+ * cookie separator code improvements
+ * build failure fixes
+ * compile time option --enable-htaccess-config (set)
+
+-------------------------------------------------------------------
+Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com
+
+- license update: Apache-2.0 and GPL-2.0
+ Many of the files in the rules/ subdirectory are GPL-2.0 licensed
+
+-------------------------------------------------------------------
+Mon Aug 6 20:59:45 UTC 2012 - crrodriguez@opensuse.org
+
+- Update to version 2.6.7, fixes build in apache 2.4
+- Update spec file macros.
+
+-------------------------------------------------------------------
+Sat Sep 17 11:20:39 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+- Use %_smp_mflags for parallel build
+
+-------------------------------------------------------------------
+Wed Jul 6 04:33:49 CEST 2011 - draht@suse.de
+
+- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
+ - SecUnicodeCodePage and SecUnicodeMapFile directives added
+ - fixed bug: SecRequestBodyLimit was truncating the real request
+ body
+ additional fixes from 2.6.0:
+ - buffering filter problems fixed
+ - memory leak fix when using MATCHED_VAR_NAMES
+ - SecWriteStateLimit added against slow DoS
+ additional fixes from 2.6.0 release candidates:
+ - optimizations
+ - bug in logging code fixed
+ - cleanup
+ - google safe browsing support
+
+-------------------------------------------------------------------
+Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de
+
+- update to version 2.5.9
+ - Fixed parsing multipart content with a missing part header name
+ which would crash Apache. Discovered by "Internet Security
+ Auditors" (isecauditors.com).
+ - Added ability to specify the config script directly using
+ --with-apr and --with-apu.
+ - Added macro expansion for append/prepend action.
+ - Fixed race condition in concurrent updates of persistent
+ counters. Updates are now atomic.
+ - Cleaned up build, adding an option for verbose configure output
+ and making the mlogc build more portable.
+- additional changes from 2.5.8
+ - Fixed PDF XSS issue where a non-GET request for a PDF file
+ would crash the Apache httpd process. Discovered by Steve
+ Grubb at Red Hat.
+ - Removed an invalid "Internal error: Issuing "%s" for
+ unspecified error." message that was logged when denying with
+ nolog/noauditlog set and causing the request to be audited.
+- additional changes from 2.5.7
+ - Fixed XML DTD/Schema validation which will now fail after
+ request body processing errors, even if the XML parser returns
+ a document tree.
+ - Added ctl:forceRequestBodyVariable=on|off which, when enabled,
+ will force the REQUEST_BODY variable to be set when a request
+ body processor is not set. Previously the REQUEST_BODY target
+ was only populated by the URLENCODED request body processor.
+ - Integrated mlogc source.
+ - Fixed logging the hostname in the error_log which was logging
+ the request hostname instead of the Apache resolved hostname.
+ - Allow for disabling request body limit checks in phase:1.
+ - Added transformations for processing parity for legacy
+ protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
+ t:parityZero7bit
+ - Added t:cssDecode transformation to decode CSS escapes.
+ - Now log XML parsing/validation warnings and errors to be in the
+ debug log at levels 3 and 4, respectivly.
+- build and package mlogc
+- remove --with-apxs from the configure args as it breaks the build
+ configure now finds our apxs2
+
+-------------------------------------------------------------------
+Fri Jan 23 16:56:55 CET 2009 - skh@suse.de
+
+- fix broken config [bnc#457200]
+
+-------------------------------------------------------------------
+Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de
+
+- update to version 2.5.6
+- initial submit to FACTORY
+
+-------------------------------------------------------------------
+Mon May 12 05:25:07 CEST 2008 - jg@internetx.de
+
+-update to 2.1.7
+
+-------------------------------------------------------------------
+Thu Feb 3 05:44:12 CEST 2008 - jg@internetx.de
+
+-update to 2.1.6
+
+-------------------------------------------------------------------
+Wed Aug 8 05:36:42 CEST 2007 - mrueckert@suse.de
+
+- update to 2.1.2
+
+-------------------------------------------------------------------
+Mon Apr 16 10:34:05 CEST 2007 - mrueckert@suse.de
+
+- update to 2.1.1
+- switched to perl based patching instead of cmdline params for make
+
+-------------------------------------------------------------------
+Fri Sep 22 08:31:51 CEST 2006 - poeml@suse.de
+
+- fix build (./install was vanished)
+
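Review bot: The 2013-07-31 entry records a ruleset update to 2.2.8-0-g0f07cbb (matching the Source1 tarball name), but the comment block in the shipped mod_security2.conf still describes the bundled OWASP Core Rule Set as version 2.2.7; the config comment should be brought in line with the changelog. Spelling in the same hunk: "erroneaous" (erroneous), "maintaned" (maintained), "respectivly" (respectively).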
New:
----
ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
README-SUSE-mod_security2.txt
Reference-Manual.html.bz2
SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
apache2-mod_security2.changes
apache2-mod_security2.spec
mod_security2.conf
modsecurity-apache_2.7.5-build_fix_pcre.diff
modsecurity-apache_2.7.5.tar.gz
modsecurity_diagram_apache_request_cycle.jpg
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_security2.spec ++++++
#
# spec file for package apache2-mod_security2
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: apache2-mod_security2
Version: 2.7.5
Release: 0
%define aversion 2.7.5
#
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: apache2-devel
BuildRequires: apache2-prefork
BuildRequires: c++_compiler
BuildRequires: curl-devel
BuildRequires: libxml2-devel
BuildRequires: pcre-devel
%define apache apache2
%define modname mod_security2
%define tarballname modsecurity-apache_%{aversion}
%define refman Reference-Manual.html
%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html
%define usrsharedir %{_prefix}/share/%{name}
%{!?apxs: %global apxs /usr/sbin/apxs2}
%{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)}
%{!?apache_sysconfdir: %global apache_sysconfdir %(%{apxs} -q SYSCONFDIR)}
%{!?apache_includedir: %global apache_includedir %(%{apxs} -q INCLUDEDIR)}
%{!?apache_serverroot: %global apache_serverroot %(%{apxs} -q PREFIX)}
%{!?apache_localstatedir: %global apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)}
%{!?apache_mmn: %global apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)}
Requires: %{apache_mmn}
Requires: apache2
#
Url: http://www.modsecurity.org/
Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz
Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLa...
Source2: mod_security2.conf
Source3: %{refman}.bz2
Source4: %{faq}.bz2
Source5: modsecurity_diagram_apache_request_cycle.jpg
Source6: README-SUSE-mod_security2.txt
#
Patch0: modsecurity-apache_2.7.5-build_fix_pcre.diff
Patch1: apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
Summary: ModSecurity Open Source Web Application Firewall
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
%description
ModSecurity(TM) is an open source intrusion detection and prevention
engine for web applications (a web application firewall). Operating
as an Apache web server module or standalone, ModSecurity increases
web application security by protecting web applications from known
and unknown attacks.
The ModSecurity team also offers a commercial version of their excellent
ruleset. Please have a look at http://www.modsecurity.org/ for more details.
%prep
%setup -n %{tarballname}
#tar -xvjpf %{S:2}
%setup -D -T -a 1 -n %{tarballname}
mv -v SpiderLabs* rules
bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman}
bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq}
%patch0
%patch1
#%patch2
%build
%configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
make %{?_smp_mflags}
%install
pushd %{apache}
install -d -m 0755 %{buildroot}%{apache_libexecdir}
install -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
popd
install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
cp -a %{SOURCE6} doc
install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc
install -m 0644 %{SOURCE5} doc
install -d -m 0755 %{buildroot}/%{usrsharedir}
install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
install -d -m 0755 %{buildroot}/%{usrsharedir}
rm -f rules/.gitignore rules/LICENSE
cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools
find rules -type f -print0 | \
xargs -0 chmod 644
cp -a rules %{buildroot}/%{usrsharedir}
rm -rf %{buildroot}/%{usrsharedir}/rules/util
rm -rf %{buildroot}/%{usrsharedir}/rules/lua
rm -f %{buildroot}/%{usrsharedir}/rules/READM*
rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG
mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
%{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf
%clean
%{__rm} -rf %{buildroot};
%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman}
%files
%defattr(-, root, root, 0755)
%{apache_libexecdir}/%{modname}.so
%config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
%dir %{apache_sysconfdir}/mod_security2.d
%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
%dir %{usrsharedir}
#%dir %{usrsharedir}/tools
#%dir %{usrsharedir}/rules
%doc README.TXT CHANGES LICENSE NOTICE authors.txt
%{usrsharedir}
#%{usrsharedir}/rules/activated_rules
#%{usrsharedir}/rules/base_rules
#%{usrsharedir}/rules/experimental_rules
#%{usrsharedir}/rules/optional_rules
#%{usrsharedir}/rules/slr_rules
%doc doc/*
#rules/util/regression_tests
%changelog
++++++ README-SUSE-mod_security2.txt ++++++
#
# Dear Administrator,
#
# mod_security2 is not activated by default upon installation of the
# apache module.
#
# Your starting point for the configuration of mod_security2 is
# /etc/apache2/conf.d/mod_security2.conf .
# Please see that file for comments on how to activate the module
# and on how to assign rules.
#
++++++ apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff ++++++
diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/modsecurity.c ./apache2/modsecurity.c
--- ../modsecurity-apache_2.7.5-o/apache2/modsecurity.c 2013-07-28 05:58:49.000000000 +0200
+++ ./apache2/modsecurity.c 2014-07-31 15:32:26.000000000 +0200
@@ -270,61 +270,61 @@
return APR_SUCCESS;
}
/**
*
*/
apr_status_t modsecurity_tx_init(modsec_rec *msr) {
const char *s = NULL;
const apr_array_header_t *arr;
char *semicolon = NULL;
char *comma = NULL;
apr_table_entry_t *te;
int i;
/* Register TX cleanup */
apr_pool_cleanup_register(msr->mp, msr, modsecurity_tx_cleanup, apr_pool_cleanup_null);
/* Initialise C-L */
msr->request_content_length = -1;
s = apr_table_get(msr->request_headers, "Content-Length");
if (s != NULL) {
msr->request_content_length = strtol(s, NULL, 10);
}
/* Figure out whether this request has a body */
msr->reqbody_chunked = 0;
msr->reqbody_should_exist = 0;
if (msr->request_content_length == -1) {
/* There's no C-L, but is chunked encoding used? */
char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
- if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
+ if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
msr->reqbody_should_exist = 1;
msr->reqbody_chunked = 1;
}
} else {
/* C-L found */
msr->reqbody_should_exist = 1;
}
/* Initialise C-T */
msr->request_content_type = NULL;
s = apr_table_get(msr->request_headers, "Content-Type");
if (s != NULL) msr->request_content_type = s;
/* Decide what to do with the request body. */
if ((msr->request_content_type != NULL)
&& (strncasecmp(msr->request_content_type, "application/x-www-form-urlencoded", 33) == 0))
{
/* Always place POST requests with
* "application/x-www-form-urlencoded" payloads in memory.
*/
msr->msc_reqbody_storage = MSC_REQBODY_MEMORY;
msr->msc_reqbody_spilltodisk = 0;
msr->msc_reqbody_processor = "URLENCODED";
} else {
/* If the C-L is known and there's more data than
* our limit go to disk straight away.
*/
if ((msr->request_content_length != -1)
&& (msr->request_content_length > msr->txcfg->reqbody_inmemory_limit))
{
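Review bot: The replacement of strstr() with m_strcasestr() in the Transfer-Encoding check is the right fix, since the chunked token is case-insensitive in HTTP and the previous exact-case match could leave reqbody_chunked unset for a differently cased value, but the hunk shows no declaration for m_strcasestr(); confirm that modsecurity.c includes the header declaring that helper, otherwise the build depends on an implicit declaration. Unchanged context worth a follow-up: the Content-Length branch uses strtol(s, NULL, 10) with no range or error check, so a non-numeric or negative header value is accepted silently rather than rejected.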
++++++ mod_security2.conf ++++++
# Dear administrator/webmaster,
#
# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
# the configuration of mod_security2.
# Please read this text down to line 63 for information about activation
# and configuration of the mod_security2 apache module.
#
# To activate mod_security2, its apache module must be configured to be
# loaded when apache starts. The mod_security2 apache module depends on
# the module mod_unique_id to be able to run. This means that both apache
# modules must be activated/loaded when apache starts.
# Change the configuration to load these two modules by adding the two
# module names "security2" and "unique_id" to the variable APACHE_MODULES
# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
# a2enmod (enable apache module) and a2dismod (disable apache module).
# These two tools expect the name of the module without the leading
# "mod_" as an argument!
#
# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
# start script /etc/init.d/apache2 . Changes in APACHE_MODULES are then
# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
# script.
#
# example for the use of a2enmod/a2dismod:
#
# a2enmod security2 # enable module security2
# a2enmod unique_id # enable module unique_id
#
# a2dismod security2 # disable module security2
# a2dismod unique_id # disable module unique_id
#
# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
# configuration settings, then loads
# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
# which is the baseline for the rules that can be loaded later.
#
# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
# For the rules you wish to apply, place a symlink to the rules file there.
#
# About the rules: the OWASP ModSecurity Core Rule Set version 2.2.7
# is contained in this package, a splendid set of rules made to provide
# decent basic and even advanced protection. The rules files are contained
# in the directory /usr/share/apache2-mod_security2/rules/.
#
# Example (use all of the basic rules that come with the package):
#
# cd /etc/apache2/mod_security2.d
# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
# ln -s $i .
# done
#
# At last, simply restart apache:
# rcapache2 restart
#
# If in doubt, please consult the valuable online documentation on the project's
# website, which is the authoritative source for documentation.
# For offline reading, the web pages for the Reference Guide and the FAQ, as of
# 2013/01, are located in the package's documentation directory:
# /usr/share/doc/packages/apache2-mod_security2
#
# Roman Drahtmueller