Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package owasp-modsecurity-crs for openSUSE:Factory checked in at 2023-09-01 14:21:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/owasp-modsecurity-crs (Old) and /work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "owasp-modsecurity-crs" Fri Sep 1 14:21:58 2023 rev:8 rq:1108448 version:3.3.5 Changes: -------- --- /work/SRC/openSUSE:Factory/owasp-modsecurity-crs/owasp-modsecurity-crs.changes 2020-12-23 14:22:06.109776775 +0100 +++ /work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.1766/owasp-modsecurity-crs.changes 2023-09-01 14:22:34.303429191 +0200 
@@ -1,0 +2,27 @@ +Fri Sep 1 09:33:41 UTC 2023 - Robert Frohl <rfrohl@suse.com> + +- use upstream archive for building the package, the base folder name in the + archive changed + +------------------------------------------------------------------- +Wed Aug 16 06:54:59 UTC 2023 - Alessandro de Oliveira Faria <cabelo@opensuse.org> + +- Version 3.3.5. + * This is the OWASP ModSecurity Core Rule Set version 3.3.5. + * Important changes: + - Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría) + * Fixes: + - Fix paranoia level-related scoring issue in rule 921422 (Walter Hop) + - Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus) + * Chore: + - Clean up redundant paranoia level tags (Ervin Hegedus) + - Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría) + - Move testing framework from ftw to go-ftw (Felipe Zipitría) + +------------------------------------------------------------------- +Fri May 19 06:19:43 UTC 2023 - Alessandro de Oliveira Faria <cabelo@opensuse.org> + +- Version 3.3.4. + * Important Notice: From CRS 3.2.2, 3.3.3 and up, ModSecurity 2.9.6 or 3.0.8 (or versions with backported patches) are required due to the addition of new protections. We recommend upgrading your ModSecurity as soon as possible. If your ModSecurity is too old, your webserver will refuse to start with an Unknown variable: &MULTIPART_PART_HEADERS error. If you are in trouble, you can temporarily delete file rules/REQUEST-922-MULTIPART-ATTACK.conf as a workaround and get your server up, however, you will be missing some protections. Therefore we recommend to upgrade ModSecurity before deploying this release. + +------------------------------------------------------------------- 
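Review bot: the 3.3.4 entry in this hunk records that ModSecurity 2.9.6 or 3.0.8 is required from CRS 3.3.3 onward and that an older engine refuses to start with "Unknown variable: &MULTIPART_PART_HEADERS", but nothing in the submission encodes that minimum; the only engine dependency in the spec is an unversioned "Requires: apache2-mod_security2" on the apache2 subpackage. Suggest "Requires: apache2-mod_security2 >= 2.9.6" so that installing these rules on an older mod_security2 is refused by the package manager instead of surfacing as an httpd start failure after the update. The 3.3.5 entry correctly names the backported CVE-2023-38199 fix (rule 920620), which is the line a reader scanning the changelog for security-relevant updates will look for; keep it as the first bullet under that version.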
@@ -50 +76,0 @@ - Old: ---- 2.2.9.tar.gz _service New: ---- owasp-modsecurity-crs-3.3.5.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ owasp-modsecurity-crs.spec ++++++ --- /var/tmp/diff_new_pack.VcVvN2/_old 2023-09-01 14:22:35.595475306 +0200 +++ /var/tmp/diff_new_pack.VcVvN2/_new 2023-09-01 14:22:35.603475592 +0200 @@ -1,8 +1,8 @@ # # spec file for package owasp-modsecurity-crs # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. -# Copyright (c) 2012 Thomas Worm <thomas.worm@datev.de> +# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2023 Alessandro de Oliveira Faria (A.K.A CABELO) <cabelo@opensuse.org> # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
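Review bot: the header rewrite in the spec hunk drops "Copyright (c) 2012 Thomas Worm <thomas.worm@datev.de>" and replaces the 2015 SUSE line, while the unchanged context two lines below states that modifications and additions contributed by third parties remain the property of their copyright owners. Unless the spec was rewritten from scratch (the %build and %install sections below are clearly edits of the old ones), keep the earlier copyright lines and add the 2023 SUSE LLC and Alessandro de Oliveira Faria lines beneath them rather than replacing them.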
@@ -13,89 +13,86 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # +%define apxs2 %{_bindir}/apxs +%define apache2 apache2 +%define apache2_mm %(MMN=$(%{apxs2} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) +%define apache2_libexecdir %(%{apxs2} -q LIBEXECDIR) +%define apache2_sysconfdir %(%{apxs2} -q SYSCONFDIR) +%define apache2_includedir %(%{apxs2} -q INCLUDEDIR) +%define apache2_serverroot %(%{apxs2} -q PREFIX) +%define apache2_localstatedir %(%{apxs2} -q LOCALSTATEDIR) Name: owasp-modsecurity-crs - -BuildRequires: apache-rpm-macros +Version: 3.3.5 +Release: 0 +Summary: OWASP ModSecurity Common Rule Set (CRS) +License: Apache-2.0 +Group: Productivity/Networking/Security +URL: https://coreruleset.org +Source0: https://github.com/coreruleset/coreruleset/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.xz +Source99: README.SUSE +Source100: %{name}-rpmlintrc BuildRequires: apache2-devel BuildRequires: gcc-c++ BuildRequires: rpm-devel BuildRequires: zlib-devel - -Version: 2.2.9 -Release: 0 Provides: %{name} = %{version} -Source0: https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/%{version}.tar.gz -Source99: README.SUSE -Source100: %{name}-rpmlintrc -Url: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Pro... BuildArch: noarch -BuildRoot: %{_tmppath}/%{name}-%{version}-build -Summary: OWASP ModSecurity Common Rule Set (CRS) -License: Apache-2.0 -Group: Productivity/Networking/Security -Requires: apache2-mod_security2 - -%define rule_sets base_rules experimental_rules optional_rules slr_rules %description -ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. 
In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is providing a free certified rule set for ModSecurity™ 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity™. +The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity +or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, +including the OWASP Top Ten, with a minimum of false alerts. -Core Rules Content - -In order to provide generic web applications protection, the Core Rules use the following techniques: - -HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy. -Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation -Web-based Malware Detection - identifies malicious web content by check against the Google Safe Browsing API. -HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks. -Common Web Attacks Protection - detecting common web application security attack. -Automation Detection - Detecting bots, crawlers, scanners and other surface malicious activity. -Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application. -Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages. -Trojan Protection - Detecting access to Trojans horses. -Identification of Application Defects - alerts on application misconfigurations. -Error Detection and Hiding - Disguising error messages sent by the server. 
+%package apache2 +Summary: OWASP ModSecurity Common Rule Set (CRS) +Group: Productivity/Networking/Security +Requires: %{name} = %{version} +Requires: apache2-mod_security2 +%description apache2 +The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity +or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, +including the OWASP Top Ten, with a minimum of false alerts. +Includes Apache httpd 2.x rules %prep -%setup -q -n %{name}-%{version} -sed -i -e '/^#!/c#!/usr/bin/lua' lua/*.lua -sed -i -e '/^#!/c#!/usr/bin/perl' util/*/*.pl util/*/*.cgi -%{__cp} %{S:99} . +%setup -q -n coreruleset-%{version} +sed -i -e '/^#!/c#!%{_bindir}/perl' util/*/*.pl +cp %{SOURCE99} . %build # Build configuration files mkdir -p .%{_sysconfdir}/%{name}/rules.d -for rule_set in %{rule_sets} +mkdir -p .%{_sysconfdir}/%{name}/rules + +for rule in rules/*.conf do - mkdir -p .%{_sysconfdir}/%{name}/$rule_set - for rule in `find $rule_set -name *.conf -printf "%f\\n"|sort` - do - echo "Include \"%{_datadir}/%{name}/$rule_set/$rule\"" > .%{_sysconfdir}/%{name}/$rule_set/$rule - echo "Include \"%{_sysconfdir}/%{name}/$rule_set/$rule\"" >> .%{_sysconfdir}/%{name}/$rule_set.conf - done - ln -s ../$rule_set.conf .%{_sysconfdir}/%{name}/rules.d/$rule_set.conf + RULE=$(basename ${rule}) + echo "Include \"%{_datadir}/%{name}/rules/$RULE\"" > .%{_sysconfdir}/%{name}/rules/$RULE + echo "Include \"%{_sysconfdir}/%{name}/rules/$RULE\"" >> .%{_sysconfdir}/%{name}/rules.conf done -echo "Include \"%{_datadir}/%{name}/modsecurity_crs_10_setup.conf.example\"" > .%{_sysconfdir}/%{name}/modsecurity_crs_10_setup.conf +ln -s ../rules.conf .%{_sysconfdir}/%{name}/rules.d/rules.conf + +echo "Include \"%{_datadir}/%{name}/crs-setup.conf.example\"" > .%{_sysconfdir}/%{name}/crs-setup.conf # Create Apache2 include -mkdir -p .%{apache_sysconfdir}/conf.d -echo "<IfModule mod_security2.c>" > 
.%{apache_sysconfdir}/conf.d/%{name}.conf -echo -e "\tInclude \"%{_sysconfdir}/%{name}/modsecurity_crs_10_setup.conf\"" >> .%{apache_sysconfdir}/conf.d/%{name}.conf -echo -e "\tInclude \"%{_sysconfdir}/%{name}/rules.d/*\"" >> .%{apache_sysconfdir}/conf.d/%{name}.conf -echo "</IfModule>" >> .%{apache_sysconfdir}/conf.d/%{name}.conf +mkdir -p .%{apache2_sysconfdir}/conf.d +echo "<IfModule mod_security2.c>" > .%{apache2_sysconfdir}/conf.d/%{name}.conf +echo -e "\tInclude \"%{_sysconfdir}/%{name}/crs-setup.conf\"" >> .%{apache2_sysconfdir}/conf.d/%{name}.conf +echo -e "\tInclude \"%{_sysconfdir}/%{name}/rules.d/*\"" >> .%{apache2_sysconfdir}/conf.d/%{name}.conf +echo "</IfModule>" >> .%{apache2_sysconfdir}/conf.d/%{name}.conf %install # CRS data mkdir -p %{buildroot}%{_datadir}/%{name} -cp -dr {lua,util,*.conf*} %{buildroot}%{_datadir}/%{name}/ +cp -dr {util,*.conf*} %{buildroot}%{_datadir}/%{name}/ for rule_set in %{rule_sets} do -cp -r $rule_set %{buildroot}%{_datadir}/%{name}/ +cp -r rules %{buildroot}%{_datadir}/%{name}/ done # Configuration files mkdir -p %{buildroot}/%{_sysconfdir} 
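Review bot: the "%define rule_sets base_rules experimental_rules optional_rules slr_rules" line is removed in this hunk, but the %install loop "for rule_set in %{rule_sets}" with the new body "cp -r rules %{buildroot}%{_datadir}/%{name}/" is left in place. rpm leaves an undefined macro in the script verbatim, so the loop iterates once over the literal string %{rule_sets} and copies rules correctly by accident; replace the loop with the single cp line. Further points in the same hunk: (1) the per-rule stubs are loaded with "Include", both in rules.conf and in the generated Apache conf.d snippet ("Include .../rules.d/*"), so an admin who disables a rule by deleting its stub from /etc/owasp-modsecurity-crs/rules/ gets an httpd that refuses to start; use IncludeOptional for those two includes so that removing a stub simply disables the rule. (2) Only %{apache2_sysconfdir} of the six new apxs-derived %defines is used; apache2_mm, apache2_libexecdir, apache2_includedir, apache2_serverroot and apache2_localstatedir are dead code, and the old spec got the same value from "BuildRequires: apache-rpm-macros" as %{apache_sysconfdir} without hand-rolled %(...) shell expansion, which breaks spec parsing on any machine where apxs is absent. (3) Source0 fetches archive/v%{version}.tar.gz but stores it as %{name}-%{version}.tar.xz; the content is gzip, so the suffix is misleading, and the packaged file name in the "New:" listing inherits the mismatch. Name it .tar.gz. (4) "BuildRequires: gcc-c++", rpm-devel and zlib-devel survive from the old spec although the package is BuildArch: noarch and %build only runs mkdir and echo; drop them. (5) "Requires: apache2-mod_security2" carries no version bound although the changelog states 2.9.6/3.0.8 is required; add ">= 2.9.6". (6) "Provides: %{name} = %{version}" is redundant, rpm generates it.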
@@ -103,73 +100,30 @@ %files %defattr(644,root,root,755) -%doc CHANGES -%doc LICENSE -%doc README.md -%doc README.SUSE +%doc CHANGES.md README.md README.SUSE +%license LICENSE %dir %{_datadir}/%{name} -%{_datadir}/%{name}/lua %{_datadir}/%{name}/util +%attr(0754, root, root) %{_datadir}/%{name}/util/av-scanning/runav.pl +%attr(0754, root, root) %{_datadir}/%{name}/util/crs2-renumbering/update.py +%attr(0754, root, root) %{_datadir}/%{name}/util/join-multiline-rules/join.py +%attr(0754, root, root) %{_datadir}/%{name}/util/regexp-assemble/regexp-assemble-v2.pl +%attr(0754, root, root) %{_datadir}/%{name}/util/regexp-assemble/regexp-assemble.pl +%attr(0754, root, root) %{_datadir}/%{name}/util/regexp-assemble/regexp-cmdline.py +%attr(0754, root, root) %{_datadir}/%{name}/util/send-payload-pls.sh +%attr(0754, root, root) %{_datadir}/%{name}/util/verify.rb +%attr(0754, root, root) %{_datadir}/%{name}/util/virtual-patching/arachni2modsec.pl +%attr(0754, root, root) %{_datadir}/%{name}/util/virtual-patching/zap2modsec.pl %{_datadir}/%{name}/*.conf* -%config(noreplace) %{apache_sysconfdir}/conf.d/%{name}.conf +%{_datadir}/%{name}/rules + +%files apache2 +%config(noreplace) %{apache2_sysconfdir}/conf.d/%{name}.conf %dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}/rules.d -%config(noreplace) %{_sysconfdir}/%{name}/modsecurity_crs_10_setup.conf - -%package base_rules -Summary: Base rules for OWASP ModSecurity CRS -Group: Productivity/Networking/Security -Requires: %{name} = %{version} - -%description base_rules -Base rules for HTTP Protocol Validation, Common Web Attacks Protection, Trojan Protection, InfoLeakages, ... 
- -%files base_rules -%defattr(644,root,root,755) -%{_datadir}/%{name}/base_rules -%config(noreplace) %{_sysconfdir}/%{name}/base_rules* -%config(noreplace) %{_sysconfdir}/%{name}/rules.d/base_rules.conf - -%package optional_rules -Summary: Optional rules for OWASP ModSecurity CRS -Group: Productivity/Networking/Security -Requires: %{name} = %{version} - -%description optional_rules -Optional rules for HTTP Protocol Validation, Common Web Attacks Protection, Request Header Tagging, ... - -%files optional_rules -%defattr(644,root,root,755) -%{_datadir}/%{name}/optional_rules -%config(noreplace) %{_sysconfdir}/%{name}/optional_rules* -%config(noreplace) %{_sysconfdir}/%{name}/rules.d/optional_rules.conf - -%package experimental_rules -Summary: Experimental rules for OWASP ModSecurity CRS -Group: Productivity/Networking/Security -Requires: %{name} = %{version} - -%description experimental_rules -Experimental rules for OWASP ModSecurity CRS - -%files experimental_rules -%defattr(644,root,root,755) -%{_datadir}/%{name}/experimental_rules -%config(noreplace) %{_sysconfdir}/%{name}/experimental_rules* -%config(noreplace) %{_sysconfdir}/%{name}/rules.d/experimental_rules.conf - -%package slr_rules -Summary: SpiderLabs Research (SLR) rules for OWASP ModSecurity CRS -Group: Productivity/Networking/Security -Requires: %{name} = %{version} - -%description slr_rules -SpiderLabs Research rules for ModSecurity CRS - -%files slr_rules -%defattr(644,root,root,755) -%{_datadir}/%{name}/slr_rules -%config(noreplace) %{_sysconfdir}/%{name}/slr_rules* -%config(noreplace) %{_sysconfdir}/%{name}/rules.d/slr_rules.conf +%config(noreplace) %{_sysconfdir}/%{name}/crs-setup.conf +%config(noreplace) %{_sysconfdir}/%{name}/rules +%config(noreplace) %{_sysconfdir}/%{name}/rules.conf +%config(noreplace) %{_sysconfdir}/%{name}/rules.d/rules.conf %changelog ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.VcVvN2/_old 2023-09-01 14:22:35.631476591 +0200 +++ /var/tmp/diff_new_pack.VcVvN2/_new 
2023-09-01 14:22:35.635476734 +0200 @@ -11,4 +11,5 @@ Rules can be (de)activated by adding or removing the symlink in activation directory /etc/owasp-modsecurity-crs/rules.d. +Contact: Alessandro de Oliveira Faria (cabelo@opensuse.org or alessandro.faria@owasp.org) ++++++ owasp-modsecurity-crs-rpmlintrc ++++++ --- /var/tmp/diff_new_pack.VcVvN2/_old 2023-09-01 14:22:35.655477447 +0200 +++ /var/tmp/diff_new_pack.VcVvN2/_new 2023-09-01 14:22:35.659477591 +0200 @@ -1,2 +1,2 @@ -addFilter("/usr/share/owasp-modsecurity-crs/util/runAV/* devel-file-in-non-devel-package") +addFilter("/usr/share/owasp-modsecurity-crs/util/runAV/* devel-file-in-non-devel-package")
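Review bot: in the %files hunk, the ten "%attr(0754, root, root) %{_datadir}/%{name}/util/..." entries list files that the preceding "%{_datadir}/%{name}/util" line already packages recursively, so rpmbuild warns "File listed twice" for each of them. Set the modes once in %install (a chmod 0754 on those paths, or a find loop over util) and keep the single util entry. Related: %prep only rewrites the shebang of util/*/*.pl, yet .py, .rb and .sh scripts are made executable here too; verify their interpreter lines resolve, since rpmlint flags /usr/bin/env interpreters and missing ones. On the apache2 side, "%config(noreplace) %{_sysconfdir}/%{name}/rules" marks the whole directory of generated one-line Include stubs as config, which is consistent with using them as the per-rule activation mechanism, but note the consequence: a stub the admin edited is left behind as .rpmsave when upstream renames the rule file, so the README should tell admins to edit or remove stubs rather than rely on upgrades cleaning up. "%files apache2" also has no %defattr line while "%files" keeps one; harmless on current rpm, but be consistent.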
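Review bot: the unchanged context line of the README.SUSE hunk still says rules are (de)activated via symlinks in /etc/owasp-modsecurity-crs/rules.d, but with the new %build that directory holds exactly one symlink, rules.d/rules.conf -> ../rules.conf, which includes every rule file; per-rule activation now goes through the generated stubs in /etc/owasp-modsecurity-crs/rules/, each a one-line Include of the matching file under /usr/share/owasp-modsecurity-crs/rules/. Update that sentence to describe the stub directory, and mention /etc/owasp-modsecurity-crs/crs-setup.conf as the site-specific setup file, since the generated Apache snippet loads it before the rules. The added Contact line is fine.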
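Review bot: the removed and added addFilter(...) lines in the rpmlintrc hunk appear identical, so the change is whitespace or a trailing newline, and the path the filter matches, /usr/share/owasp-modsecurity-crs/util/runAV/*, no longer exists in this package: the %files list ships the AV helper as util/av-scanning/runav.pl. Either retarget the filter to /usr/share/owasp-modsecurity-crs/util/av-scanning/* if rpmlint still reports devel-file-in-non-devel-package for it, or drop the file; as submitted it is dead configuration.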