rpms/mod_security/FC-6 .cvsignore, 1.6, 1.7 mod_security.conf, 1.4, 1.5 mod_security.spec, 1.15, 1.16 sources, 1.7, 1.8
Michael G. Fleming (mfleming)
fedora-extras-commits at redhat.com
Mon Apr 2 10:34:21 UTC 2007
- Previous message: rpms/python-metar/FC-6 metar-1.3.0-nobang.patch, NONE, 1.1 python-metar.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message: rpms/mod_security/FC-5 mod_security.conf, 1.3, 1.4 mod_security.spec, 1.15, 1.16
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: mfleming
Update of /cvs/extras/rpms/mod_security/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25490
Modified Files:
.cvsignore mod_security.conf mod_security.spec sources
Log Message:
* Mon Apr 2 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-3
- Sync with devel
- Fix CVE-2007-1359 (bz #231728)
- Automagically configure correct library path for libxml2 library.
- Add LoadModule for mod_unique_id as the logging wants this at runtime
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/mod_security/FC-6/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore 15 May 2006 12:31:04 -0000 1.6
+++ .cvsignore 2 Apr 2007 10:33:48 -0000 1.7
@@ -1 +1,3 @@
-modsecurity-apache_1.9.4.tar.gz
+modsecurity-apache_2.1.0.tar.gz
+mod_security.conf
+modsecurity_localrules.conf
Index: mod_security.conf
===================================================================
RCS file: /cvs/extras/rpms/mod_security/FC-6/mod_security.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- mod_security.conf 3 Sep 2006 06:41:10 -0000 1.4
+++ mod_security.conf 2 Apr 2007 10:33:48 -0000 1.5
@@ -1,107 +1,41 @@
# Example configuration file for the mod_security Apache module
-LoadModule security_module modules/mod_security.so
+LoadFile LIBDIR/libxml2.so.2
-<IfModule mod_security.c>
+LoadModule security2_module modules/mod_security2.so
+LoadModule unique_id_module modules/mod_unique_id.so
- # Turn the filtering engine On or Off
- SecFilterEngine On
+<IfModule mod_security2.c>
+ # This is the ModSecurity Core Rules Set.
+
+ # Basic configuration goes in here
+ Include modsecurity.d/modsecurity_crs_10_config.conf
+
+ # Protocol violation and anomalies.
+ # These are disabled as there's a bug in REQUEST_FILENAME handling
+ # causing the "+" character to be incorrectly handled.
+
+ # Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
+ # Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
+
+ # HTTP policy rules
+
+ Include modsecurity.d/modsecurity_crs_30_http_policy.conf
+
+ # Here comes the Bad Stuff...
+
+ Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
+ Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
+ Include modsecurity.d/modsecurity_crs_45_trojans.conf
+ Include modsecurity.d/modsecurity_crs_50_outbound.conf
+
+ # Search engines and other crawlers. Only useful if you want to track
+ # Google / Yahoo et. al.
+
+ # Include modsecurity.d/modsecurity_crs_55_marketing.conf
+
+ # Put your local rules in here.
+ # The existing example is for the CVE-2007-1359 vulnerability
- # The audit engine works independently and
- # can be turned On of Off on the per-server or
- # on the per-directory basis
- SecAuditEngine RelevantOnly
-
- # Make sure that URL encoding is valid
- SecFilterCheckURLEncoding On
-
- # Unicode encoding check
- SecFilterCheckUnicodeEncoding On
-
- # Only allow bytes from this range
- SecFilterForceByteRange 1 255
-
- # Cookie format checks.
- SecFilterCheckCookieFormat On
-
- # The name of the audit log file
- SecAuditLog logs/audit_log
-
- # Should mod_security inspect POST payloads
- SecFilterScanPOST On
-
- # Default action set
- SecFilterDefaultAction "deny,log,status:406"
-
- # Simple example filter
- # SecFilter 111
-
- # Prevent path traversal (..) attacks
- # SecFilter "\.\./"
-
- # Weaker XSS protection but allows common HTML tags
- # SecFilter "<( |\n)*script"
-
- # Prevent XSS atacks (HTML/Javascript injection)
- # SecFilter "<(.|\n)+>"
-
- # Very crude filters to prevent SQL injection attacks
- # SecFilter "delete[[:space:]]+from"
- # SecFilter "insert[[:space:]]+into"
- # SecFilter "select.+from"
-
- # Require HTTP_USER_AGENT and HTTP_HOST headers
- SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
-
- # Only accept request encodings we know how to handle
- # we exclude GET requests from this because some (automated)
- # clients supply "text/html" as Content-Type
- SecFilterSelective REQUEST_METHOD "!^GET$" chain
- SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded|^multipart/form-data)"
-
- # Require Content-Length to be provided with
- # every POST request
- SecFilterSelective REQUEST_METHOD "^POST$" chain
- SecFilterSelective HTTP_Content-Length "^$"
-
- # Don't accept transfer encodings we know we don't handle
- # (and you don't need it anyway)
- SecFilterSelective HTTP_Transfer-Encoding "!^$"
-
- # Some common application-related rules from
- # http://modsecrules.monkeydev.org/rules.php?safety=safe
-
- #Nuke Bookmarks XSS
- SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
- #Nuke Bookmarks Marks.php SQL Injection Vulnerability
- SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
-
- #PHPNuke general XSS attempt
- #/modules.php?name=News&file=article&sid=1&optionbox=
- SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
-
- # PHPNuke SQL injection attempt
- SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
-
- #phpnuke sql insertion
- SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
- # WEB-PHP phpbb quick-reply.php arbitrary command attempt
-
- SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
- SecFilter "phpbb_root_path="
-
- #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
- SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
- # phpMyAdmin: Safe
-
- #phpMyAdmin Export.PHP File Disclosure Vulnerability
- SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
- SecFilterSelective ARG_what "\.\."
-
- #phpMyAdmin path vln
- SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
-
+ Include modsecurity.d/modsecurity_localrules.conf
</IfModule>
Index: mod_security.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_security/FC-6/mod_security.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- mod_security.spec 3 Sep 2006 06:41:10 -0000 1.15
+++ mod_security.spec 2 Apr 2007 10:33:48 -0000 1.16
@@ -1,15 +1,16 @@
Summary: Security module for the Apache HTTP Server
Name: mod_security
-Version: 1.9.4
-Release: 2%{?dist}
+Version: 2.1.0
+Release: 3%{?dist}
License: GPL
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
Source1: mod_security.conf
+Source2: modsecurity_localrules.conf
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
-BuildRequires: httpd-devel
+Requires: libxml2 pcre httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
+BuildRequires: httpd-devel libxml2-devel pcre-devel
%description
ModSecurity is an open source intrusion detection and prevention engine
@@ -18,28 +19,51 @@
%prep
-%setup -q -n modsecurity-apache_%{version}
+%setup -n modsecurity-apache_%{version}
%build
-/usr/sbin/apxs -Wc,"%{optflags}" -c apache2/mod_security.c
+make -C apache2 CFLAGS="%{optflags}" top_dir="%{_libdir}/httpd"
+perl -pi.orig -e 's|LIBDIR|%{_libdir}|;' %{SOURCE1}
%install
rm -rf %{buildroot}
-mkdir -p %{buildroot}%{_libdir}/httpd/modules/
-mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/
-install -p apache2/.libs/mod_security.so %{buildroot}/%{_libdir}/httpd/modules/
-install -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/
+install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
+install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf
+install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/blocking/
+cp -r rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+cp -r rules/blocking/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/blocking/
+install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf
%clean
rm -rf %{buildroot}
%files
%defattr (-,root,root)
-%doc CHANGES LICENSE INSTALL README httpd* util doc
-%{_libdir}/httpd/modules/mod_security.so
-%config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf
+%doc CHANGES LICENSE README.* modsecurity* doc
+%{_libdir}/httpd/modules/mod_security2.so
+%config %{_sysconfdir}/httpd/conf.d/mod_security.conf
+%dir %{_sysconfdir}/httpd/modsecurity.d
+%dir %{_sysconfdir}/httpd/modsecurity.d/blocking
+%config %{_sysconfdir}/httpd/modsecurity.d/*.conf
+%config %{_sysconfdir}/httpd/modsecurity.d/blocking/*.conf
+
%changelog
+* Mon Apr 2 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-3
+- Sync with devel
+- Fix CVE-2007-1359 (bz #231728)
+- Automagically configure correct library path for libxml2 library.
+- Add LoadModule for mod_unique_id as the logging wants this at runtime
+
+* Mon Mar 26 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-2
+- Fix DSO permissions (bz#233733)
+
+* Tue Mar 13 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-1
+- New major release - 2.1.0
+- Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic
+- Addition of core ruleset
+- (Build)Requires libxml2 and pcre added.
+
* Sun Sep 3 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.4-2
- Rebuild
- Fix minor longstanding braino in included sample configuration (bz #203972)
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/mod_security/FC-6/sources,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- sources 15 May 2006 12:31:04 -0000 1.7
+++ sources 2 Apr 2007 10:33:48 -0000 1.8
@@ -1 +1,3 @@
-74d2317781bab619cd7b6b376b978107 modsecurity-apache_1.9.4.tar.gz
+2e919766f2878c4ee46334816004dd15 modsecurity-apache_2.1.0.tar.gz
+ca0529cce7b56675e5f319c75cbb7398 mod_security.conf
+cbd1dbca89666a85fe9d703de26444c6 modsecurity_localrules.conf
- Previous message: rpms/python-metar/FC-6 metar-1.3.0-nobang.patch, NONE, 1.1 python-metar.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message: rpms/mod_security/FC-5 mod_security.conf, 1.3, 1.4 mod_security.spec, 1.15, 1.16
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list