rpms/mod_security/F-13 mod_security.conf, 1.9, 1.10 mod_security.spec, 1.36, 1.37
Michael Fleming
mfleming at fedoraproject.org
Wed Jun 30 09:39:10 UTC 2010
Author: mfleming
Update of /cvs/pkgs/rpms/mod_security/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv25751
Modified Files:
mod_security.conf mod_security.spec
Log Message:
* Wed Jun 30 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-2
- Fix log dirs and files ordering per bz#569360
Index: mod_security.conf
===================================================================
RCS file: /cvs/pkgs/rpms/mod_security/F-13/mod_security.conf,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- mod_security.conf 6 Nov 2009 09:38:11 -0000 1.9
+++ mod_security.conf 30 Jun 2010 09:39:10 -0000 1.10
@@ -9,5 +9,87 @@ LoadModule unique_id_module modules/mod_
# Basic configuration goes in here
Include modsecurity.d/*.conf
Include modsecurity.d/base_rules/*.conf
+
+ # Additional items taken from new minimal modsecurity conf
+ # Basic configuration options
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecResponseBodyAccess Off
+
+ # PCRE Tuning
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ # Handling of file uploads
+ # TODO Choose a folder private to Apache.
+ # SecUploadDir /opt/apache-frontend/tmp/
+ SecUploadKeepFiles Off
+ SecUploadFileLimit 10
+
+ # Debug log
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecDebugLogLevel 0
+
+ # Serial audit log
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus ^5
+ SecAuditLogParts ABIFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/httpd/modsec_audit.log
+
+ # Set Data Directory
+ SecDataDir /var/log/httpd/
+
+ # Maximum request body size we will
+ # accept for buffering
+ SecRequestBodyLimit 131072
+
+ # Store up to 128 KB in memory
+ SecRequestBodyInMemoryLimit 131072
+
+ # Buffer response bodies of up to
+ # 512 KB in length
+ SecResponseBodyLimit 524288
+
+ # Verify that we've correctly processed the request body.
+ # As a rule of thumb, when failing to process a request body
+ # you should reject the request (when deployed in blocking mode)
+ # or log a high-severity alert (when deployed in detection-only mode).
+ SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+ "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+ # By default be strict with what we accept in the multipart/form-data
+ # request body. If the rule below proves to be too strict for your
+ # environment consider changing it to detection-only. You are encouraged
+ # _not_ to remove it altogether.
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "phase:2,t:none,log,deny,msg:'Multipart request body \
+ failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_SEMICOLON_MISSING}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ # Did we see anything that might be a boundary?
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ # Some internal errors will set flags in TX and we will need to look for these.
+ # All of these are prefixed with "MSC_". The following flags currently exist:
+ #
+ # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+ #
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ # Local rules
Include modsecurity.d/modsecurity_localrules.conf
+
</IfModule>
Index: mod_security.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_security/F-13/mod_security.spec,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -p -r1.36 -r1.37
--- mod_security.spec 13 Feb 2010 10:27:03 -0000 1.36
+++ mod_security.spec 30 Jun 2010 09:39:10 -0000 1.37
@@ -1,7 +1,7 @@
Summary: Security module for the Apache HTTP Server
Name: mod_security
Version: 2.5.12
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
@@ -55,6 +55,9 @@ rm -rf %{buildroot}
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf
%changelog
+* Wed Jun 30 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-2
+- Fix log dirs and files ordering per bz#569360
+
* Sat Feb 13 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-1
- Update to latest upstream release
- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
More information about the scm-commits
mailing list