rpms/mod_security
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c9s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c8/mod_security-2.9.6-1.el8
rpms:imports/c9/mod_security-2.9.6-1.el9
rpms:imports/c9-beta/mod_security-2.9.6-1.el9
rpms:imports/c8-beta/mod_security-2.9.6-1.el8
rpms:imports/c8s/mod_security-2.9.6-1.el8
rpms:imports/c9/mod_security-2.9.3-12.el9
rpms:imports/c9-beta/mod_security-2.9.3-12.el9
rpms:imports/c8-beta/mod_security-2.9.2-9.el8
rpms:imports/c8-beta/mod_security-2.9.2-8.el8
rpms:imports/c8s/mod_security-2.9.2-9.el8
rpms:imports/c8/mod_security-2.9.2-9.el8
rpms:imports/c8/mod_security-2.9.2-8.el8
...
pull from: rpms:c9-beta
Branches Tags
rpms:c10s
rpms:c9s
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c8/mod_security-2.9.6-1.el8
rpms:imports/c9/mod_security-2.9.6-1.el9
rpms:imports/c9-beta/mod_security-2.9.6-1.el9
rpms:imports/c8-beta/mod_security-2.9.6-1.el8
rpms:imports/c8s/mod_security-2.9.6-1.el8
rpms:imports/c9/mod_security-2.9.3-12.el9
rpms:imports/c9-beta/mod_security-2.9.3-12.el9
rpms:imports/c8-beta/mod_security-2.9.2-9.el8
rpms:imports/c8-beta/mod_security-2.9.2-8.el8
rpms:imports/c8s/mod_security-2.9.2-9.el8
rpms:imports/c8/mod_security-2.9.2-9.el8
rpms:imports/c8/mod_security-2.9.2-8.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

4 changed files with 117 additions and 35 deletions
Show Stats Expand all files Collapse all files

14
SOURCES/mod_security-2.9.2-remote-rules-timeout.patch → SOURCES/mod_security-2.9.3-remote-rules-timeout.patch
View File

@ -1,8 +1,8 @@
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index ce97950..5d4e9b5 100644
index 80f8f2b..7912d84 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2345,6 +2345,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
}
@ -27,7 +27,7 @@ index ce97950..5d4e9b5 100644
static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{
if (strcasecmp(p1, "on") == 0) {
@@ -3658,6 +3677,14 @@ const command_rec module_directives[] = {
@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
"Abort or Warn"
),
@ -43,7 +43,7 @@ index ce97950..5d4e9b5 100644
AP_INIT_TAKE1 (
"SecXmlExternalEntity",
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index b6e98e9..1410ac7 100644
index 7bb215e..c155495 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
@ -56,7 +56,7 @@ index b6e98e9..1410ac7 100644
int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index f170034..d9de1f0 100644
index f24bc75..8bcd453 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
@ -68,10 +68,10 @@ index f170034..d9de1f0 100644
extern DSOLOCAL int status_engine_state;
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 8a6df9e..af437d1 100644
index 99968f0..b8db13e 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -353,6 +353,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
/* We want Curl to return error in case there is an HTTP error code */
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);

14
SOURCES/modsecurity-2.9.3-apulibs.patch Normal file
View File

@ -0,0 +1,14 @@
Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
--- modsecurity-2.9.3/build/find_apu.m4.apulibs
+++ modsecurity-2.9.3/build/find_apu.m4
@@ -59,7 +59,7 @@
APU_CFLAGS="`${APU_CONFIG} --includes`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
- APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
+ APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
APU_LDADD="`${APU_CONFIG} --link-libtool`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi

31
SOURCES/modsecurity-2.9.3-lua-54.patch Normal file
View File

@ -0,0 +1,31 @@
diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c
--- modsecurity-2.9.3/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000
+++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000
@@ -429,12 +429,12 @@
#else
/* Create new state. */
-#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 501
+#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 501 || LUA_VERSION_NUM == 504
L = luaL_newstate();
#elif LUA_VERSION_NUM == 500
L = lua_open();
#else
-#error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.
+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3 or 5.4.
#endif
luaL_openlibs(L);
@@ -459,10 +459,10 @@
/* Register functions. */
#if LUA_VERSION_NUM == 500 || LUA_VERSION_NUM == 501
luaL_register(L, "m", mylib);
-#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503
+#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504
luaL_setfuncs(L, mylib, 0);
#else
-#error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.
+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3 or 5.4.
#endif
lua_setglobal(L, "m");

93
SPECS/mod_security.spec
View File

@ -5,26 +5,30 @@
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
%global with_mlogc 1
%bcond_without mlogc
Summary: Security module for the Apache HTTP Server
Name: mod_security
Name: mod_security
Version: 2.9.6
Release: 1%{?dist}
License: ASL 2.0
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
Source1: mod_security.conf
Source2: 10-mod_security.conf
Source3: modsecurity_localrules.conf
Patch1: mod_security-2.9.2-remote-rules-timeout.patch
Patch0: modsecurity-2.9.3-lua-54.patch
Patch1: modsecurity-2.9.3-apulibs.patch
Patch2: mod_security-2.9.3-remote-rules-timeout.patch
Requires: httpd httpd-mmn = %{_httpd_mmn}
# To ensure correct file ownership
%if 0%{?fedora} || 0%{?rhel} > 7
# Ensure apache user exists for file ownership
Requires(pre): httpd-filesystem
BuildRequires: gcc
%endif
BuildRequires: gcc, make, autoconf, automake, libtool
BuildRequires: httpd-devel
BuildRequires: make
BuildRequires: perl-generators
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libpcre)
@ -35,7 +39,7 @@ BuildRequires: pkgconfig(lua)
%if 0%{?el6}
BuildRequires: yajl-devel
%else
BuildRequires: pkgconfig(yajl)
BuildRequires: pkgconfig(yajl)
%endif
@ -44,27 +48,30 @@ ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.
%if %with_mlogc
%if %{with mlogc}
%package mlogc
Summary: ModSecurity Audit Log Collector
Group: System Environment/Daemons
Requires: mod_security%{?_isa} = %{version}-%{release}
Requires: mod_security
%if 0%{?fedora} || 0%{?rhel} > 7
# Ensure apache user exists for file ownership
Requires(pre): httpd-filesystem
%endif
%description mlogc
%description mlogc
This package contains the ModSecurity Audit Log Collector.
%endif
%prep
%setup -q -n modsecurity-%{version}
%patch1 -p1 -b .remote-rules-timeout
%autosetup -p1 -n modsecurity-%{version}
%build
./autogen.sh
%configure --enable-pcre-match-limit=1000000 \
--enable-pcre-match-limit-recursion=1000000 \
--with-apxs=%{_httpd_apxs} \
--with-yajl \
--enable-collection-global-lock
--disable-static
# remove rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@ -103,7 +110,7 @@ install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
install -Dp -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/local_rules/
# mlogc
%if %with_mlogc
%if %{with mlogc}
install -d %{buildroot}%{_localstatedir}/log/mlogc
install -d %{buildroot}%{_localstatedir}/log/mlogc/data
install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
@ -125,7 +132,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/local_rules/*.conf
%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
%if %with_mlogc
%if %{with mlogc}
%files mlogc
%doc mlogc/INSTALL
%attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
@ -136,23 +143,53 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
%endif
%changelog
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.6-1
* Wed Nov 16 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.6-1
- new version 2.9.6
- Resolves: #2143207 - [RFE] upgrade mod_security to 2.9.6
- Resolves: #2143211 - [RFE] upgrade mod_security to 2.9.6
* Sun Nov 15 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.9.2-9
- Resolves: #1824859 - RFE: Add a feature that can set a mod_security/libcurl
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.3-12
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.3-11
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-10
- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
timeout for retrieving the rules
- rename mlogc to mod_security-mlogc
* Mon Dec 17 2018 Joe Orton <jorton@redhat.com> - 2.9.2-8
- enable collection global lock (#1650268)
* Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
- don't link against redundant apr-util dependent libraries
* Wed Nov 28 2018 Lubos Uhliarik <luhliari@redhat.com> - 2.9.2-7
- Related: #1650242 - mod_security-mlogc dropped
* Sat Aug 08 2020 Othman Madjoudj <athmane@fedoraproject.org> - 2.9.3-7
- Add a patch to fix build with Lua 5.4 until we completely switch to mod_sec3 as default
* Thu Nov 15 2018 Joe Orton <jorton@redhat.com> - 2.9.2-6
- build -mlogc subpackage (#1650242)
- add httpd-filesystem as Requires(pre)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-6
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Sun Dec 09 2018 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.3-1
- Update to 2.9.3
* Fri Nov 16 2018 Joe Orton <jorton@redhat.com> - 2.9.2-7
- Requires(pre): httpd-filesystem to ensure apache user exists
- enable mlogc everywhere, use buildcond to disable
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Sun Feb 18 2018 Athmane Madjoudj <athmane@fedoraproject.org> - 2.9.2-5
- Add gcc and make as BR (minimal buildroot change)