From e83f3e411a1344e389b008303d67aabcc782daa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 5 Dec 2022 18:57:07 +0100 Subject: [PATCH] new version 3.3.4 Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x --- .gitignore | 1 + mod_security_crs-early-blocking.patch | 38 +++++++++++---------------- mod_security_crs.spec | 10 ++++--- sources | 2 +- 4 files changed, 25 insertions(+), 26 deletions(-) diff --git a/.gitignore b/.gitignore index 255be10..5897ba5 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /owasp-modsecurity-crs-3.0.0.tar.gz /owasp-modsecurity-crs-3.2.0.tar.gz /v3.3.0.tar.gz +/v3.3.4.tar.gz diff --git a/mod_security_crs-early-blocking.patch b/mod_security_crs-early-blocking.patch index 16bced8..2d2dbb3 100644 --- a/mod_security_crs-early-blocking.patch +++ b/mod_security_crs-early-blocking.patch @@ -1,14 +1,8 @@ -commit 8acabc1806d3c9be5f781da978a7684639b257d8 -Author: Tomas Korbar -Date: Thu Aug 4 12:13:03 2022 +0200 - - Add early blocking feature - diff --git a/crs-setup.conf.example b/crs-setup.conf.example -index 6e18996..08c719e 100644 +index b443e77..0fdd5cb 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example -@@ -233,7 +233,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" +@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # @@ -17,7 +11,7 @@ index 6e18996..08c719e 100644 # # Each rule in the CRS has an associated severity level. # These are the default scoring points for each severity level. -@@ -269,7 +269,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" +@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" # @@ -26,7 +20,7 @@ index 6e18996..08c719e 100644 # # Here, you can specify at which cumulative anomaly score an inbound request, # or outbound response, gets blocked. -@@ -318,6 +318,35 @@ SecDefaultAction "phase:2,log,auditlog,pass" +@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass" # setvar:tx.outbound_anomaly_score_threshold=4" # @@ -63,11 +57,11 @@ index 6e18996..08c719e 100644 # # Some well-known applications may undertake actions that appear to be diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf -index 2a6f74e..b279829 100644 +index 5044abd..06a1bb3 100644 --- a/rules/REQUEST-901-INITIALIZATION.conf +++ b/rules/REQUEST-901-INITIALIZATION.conf -@@ -88,6 +88,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ - ver:'OWASP_CRS/3.3.0',\ +@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ + ver:'OWASP_CRS/3.3.4',\ setvar:'tx.outbound_anomaly_score_threshold=4'" +# Default Blocking Early (rule 900120 in setup.conf) @@ -83,10 +77,10 @@ index 2a6f74e..b279829 100644 SecRule &TX:paranoia_level "@eq 0" \ "id:901120,\ diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf -index 5f370a1..338ce88 100644 +index 050eb04..755315f 100644 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf -@@ -11,7 +11,66 @@ +@@ -12,7 +12,66 @@ # -= Paranoia Level 0 (empty) =- (apply unconditionally) # @@ -154,7 +148,7 @@ index 5f370a1..338ce88 100644 # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. # So we add to it. -@@ -92,6 +151,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ +@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" @@ -177,10 +171,10 @@ index 5f370a1..338ce88 100644 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf -index c34607e..a192359 100644 +index 13013de..bf9b03d 100644 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf -@@ -95,7 +95,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf +@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf # SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ "id:950100,\ @@ -190,10 +184,10 @@ index c34607e..a192359 100644 capture,\ t:none,\ diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -index 8f8114c..26b525c 100644 +index 24130eb..549c07c 100644 --- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -@@ -21,7 +21,67 @@ +@@ -22,7 +22,67 @@ # -= Paranoia Level 0 (empty) =- (apply unconditionally) # @@ -262,8 +256,8 @@ index 8f8114c..26b525c 100644 # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. # So we add to it. -@@ -75,6 +135,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ - ver:'OWASP_CRS/3.3.0',\ +@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ + ver:'OWASP_CRS/3.3.4',\ setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'" +SecRule TX:BLOCKING_EARLY "@eq 1" \ diff --git a/mod_security_crs.spec b/mod_security_crs.spec index 277da37..039e6af 100644 --- a/mod_security_crs.spec +++ b/mod_security_crs.spec @@ -1,12 +1,12 @@ Summary: ModSecurity Rules Name: mod_security_crs -Version: 3.3.0 -Release: 6%{?dist} +Version: 3.3.4 +Release: 1%{?dist} License: ASL 2.0 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz BuildArch: noarch -Requires: mod_security >= 2.8.0 +Requires: mod_security >= 2.9.6 Obsoletes: mod_security_crs-extras < 3.0.0 Patch0: mod_security_crs-early-blocking.patch @@ -48,6 +48,10 @@ done %{_datarootdir}/mod_modsecurity_crs %changelog +* Mon Dec 05 2022 Luboš Uhliarik - 3.3.4-1 +- new version 3.3.4 +- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x + * Wed Sep 07 2022 Tomas Korbar - 3.3.0-6 - Fix application of early blocking patch - Related: rhbz#2115313 diff --git a/sources b/sources index eaa1db0..4d22b93 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (v3.3.0.tar.gz) = 12043aae12b5e01455e229136411e1fdef3a14318aff191d190b567463b63efb72630a695449b56f1d654ed1cfc0b4eb452a64502c35337d37cce920d5fa4ea4 +SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827