new version 3.3.4
Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
This commit is contained in:
parent
888fdb6dfc
commit
e83f3e411a
1
.gitignore
vendored
1
.gitignore
vendored
@ -8,3 +8,4 @@
|
|||||||
/owasp-modsecurity-crs-3.0.0.tar.gz
|
/owasp-modsecurity-crs-3.0.0.tar.gz
|
||||||
/owasp-modsecurity-crs-3.2.0.tar.gz
|
/owasp-modsecurity-crs-3.2.0.tar.gz
|
||||||
/v3.3.0.tar.gz
|
/v3.3.0.tar.gz
|
||||||
|
/v3.3.4.tar.gz
|
||||||
|
@ -1,14 +1,8 @@
|
|||||||
commit 8acabc1806d3c9be5f781da978a7684639b257d8
|
|
||||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
|
||||||
Date: Thu Aug 4 12:13:03 2022 +0200
|
|
||||||
|
|
||||||
Add early blocking feature
|
|
||||||
|
|
||||||
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
|
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
|
||||||
index 6e18996..08c719e 100644
|
index b443e77..0fdd5cb 100644
|
||||||
--- a/crs-setup.conf.example
|
--- a/crs-setup.conf.example
|
||||||
+++ b/crs-setup.conf.example
|
+++ b/crs-setup.conf.example
|
||||||
@@ -233,7 +233,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -17,7 +11,7 @@ index 6e18996..08c719e 100644
|
|||||||
#
|
#
|
||||||
# Each rule in the CRS has an associated severity level.
|
# Each rule in the CRS has an associated severity level.
|
||||||
# These are the default scoring points for each severity level.
|
# These are the default scoring points for each severity level.
|
||||||
@@ -269,7 +269,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -26,7 +20,7 @@ index 6e18996..08c719e 100644
|
|||||||
#
|
#
|
||||||
# Here, you can specify at which cumulative anomaly score an inbound request,
|
# Here, you can specify at which cumulative anomaly score an inbound request,
|
||||||
# or outbound response, gets blocked.
|
# or outbound response, gets blocked.
|
||||||
@@ -318,6 +318,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
||||||
# setvar:tx.outbound_anomaly_score_threshold=4"
|
# setvar:tx.outbound_anomaly_score_threshold=4"
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -63,11 +57,11 @@ index 6e18996..08c719e 100644
|
|||||||
#
|
#
|
||||||
# Some well-known applications may undertake actions that appear to be
|
# Some well-known applications may undertake actions that appear to be
|
||||||
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
|
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
|
||||||
index 2a6f74e..b279829 100644
|
index 5044abd..06a1bb3 100644
|
||||||
--- a/rules/REQUEST-901-INITIALIZATION.conf
|
--- a/rules/REQUEST-901-INITIALIZATION.conf
|
||||||
+++ b/rules/REQUEST-901-INITIALIZATION.conf
|
+++ b/rules/REQUEST-901-INITIALIZATION.conf
|
||||||
@@ -88,6 +88,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
|
@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
|
||||||
ver:'OWASP_CRS/3.3.0',\
|
ver:'OWASP_CRS/3.3.4',\
|
||||||
setvar:'tx.outbound_anomaly_score_threshold=4'"
|
setvar:'tx.outbound_anomaly_score_threshold=4'"
|
||||||
|
|
||||||
+# Default Blocking Early (rule 900120 in setup.conf)
|
+# Default Blocking Early (rule 900120 in setup.conf)
|
||||||
@ -83,10 +77,10 @@ index 2a6f74e..b279829 100644
|
|||||||
SecRule &TX:paranoia_level "@eq 0" \
|
SecRule &TX:paranoia_level "@eq 0" \
|
||||||
"id:901120,\
|
"id:901120,\
|
||||||
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
|
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
|
||||||
index 5f370a1..338ce88 100644
|
index 050eb04..755315f 100644
|
||||||
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
|
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
|
||||||
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
|
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
|
||||||
@@ -11,7 +11,66 @@
|
@@ -12,7 +12,66 @@
|
||||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -154,7 +148,7 @@ index 5f370a1..338ce88 100644
|
|||||||
|
|
||||||
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
|
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
|
||||||
# So we add to it.
|
# So we add to it.
|
||||||
@@ -92,6 +151,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
||||||
severity:'CRITICAL',\
|
severity:'CRITICAL',\
|
||||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||||
|
|
||||||
@ -177,10 +171,10 @@ index 5f370a1..338ce88 100644
|
|||||||
|
|
||||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||||
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
|
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
|
||||||
index c34607e..a192359 100644
|
index 13013de..bf9b03d 100644
|
||||||
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
|
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
|
||||||
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
|
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
|
||||||
@@ -95,7 +95,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
|
@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
|
||||||
#
|
#
|
||||||
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
||||||
"id:950100,\
|
"id:950100,\
|
||||||
@ -190,10 +184,10 @@ index c34607e..a192359 100644
|
|||||||
capture,\
|
capture,\
|
||||||
t:none,\
|
t:none,\
|
||||||
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
||||||
index 8f8114c..26b525c 100644
|
index 24130eb..549c07c 100644
|
||||||
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
||||||
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
||||||
@@ -21,7 +21,67 @@
|
@@ -22,7 +22,67 @@
|
||||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -262,8 +256,8 @@ index 8f8114c..26b525c 100644
|
|||||||
|
|
||||||
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
|
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
|
||||||
# So we add to it.
|
# So we add to it.
|
||||||
@@ -75,6 +135,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||||
ver:'OWASP_CRS/3.3.0',\
|
ver:'OWASP_CRS/3.3.4',\
|
||||||
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
|
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
|
||||||
|
|
||||||
+SecRule TX:BLOCKING_EARLY "@eq 1" \
|
+SecRule TX:BLOCKING_EARLY "@eq 1" \
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
Summary: ModSecurity Rules
|
Summary: ModSecurity Rules
|
||||||
Name: mod_security_crs
|
Name: mod_security_crs
|
||||||
Version: 3.3.0
|
Version: 3.3.4
|
||||||
Release: 6%{?dist}
|
Release: 1%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
|
URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
|
||||||
Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
|
Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
Requires: mod_security >= 2.8.0
|
Requires: mod_security >= 2.9.6
|
||||||
Obsoletes: mod_security_crs-extras < 3.0.0
|
Obsoletes: mod_security_crs-extras < 3.0.0
|
||||||
Patch0: mod_security_crs-early-blocking.patch
|
Patch0: mod_security_crs-early-blocking.patch
|
||||||
|
|
||||||
@ -48,6 +48,10 @@ done
|
|||||||
%{_datarootdir}/mod_modsecurity_crs
|
%{_datarootdir}/mod_modsecurity_crs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
|
||||||
|
- new version 3.3.4
|
||||||
|
- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
|
||||||
|
|
||||||
* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-6
|
* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-6
|
||||||
- Fix application of early blocking patch
|
- Fix application of early blocking patch
|
||||||
- Related: rhbz#2115313
|
- Related: rhbz#2115313
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (v3.3.0.tar.gz) = 12043aae12b5e01455e229136411e1fdef3a14318aff191d190b567463b63efb72630a695449b56f1d654ed1cfc0b4eb452a64502c35337d37cce920d5fa4ea4
|
SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827
|
||||||
|
Loading…
Reference in New Issue
Block a user