.gitignore

@@ -1,2 +1 @@
-SOURCES/v3.3.4.tar.gz
+SOURCES/v3.3.5.tar.gz
-/v3.3.4.tar.gz

.mod_security_crs.metadata

@@ -0,0 +1 @@
+b552005471446a4a2454a6b6ee7e65f864219ce0 SOURCES/v3.3.5.tar.gz

SOURCES/mod_security_crs-early-blocking.patch

@@ -1,5 +1,5 @@
 diff --git a/crs-setup.conf.example b/crs-setup.conf.example
-index b443e77..0fdd5cb 100644
+index e0b1d9c..cc2f97c 100644
 --- a/crs-setup.conf.example
 +++ b/crs-setup.conf.example
 @@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
@@ -57,11 +57,11 @@ index b443e77..0fdd5cb 100644
  #
  # Some well-known applications may undertake actions that appear to be
 diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
-index 5044abd..06a1bb3 100644
+index 27fd54a..2095bf7 100644
 --- a/rules/REQUEST-901-INITIALIZATION.conf
 +++ b/rules/REQUEST-901-INITIALIZATION.conf
 @@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
-     ver:'OWASP_CRS/3.3.4',\
+     ver:'OWASP_CRS/3.3.5',\
      setvar:'tx.outbound_anomaly_score_threshold=4'"
  
 +# Default Blocking Early (rule 900120 in setup.conf)
@@ -77,7 +77,7 @@ index 5044abd..06a1bb3 100644
  SecRule &TX:paranoia_level "@eq 0" \
      "id:901120,\
 diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
-index 050eb04..755315f 100644
+index 9ee4a8d..c5e4604 100644
 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
 +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
 @@ -12,7 +12,66 @@
@@ -171,7 +171,7 @@ index 050eb04..755315f 100644
  
  SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
-index 13013de..bf9b03d 100644
+index 0b6f832..5c61674 100644
 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
 +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
 @@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
@@ -184,7 +184,7 @@ index 13013de..bf9b03d 100644
      capture,\
      t:none,\
 diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
-index 24130eb..549c07c 100644
+index 689cc94..e30ce13 100644
 --- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 +++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 @@ -22,7 +22,67 @@
@@ -257,7 +257,7 @@ index 24130eb..549c07c 100644
  # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
  # So we add to it.
 @@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
-     ver:'OWASP_CRS/3.3.4',\
+     ver:'OWASP_CRS/3.3.5',\
      setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
  
 +SecRule TX:BLOCKING_EARLY "@eq 1" \

SOURCES/mod_security_crs-rule-913100-req-scanner-detection.patch

@@ -0,0 +1,29 @@
+diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
+index 6e12d08..6be0b67 100644
+--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
++++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
+@@ -31,6 +31,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
+ # 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
+ # 913102 - web crawlers/bots (data file crawlers-user-agents.data)
+ #
++# Chained rule is doing whitelist for YUM package manager of CentOS / Fedore.
+ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+     "id:913100,\
+     phase:2,\
+@@ -49,10 +50,12 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+     tag:'PCI/6.5.10',\
+     ver:'OWASP_CRS/3.3.5',\
+     severity:'CRITICAL',\
+-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+-    setvar:'ip.reput_block_flag=1',\
+-    setvar:'ip.reput_block_reason=%{rule.msg}',\
+-    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
++    chain"
++    SecRule MATCHED_VARS "!@rx ^urlgrabber/[0-9\.]+ yum/[0-9\.]+$" \
++        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
++        setvar:'ip.reput_block_flag=1',\
++        setvar:'ip.reput_block_reason=%{rule.msg}',\
++        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+ 
+ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
+     "id:913110,\

SOURCES/mod_security_crs-rule-941310-dont-match-japanese-word.patch

@@ -0,0 +1,18 @@
+diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+index 3b2376b..504eb26 100644
+--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
++++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+@@ -543,8 +543,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
+     ctl:auditLogParts=+E,\
+     ver:'OWASP_CRS/3.3.5',\
+     severity:'CRITICAL',\
+-    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
++    chain"
++        SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx [^\xe4]\xbc[^\x9a][^\xbe>]*[^\xe7][^\xa4][\xbe>]|<[^\xbe]*[^\xe7][^\xa4]\xbe" \
++        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
++        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
++        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ 
+ #
+ # https://nedbatchelder.com/blog/200704/xss_with_utf7.html

SPECS/mod_security_crs.spec

@@ -1,24 +1,27 @@
 Summary: ModSecurity Rules
 Name: mod_security_crs
-Version: 3.3.4
+Version: 3.3.5
-Release: 3%{?dist}.2
+Release: 1%{?dist}
 License: ASL 2.0
 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
-Group: System Environment/Daemons
 Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
 BuildArch: noarch
-Requires: mod_security >= 2.8.0
+Requires: mod_security >= 2.9.6
 Obsoletes: mod_security_crs-extras < 3.0.0
 Patch0: mod_security_crs-early-blocking.patch
+# https://issues.redhat.com/browse/RHEL-16358
 Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
+# https://issues.redhat.com/browse/RHEL-22733
+Patch2: mod_security_crs-rule-913100-req-scanner-detection.patch
 
 %description
 This package provides the base rules for mod_security.
 
 %prep
 %setup -q -n coreruleset-%{version}
-%patch0 -p1 -b.early_blocking
+%patch0 -p1 -b .early_blocking
-%patch1 -p1 -b.rule_941310
+%patch1 -p1 -b .rule_941310
+%patch2 -p1 -b .rule_913100
 
 %build
 
@@ -34,6 +37,7 @@ mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysc
 
 install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
 install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
+
 mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
 
 # activate base_rules
@@ -44,42 +48,76 @@ done
 
 %files
 %license LICENSE
-%doc CHANGES README.md
+%doc CHANGES.md README.md
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
 %{_datarootdir}/mod_modsecurity_crs
 
 %changelog
-* Wed Feb 19 2025 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3.2
+* Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.5-1
-- Resolves: RHEL-78711 - A form data, "鹿沼市御成橋"(a name of street/city
+- Resolves: RHEL-32964 - new version 3.3.5
-  in Japanese) is forbade by mod_security_crs-3.3.4-3.el8.noarch
 
-* Tue Apr 04 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-3
+* Fri Feb 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3
-- bump release to enable build
+- Resolves: #RHEL-22733 - mod_security_crs - The rule id:913100 in the
-- Related: rhbz#2040257
+  REQUEST-913-SCANNER-DETECTION.conf blocks requests  with "User-agent:
+  urlgrabber/3.10 yum/3.4.3"
 
-* Fri Mar 31 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-2
+* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
-- add chained regex for rule 941310 to not match japan word 'company'
+- Resolves: RHEL-16358 - A form data, "会社"(Company in Japanese) is forbade
-- Resolves: rhbz#2040257
+  with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs
 
-* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
+* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
 - new version 3.3.4
-- Resolves: #2141432 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
+- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
 
-* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5
+* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-6
 - Fix application of early blocking patch
-- Related: rhbz#2101020
+- Related: rhbz#2115313
 
-* Mon Sep 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-4
+* Fri Aug 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5
-- Rebuild because of build system issue
+- Fix patch for early blocking
-- Related: rhbz#2101020
+- Related: rhbz#2115313
 
-* Tue Aug 02 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-3
+* Thu Aug 04 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-4
 - Backport early blocking feature
-- Resolves: rhbz#2101020
+- Resolves: rhbz#2115313
 
-* Thu May 06 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.3.0-2
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.3.0-3
-- Resolves: #1855858 - [RFE] update mod_security_crs to 3.3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Mon Aug  2 2021 Joe Orton <jorton@redhat.com> - 3.3.0-2
+- rebuild (#1986075)
+
+* Thu Apr 22 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.3.0-1
+- Resolves: #1947962 - [RFE] update mod_security_crs to 3.3
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2.0-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Mar 05 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.2.0-1
+- new version 3.2.0
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

gating.yaml

@@ -1,7 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

mod_security_crs-rule-941310-dont-match-japanese-word.patch

@@ -1,69 +0,0 @@
-diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
-index a48980c..e675687 100644
---- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
-+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
-@@ -524,12 +524,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
- # US-ASCII encoding bypass listed on XSS filter evasion
- # Reported by Mazin Ahmed
- #
-+# This evasion covered by this chain of rules is specific to webservers that deliver content in US-ASCII.
-+# Only Apache Tomcat is known (according to the page linked above) to be vulnerable to this and probably has to be
-+# misconfigured for this to happen.
-+#
-+# Since US-ASCII is a seven bit encoding, bit 8 is ignored. Consider the following ISO 8859-1 sequence:
-+#
-+# ¼script¾alert(¢XSS¢)¼/script¾
-+#
-+# A filter looking for tags will usually not match against this sequence because there are no angle brackets (< / >). However,
-+# the characters where the brackets would be are ISO 8859-1 characters:
-+# - ¼: 0x00BC
-+# - ¾: 0x00BE
-+# - ¢: 0x00A2
-+#
-+# And this is how the sequence looks in in US-ASCII:
-+#
-+# <script>alert("XSSB")</script/>
-+#
-+# This enables an attacker to craft a string that will be delivered in a form that a browser will execute as script
-+# while being ignored by input filters.
-+#
-+# This rule looks for start tag sequene that looks like "<...>" (checks fo hex and plain to be sure).
-+# Because the bytes matched occur in many different languages encoded as multibyte characters (e.g. UTF-8)
-+# (e.g. German umlauts, Russion characters) this isn't very helpful and can cause many false positives. We, therefore,
-+# use a chained rule to also look fora an end tag sequence that looks like "</...>". Only if the chained rule matches will
-+# the request be blocked.
-+#
-+# This is of course still not perfect but should at least make it harder to hide most tags using this technique while
-+# requiring very specifig patterns in a language to match, which should get rid of most false positives.
-+# These rules would, for example, not guard against an element without an end tag, e.g. "<img... />".
-+#
-+# US-ASCII on Wikipedia: https://en.wikipedia.org/wiki/ASCII
-+# ISO 8859-1 on Wikipedia: https://en.wikipedia.org/wiki/ISO/IEC_8859-1
- 
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
-     "id:941310,\
-     phase:2,\
-     block,\
-     capture,\
-+    chain,\
-     t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
-     msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
-     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-@@ -540,11 +574,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
-     tag:'paranoia-level/1',\
-     tag:'OWASP_CRS',\
-     tag:'capec/1000/152/242',\
--    ctl:auditLogParts=+E,\
-     ver:'OWASP_CRS/3.3.4',\
--    severity:'CRITICAL',\
--    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
--    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-+    severity:'CRITICAL'"
-+    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
-+        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
-+        ctl:auditLogParts=+E,\
-+        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
- 
- #
- # https://nedbatchelder.com/blog/200704/xss_with_utf7.html

sources

@@ -1 +0,0 @@
-SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827