pkgsrc-Bugs archive


PR/44745 CVS commit: pkgsrc/security/ap-modsecurity2

The following reply was made to PR pkg/44745; it has been noted by GNATS.

From: "David A. Holland" <>
Subject: PR/44745 CVS commit: pkgsrc/security/ap-modsecurity2
Date: Sat, 19 Mar 2011 21:18:06 +0000

 Module Name:   pkgsrc
 Committed By:  dholland
 Date:          Sat Mar 19 21:18:06 UTC 2011
 Modified Files:
        pkgsrc/security/ap-modsecurity2: Makefile distinfo
        pkgsrc/security/ap-modsecurity2/patches: patch-aa
 Log Message:
 Update ap-modsecurity2 to 2.5.13, partly from Matthew Sporleder in
 PR 44745, rest by me.
 pkgsrc changes:
    - fix up deps
    - fix Apache module handling
    - DESTDIR support
 XXX: The DESTDIR support has to bypass apxs because as far as I can tell
 XXX: apxs -i doesn't know how to handle DESTDIRs. Various Apache modules
 XXX: do this in various different ways. Someone(TM) should teach apxs -i
 XXX: about DESTDIRs and fix up all the abuse. The infrastructure for
 XXX: Apache modules could use some rototilling as well.
 29 Nov 2010 - 2.5.13
  * Cleaned up some mlogc code and debugging output.
  * Remove the ability to use a relative path to a piped audit logger
    (i.e. mlogc) as Apache does not support it in their piped loggers
    and it was breaking Windows and probably other platforms that
    use spaces in filesystem paths.  Discovered by Tom Donovan.
  * Fix memory leak freeing regex.  Discovered by Tom Donovan.
  * Fix some portability issues on Windows.
  * Fixed Geo lookup concurrent connections bug
  * Fixed Skip/SkipAfter chain bug
  * Added new setvar Lua API to be used in Lua scripts
  * Added PCRE messages indicating each rule that exceeds match limits
  * Added new Base64 transformation function called base64DecodeEx, which
    can decode base64 data skipping special characters.
  * Add SecReadStateLimit to limit the number of concurrent threads in BUSY
    connections per IP address
  * Fixed redirect action not expanding macros in chained rules
 04 Feb 2010 - 2.5.12
  * Fixed SecUploadFileMode to set the correct mode.
  * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
  * Added additional file info definitions introduced in APR 0.9.5 so that
    build will work with older APRs (IBM HTTP Server v6).
  * Added SecUploadFileLimit to limit the number of uploaded file parts that
    will be processed in a multipart POST.  The default is 100.
  * Fixed path normalization to better handle backreferences that extend
    above root directories.  Reported by Sogeti/ESEC R&D.
  * Trim whitespace around phrases used with @pmFromFile and allow
    for both LF and CRLF terminated lines.
  * Allow for more robust parsing for multipart header folding.  Reported
    by Sogeti/ESEC R&D.
  * Fixed failure to match internally set TX variables with regex
    (TX:/.../) syntax.
  * Fixed failure to log full internal TX variable names and populate
    MATCHED_VAR* vars.
  * Enabled PCRE "studying" by default.  This is now a configure-time option.
  * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
    aid in REDoS type attacks.  A rule that goes over the limits will set
    TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
    of ModSecurity (2.6.x) will move these flags to a dedicated collection.
  * Reduced default PCRE match limits reducing impact of REDoS on poorly
    written regex rules.  Reported by Sogeti/ESEC R&D.
  * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.
  * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
  * Update copyright to 2010.
  * Reserved 700,000-799,999 IDs for Ivan Ristic.
  * Fixed SecAction not working when CONNECT request method is used
    (MODSEC-110). [Ivan Ristic]
  * Do not escape quotes in macro resolution and only escape NUL in setenv
 04 Nov 2009 - 2.5.11
  * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
    set true if any invalid quoting is found during multipart parsing.
  * Fixed parsing quoted strings in multipart Content-Disposition headers.
    Discovered by Stefan Esser.
  * Cleanup persistence database locking code.
  * Added warning during configure if libcurl is found linked against
    gnutls for SSL.  The openssl lib is recommended as gnutls has
    proven to cause issues with mutexes and may crash.
  * Cleanup some mlogc (over)logging.
  * Do not log output filter errors in the error log.
  * Moved output filter to run before other stock filters (mod_deflate,
    mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
    in the response.  Patch originally submitted by Ivan Ristic.
 18 Sep 2009 - 2.5.10
  * Cleanup mlogc so that it builds on Windows.
  * Added more detailed messages to replace "Unknown error" in filters.
  * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
    auditlog permissions (especially with mpm-itk).
  * Cleanup SecUploadFileMode implementation.
  * Cleanup build scripts.
  * Fixed crash on configuration if SecMarker is used before any rules.
  * Fixed SecRuleUpdateActionById so that it will work on chain starters.
  * Cleanup build system for mlogc.
  * Allow mlogc to periodically flush memory pools.
  * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
    nothing to the error log.  Prior versions dropped the "Message:" line from
    both logs.  To do this now, just use "nolog" or "nolog,noauditlog".
  * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
    issues with some libcurl versions.
  * Fixed mlogc issue seen on big endian machines where content type
    could be listed as zero.
  * Removed extra newline from audit log message line when logging XML errors.
    This was causing problems parsing audit logs.
  * Fixed @pm/@pmFromFile case insensitivity.
  * Truncate long parameters in log message for "Match of ... against ...
    required" messages.
  * Correctly resolve chained rule actions in logs.
  * Cleanup some code for portability.
  * AIX does not support hidden visibility with xlc compiler.
  * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
    values for non-gcc compilers.
  * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
  * Handle a newer geo database more gracefully, avoiding a potential crash for
    new countries that ModSecurity is not yet aware of.
  * Allow checking &GEO "@eq 0" for a failed @geoLookup.
  * Fixed mlogc global mutex locking issue and added more debugging output.
  * Cleaned up build dependencies and configure options.
 To generate a diff of this commit:
 cvs rdiff -u -r1.16 -r1.17 pkgsrc/security/ap-modsecurity2/Makefile
 cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/ap-modsecurity2/distinfo
 cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/ap-modsecurity2/patches/patch-aa
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
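The changelog above introduces several hardening directives and engine flags (SecPcreMatchLimit/SecPcreMatchLimitRecursion and TX:MSC_PCRE_LIMITS_EXCEEDED in 2.5.12, MULTIPART_INVALID_QUOTING in 2.5.11, SecAuditLogDirMode/SecAuditLogFileMode in 2.5.10, SecUploadFileLimit in 2.5.12). The fragment below is an added example of how a deployment of this package could wire them together; it is not part of the commit or the upstream distribution, and the limit values, modes, status codes and messages are assumptions chosen for illustration.

```apache
# Added example configuration for ap-modsecurity2 2.5.13 (not from the pkgsrc commit).
# Assumed values: the numeric limits, file modes and messages below are illustrative.

# Cap PCRE backtracking so a poorly written regex rule hit by a REDoS payload
# fails fast and sets TX:MSC_PCRE_LIMITS_EXCEEDED instead of pinning a worker.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Bound the number of multipart file parts processed per request (2.5.12 default is 100).
SecUploadFileLimit 100

# Audit log permissions, useful with per-user MPMs such as mpm-itk, so logs are
# writable by the engine but not world-readable.
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# Multipart parser found invalid quoting in Content-Disposition (flag added in 2.5.11).
# Log to the audit log and block the request.
SecRule MULTIPART_INVALID_QUOTING "!@eq 0" \
    "phase:2,t:none,log,auditlog,deny,status:400,msg:'Multipart invalid quoting'"

# Surface any internal engine flag (e.g. MSC_PCRE_LIMITS_EXCEEDED) using the
# TX:/regex/ syntax that 2.5.12 fixed. Runs in phase 5 so it observes flags set
# by rules in any earlier phase; rule ids are optional in the 2.5.x series.
SecRule TX:/^MSC_/ "!@streq 0" \
    "phase:5,t:none,pass,log,msg:'ModSecurity internal flag set: %{MATCHED_VAR_NAME}'"
```

Because the MSC_ check only logs, pair it with a phase 2 deny rule if the site should refuse requests whose regex evaluation was cut short by the match limits.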
