pkgsrc-Bugs archive


pkg/44745: security/ap-modsecurity2 upgrade



>Number:         44745
>Category:       pkg
>Synopsis:       security/ap-modsecurity2 upgrade
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 19 18:30:00 +0000 2011
>Originator:     matthew sporleder
>Release:        5.0.2
>Organization:
mspo.com
>Environment:
amd64
>Description:
ap-modsecurity2 seems to have some issues.  I have removed patch-aa, added some 
dependencies, upgraded the pkg, and defined a license.


29 Nov 2010 - 2.5.13
--------------------

 * Cleaned up some mlogc code and debugging output.

 * Remove the ability to use a relative path to a piped audit logger
   (i.e. mlogc) as Apache does not support it in their piped loggers
   and it was breaking Windows and probably other platforms that
   use spaces in filesystem paths.  Discovered by Tom Donovan.

 * Fix memory leak freeing regex.  Discovered by Tom Donovan.

 * Fix some portability issues on Windows.

 * Fixed Geo lookup concurrent connections bug

 * Fixed Skip/SkipAfter chain bug

 * Added a new setvar Lua API for use in Lua scripts

 * Added PCRE messages indicating each rule that exceeds match limits

 * Added new Base64 transformation function called base64DecodeEx, which
   can decode base64 data skipping special characters.

 * Add SecReadStateLimit to limit the number of concurrent threads in BUSY
   connections per IP address

 * Fixed redirect action was not expanding macros in chained rules



04 Feb 2010 - 2.5.12
--------------------

 * Fixed SecUploadFileMode to set the correct mode.

 * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

 * Added additional file info definitions introduced in APR 0.9.5 so that
   build will work with older APRs (IBM HTTP Server v6).

 * Added SecUploadFileLimit to limit the number of uploaded file parts that
   will be processed in a multipart POST.  The default is 100.

 * Fixed path normalization to better handle backreferences that extend
   above root directories.  Reported by Sogeti/ESEC R&D.

 * Trim whitespace around phrases used with @pmFromFile and allow
   for both LF and CRLF terminated lines.

 * Allow for more robust parsing for multipart header folding.  Reported
   by Sogeti/ESEC R&D.

 * Fixed failure to match internally set TX variables with regex
   (TX:/.../) syntax.
 
 * Fixed failure to log full internal TX variable names and populate
   MATCHED_VAR* vars.

 * Enabled PCRE "studying" by default.  This is now a configure-time option.

 * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
   aid against ReDoS type attacks.  A rule that goes over the limits will set
   TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
   of ModSecurity (2.6.x) will move these flags to a dedicated collection.

 * Reduced default PCRE match limits reducing impact of REDoS on poorly
   written regex rules.  Reported by Sogeti/ESEC R&D.

 * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.

 * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

 * Update copyright to 2010.

 * Reserved 700,000-799,999 IDs for Ivan Ristic.

 * Fixed SecAction not working when CONNECT request method is used
   (MODSEC-110). [Ivan Ristic]

 * Do not escape quotes in macro resolution and only escape NUL in setenv
   values.
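A configuration fragment that puts the 2.5.12 and 2.5.13 limits listed above to use. It is added here as an illustration and is not taken from the ModSecurity distribution or the pkgsrc package; the numeric values and the rule message are assumptions.

```apache
# Added example (not from the ModSecurity distribution): the hardening
# directives introduced in 2.5.12/2.5.13, as described in the changelog.

# Upper bounds for the PCRE matcher (2.5.12). Values are assumptions.
# A rule that hits either limit stops matching and the engine sets
# TX:MSC_PCRE_LIMITS_EXCEEDED instead of consuming CPU indefinitely.
SecPcreMatchLimit          1000
SecPcreMatchLimitRecursion 1000

# Cap the number of parts processed in a multipart POST (2.5.12; 100 is
# the documented default).
SecUploadFileLimit 100

# Cap concurrent connections in BUSY state per client address (2.5.13).
# The value is an assumption.
SecReadStateLimit 50

# Place this after the regex-based rules of the same phase: it fires when
# one of them exceeded the PCRE limits on the current request. 'pass' only
# logs; use 'deny' to block such requests.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "phase:2,t:none,log,pass,msg:'PCRE match limits exceeded in a previous rule'"
```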


04 Nov 2009 - 2.5.11
--------------------

 * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
   set true if any invalid quoting is found during multipart parsing.

 * Fixed parsing quoted strings in multipart Content-Disposition headers.
   Discovered by Stefan Esser.

 * Cleanup persistence database locking code.

 * Added warning during configure if libcurl is found linked against
   gnutls for SSL.  The openssl lib is recommended as gnutls has
   proven to cause issues with mutexes and may crash.

 * Cleanup some mlogc (over)logging.

 * Do not log output filter errors in the error log.

 * Moved output filter to run before other stock filters (mod_deflate,
   mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
   in the response.  Patch originally submitted by Ivan Ristic.



18 Sep 2009 - 2.5.10
--------------------

 * Cleanup mlogc so that it builds on Windows.

 * Added more detailed messages to replace "Unknown error" in filters.

 * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
   auditlog permissions (especially with mpm-itk).

 * Cleanup SecUploadFileMode implementation.

 * Cleanup build scripts.

 * Fixed crash on configuration if SecMarker is used before any rules.

 * Fixed SecRuleUpdateActionById so that it will work on chain starters.

 * Cleanup build system for mlogc.

 * Allow mlogc to periodically flush memory pools.

 * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
   nothing to the error log.  Prior versions dropped the "Message:" line from
   both logs.  To do this now, just use "nolog" or "nolog,noauditlog".

 * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
   issues with some libcurl versions.

 * Fixed mlogc issue seen on big endian machines where content type
   could be listed as zero.

 * Removed extra newline from audit log message line when logging XML errors.
   This was causing problems parsing audit logs.

 * Fixed @pm/@pmFromFile case insensitivity.


 * Truncate long parameters in log message for "Match of ... against ...
   required" messages.

 * Correctly resolve chained rule actions in logs.

 * Cleanup some code for portability.

 * AIX does not support hidden visibility with the xlc compiler.

 * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
   values for non-gcc compilers.

 * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.

 * Handle a newer geo database more gracefully, avoiding a potential crash for
   new countries that ModSecurity is not yet aware of.

 * Allow checking &GEO "@eq 0" for a failed @geoLookup.

 * Fixed mlogc global mutex locking issue and added more debugging output.

 * Cleaned up build dependencies and configure options.

>How-To-Repeat:

>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/ap-modsecurity2/Makefile,v
retrieving revision 1.15
diff -r1.15 Makefile
3c3
< DISTNAME=     modsecurity-apache_2.5.9
---
> DISTNAME=     modsecurity-apache_2.5.13
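Review bot: the DISTNAME bump from 2.5.9 to 2.5.13 covers four upstream releases, and the notes pasted above include a fix for quoted-string parsing in multipart Content-Disposition headers (2.5.11) and PCRE match limits against ReDoS (2.5.12), so the commit message should mark this as a security update; it should also state why patch-aa is no longer needed (merged upstream, or obsoleted by the new configure arguments), since nothing in the diff records that.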
6a7
> LICENSE=      gnu-gpl-v2
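Review bot: LICENSE= gnu-gpl-v2 should be checked against the license file shipped in modsecurity-apache_2.5.13.tar.gz before commit; the pasted changelog mentions no license change, so the value is plausible, but a multi-release bump is where license drift goes unnoticed.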
25a27,29
> CONFIGURE_ARGS+=        --with-lua=${PREFIX}
> CONFIGURE_ARGS+=        --with-apr=${PREFIX}
> CONFIGURE_ARGS+=        --with-apu=${PREFIX}
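Review bot: the three --with-*=${PREFIX} arguments assume the dependencies live under the installation prefix; pkgsrc convention for buildlinked packages is ${BUILDLINK_PREFIX.lua}, ${BUILDLINK_PREFIX.apr} and ${BUILDLINK_PREFIX.apr-util}, which resolve to wherever those packages are actually installed, e.g. `CONFIGURE_ARGS+= --with-lua=${BUILDLINK_PREFIX.lua}`.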
48a53,55
> .include "../../lang/lua/buildlink3.mk"
> .include "../../devel/apr/buildlink3.mk"
> .include "../../devel/apr-util/buildlink3.mk"
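Review bot: the three .include lines match the CONFIGURE_ARGS hunk, but Lua becomes an unconditional hard dependency here; if Lua scripting is optional in the upstream configure, a PKG_OPTIONS knob with lua as a non-default option would keep the default install smaller. Also worth confirming whether the Apache module framework already pulls in devel/apr and devel/apr-util, in which case those two includes are redundant.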
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/ap-modsecurity2/distinfo,v
retrieving revision 1.6
diff -r1.6 distinfo
3,6c3,5
< SHA1 (modsecurity-apache_2.5.9.tar.gz) = 
875919332a918956371fe8e2f7e46d88081857cf
< RMD160 (modsecurity-apache_2.5.9.tar.gz) = 
adab10e5eab50f0d114e3ccb47c343e744119c8f
< Size (modsecurity-apache_2.5.9.tar.gz) = 1252295 bytes
< SHA1 (patch-aa) = 19642ee3f22bd502208ee868cf24fb050bd2c56d
---
> SHA1 (modsecurity-apache_2.5.13.tar.gz) = 
> dff3dc2b360aeb4a4feebc94ff3d507a4dfad0cf
> RMD160 (modsecurity-apache_2.5.13.tar.gz) = 
> 2e7be42d5a755acc888ef28cf44598cc2540a207
> Size (modsecurity-apache_2.5.13.tar.gz) = 1421293 bytes
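Review bot: the SHA1 and RMD160 lines are split across two lines (digest on the line after "= "), which is not valid distinfo syntax; this looks like mail wrapping, but rather than editing by hand the safe route is to regenerate the file with `make distinfo` after the DISTNAME bump. Dropping the SHA1 (patch-aa) entry also needs a matching `cvs remove patches/patch-aa`; the `cvs diff: cannot find patches/patch-aa` output below shows the file was deleted in the working copy only, so its removal is not captured by this diff.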

Remove patch-aa..
cvs diff: Diffing patches
cvs diff: cannot find patches/patch-aa


