rpms/mod_security/EL-4 .cvsignore, 1.7, 1.8 mod_security.conf, 1.3, 1.4 mod_security.spec, 1.13, 1.14 sources, 1.8, 1.9

Michael G. Fleming (mfleming) fedora-extras-commits at redhat.com
Sat Aug 4 00:19:41 UTC 2007


Author: mfleming

Update of /cvs/extras/rpms/mod_security/EL-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21685

Modified Files:
	.cvsignore mod_security.conf mod_security.spec sources 
Log Message:
Build a version for EL4 supported by upstream :-)




Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/mod_security/EL-4/.cvsignore,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- .cvsignore	19 Jun 2007 10:04:06 -0000	1.7
+++ .cvsignore	4 Aug 2007 00:19:09 -0000	1.8
@@ -1,2 +1,3 @@
-modsecurity-apache_1.9.5.tar.gz
+modsecurity-apache_2.1.1.tar.gz
 mod_security.conf
+modsecurity_localrules.conf


Index: mod_security.conf
===================================================================
RCS file: /cvs/extras/rpms/mod_security/EL-4/mod_security.conf,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- mod_security.conf	9 Jul 2005 11:58:44 -0000	1.3
+++ mod_security.conf	4 Aug 2007 00:19:09 -0000	1.4
@@ -1,107 +1,38 @@
 # Example configuration file for the mod_security Apache module
 
-LoadModule security_module modules/mod_security.so
+LoadFile LIBDIR/libxml2.so.2
 
-<IfModule mod_security.c>
+LoadModule security2_module modules/mod_security2.so
+LoadModule unique_id_module modules/mod_unique_id.so
 
-    # Turn the filtering engine On or Off
-    SecFilterEngine On
+<IfModule mod_security2.c>
+	# This is the ModSecurity Core Rules Set.
+	
+	# Basic configuration goes in here
+	Include modsecurity.d/modsecurity_crs_10_config.conf
+	
+	# Protocol violation and anomalies.
+	
+	Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
+	Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
+	
+	# HTTP policy rules
+	
+	Include modsecurity.d/modsecurity_crs_30_http_policy.conf
+
+	# Here comes the Bad Stuff...
+	
+	Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
+	Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
+	Include modsecurity.d/modsecurity_crs_45_trojans.conf
+	Include modsecurity.d/modsecurity_crs_50_outbound.conf
+
+	# Search engines and other crawlers. Only useful if you want to track
+	# Google / Yahoo et. al.
+	
+	# Include modsecurity.d/modsecurity_crs_55_marketing.conf
+	
+	# Put your local rules in here.
 
-    # The audit engine works independently and
-    # can be turned On of Off on the per-server or
-    # on the per-directory basis
-    SecAuditEngine RelevantOnly
-
-    # Make sure that URL encoding is valid
-    SecFilterCheckURLEncoding On
-    
-    # Unicode encoding check
-    SecFilterCheckUnicodeEncoding On
-    
-    # Only allow bytes from this range
-    SecFilterForceByteRange 1 255
-
-    # Cookie format checks.
-    SecFilterCheckCookieFormat On	
- 
-    # The name of the audit log file
-    SecAuditLog logs/audit_log
-
-    # Should mod_security inspect POST payloads
-    SecFilterScanPOST On
-
-    # Default action set
-    SecFilterDefaultAction "deny,log,status:406"
-
-    # Simple example filter
-    # SecFilter 111
-   
-    # Prevent path traversal (..) attacks
-    # SecFilter "\.\./"
-
-    # Weaker XSS protection but allows common HTML tags
-    # SecFilter "<( |\n)*script"
-
-    # Prevent XSS atacks (HTML/Javascript injection)
-    # SecFilter "<(.|\n)+>"
-
-    # Very crude filters to prevent SQL injection attacks
-    # SecFilter "delete[[:space:]]+from"
-    # SecFilter "insert[[:space:]]+into"
-    # SecFilter "select.+from"
-
-    # Require HTTP_USER_AGENT and HTTP_HOST headers
-    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
-
-    # Only accept request encodings we know how to handle
-    # we exclude GET requests from this because some (automated)
-    # clients supply "text/html" as Content-Type
-    SecFilterSelective REQUEST_METHOD "!^GET$" chain
-    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
-
-    # Require Content-Length to be provided with
-    # every POST request
-    SecFilterSelective REQUEST_METHOD "^POST$" chain
-    SecFilterSelective HTTP_Content-Length "^$"
-
-    # Don't accept transfer encodings we know we don't handle
-    # (and you don't need it anyway)
-    SecFilterSelective HTTP_Transfer-Encoding "!^$"
-
-    # Some common application-related rules from
-    # http://modsecrules.monkeydev.org/rules.php?safety=safe
-
-    #Nuke Bookmarks XSS
-    SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
-    #Nuke Bookmarks Marks.php SQL Injection Vulnerability
-    SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
-
-    #PHPNuke general XSS attempt
-    #/modules.php?name=News&file=article&sid=1&optionbox=
-    SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
-
-    # PHPNuke SQL injection attempt
-    SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
-
-    #phpnuke sql insertion
-    SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
-    # WEB-PHP phpbb quick-reply.php arbitrary command attempt
-
-    SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
-    SecFilter "phpbb_root_path="
-
-    #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
-    SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
-    
-    # phpMyAdmin: Safe
-
-    #phpMyAdmin Export.PHP File Disclosure Vulnerability
-    SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
-    SecFilterSelective ARG_what "\.\."
-
-    #phpMyAdmin path vln
-    SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
-    	
+	Include modsecurity.d/modsecurity_localrules.conf
 </IfModule>
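Review bot: With the explicit `SecFilterEngine`, `SecAuditEngine`, `SecAuditLog` and `SecFilterDefaultAction` lines removed, nothing in this file shows whether the engine is on, whether it blocks or only logs, or where the audit log is written. Those settings presumably now live in `modsecurity.d/modsecurity_crs_10_config.conf`, which is not part of this diff. A comment above the first Include would help administrators upgrading from 1.9.x, for example `# Engine mode, default action and audit logging are set in modsecurity_crs_10_config.conf; review it before relying on blocking.` The comment above the local-rules Include could also say that 1.x `SecFilter*` rules must be rewritten as 2.x `SecRule` before being placed there.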


Index: mod_security.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_security/EL-4/mod_security.spec,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- mod_security.spec	19 Jun 2007 10:04:06 -0000	1.13
+++ mod_security.spec	4 Aug 2007 00:19:09 -0000	1.14
@@ -1,15 +1,16 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 1.9.5
+Version: 2.1.1
 Release: 1%{?dist}
 License: GPL
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
 Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
+Source2: modsecurity_localrules.conf
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: httpd  httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
-BuildRequires: httpd-devel
+Requires: libxml2 pcre httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
+BuildRequires: httpd-devel libxml2-devel pcre-devel
 
 %description
 ModSecurity is an open source intrusion detection and prevention engine
@@ -18,37 +19,71 @@
 
 %prep
 
-%setup -q -n modsecurity-apache_%{version}
+%setup -n modsecurity-apache_%{version}
 
 %build
-/usr/sbin/apxs -Wc,"%{optflags}" -c apache2/mod_security.c
+make -C apache2 CFLAGS="%{optflags}" top_dir="%{_libdir}/httpd"
+perl -pi.orig -e 's|LIBDIR|%{_libdir}|;' %{SOURCE1}
 
 %install
 rm -rf %{buildroot}
-mkdir -p %{buildroot}%{_libdir}/httpd/modules/
-mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/
-install -p apache2/.libs/mod_security.so %{buildroot}/%{_libdir}/httpd/modules/
-install -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/
+install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
+install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf
+install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/blocking/
+cp -r rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+cp -r rules/blocking/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/blocking/
+install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf
 
 %clean
 rm -rf %{buildroot}
 
 %files
 %defattr (-,root,root)
-%doc CHANGES LICENSE INSTALL README httpd* util doc
-%{_libdir}/httpd/modules/mod_security.so
+%doc CHANGES LICENSE README.* modsecurity* doc
+%{_libdir}/httpd/modules/mod_security2.so
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf
+%dir %{_sysconfdir}/httpd/modsecurity.d
+%dir %{_sysconfdir}/httpd/modsecurity.d/blocking
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/blocking/*.conf
+
 
 %changelog
-* Mon May 15 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.5-1
-- [Security] New upstream release fixes ASCIIZ bug
-- 
+* Tue Jun 19 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.1-1
+- New upstream release
+- Drop ASCIIZ rule (fixed upstream)
+- Re-enable protocol violation/anomalies rules now that REQUEST_FILENAME
+  is fixed upstream.
+
+* Sun Apr 1 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-3
+- Automagically configure correct library path for libxml2 library.
+- Add LoadModule for mod_unique_id as the logging wants this at runtime
+
+* Mon Mar 26 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-2
+- Fix DSO permissions (bz#233733)
+
+* Tue Mar 13 2007 Michael Fleming <mfleming+rpm at enlartenment.com> 2.1.0-1
+- New major release - 2.1.0
+- Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic
+- Addition of core ruleset
+- (Build)Requires libxml2 and pcre added.
+
+* Sun Sep 3 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.4-2
+- Rebuild
+- Fix minor longstanding braino in included sample configuration (bz #203972)
+
 * Mon May 15 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.4-1
 - New upstream release
 
-* Sat Apr 15 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.3-2
+* Tue Apr 11 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.3-1
 - New upstream release
-- Minor spec tweaks.
+- Trivial spec tweaks
+
+* Wed Mar 1 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.2-3
+- Bump for FC5
+
+* Fri Feb 10 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.2-2
+- Bump for newer gcc/glibc
 
 * Wed Jan 18 2006 Michael Fleming <mfleming+rpm at enlartenment.com> 1.9.2-1
 - New upstream release
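Review bot: The `perl -pi.orig` line in %build rewrites `%{SOURCE1}` in place, so it modifies the file in the SOURCES directory and leaves a `.orig` copy beside it, instead of working on a build-local copy. After the first build that file no longer matches the checksum recorded for `mod_security.conf` in `sources`, and a later build from the same tree with a different `%{_libdir}` finds no `LIBDIR` token left to substitute. Writing the substituted copy into the build tree avoids this: `sed 's|LIBDIR|%{_libdir}|' %{SOURCE1} > mod_security.conf` in %build, then `install -D -m644 mod_security.conf %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf` in %install. Separately, the two `cp -r rules/...` lines keep whatever file modes the tarball ships, whereas `install -m644` would pin the rule files' permissions explicitly.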


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/mod_security/EL-4/sources,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- sources	19 Jun 2007 10:04:06 -0000	1.8
+++ sources	4 Aug 2007 00:19:09 -0000	1.9
@@ -1,2 +1,3 @@
-83f56cce4207d02b93ff60870bf1204f  modsecurity-apache_1.9.5.tar.gz
-f4c15d94ff5ab3b1dda882be9f01fb23  mod_security.conf
+ab74ed5f320ffc4ed9f56487bf17c670  modsecurity-apache_2.1.1.tar.gz
+f84917a3f4893b8bf9400755a1a9f883  mod_security.conf
+80dc93f186cab170828d0ac621baac30  modsecurity_localrules.conf



