Changelog for apache2-mod_security2-debugsource-2.7.5-14.4.1.i586.rpm:
* Tue Jul 30 2013 draht@suse.de
- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object.
- fixes contained for the following bugs:
* CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
* [bnc#768293] multi-part bypass, minor threat
* CVE-2013-1915 [bnc#813190] XML external entity vulnerability
* CVE-2012-4528 [bnc#789393] rule bypass
* CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer to hashes. See CHANGES file for more details.
* new directive SecXmlExternalEntity, default off
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition headers fixed.
* SDBM deadlock fix
* @rsub memory leak fix
* cookie separator code improvements
* build failure fixes
* compile time option --enable-htaccess-config (set)
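The entry above states two operational requirements that are easy to get wrong after an upgrade: mod_unique_id must be loaded for mod_security2 to run, and the new SecXmlExternalEntity directive defaults to off (the setting behind the CVE-2013-1915 XXE fix). The following audit script is an added example, not part of the SUSE package or of ModSecurity itself. It walks an in-memory map of Apache config files (a constructed stand-in for the real tree), follows Include lines, and reports when unique_id_module is missing, when SecXmlExternalEntity has been switched On, or when rule files under /etc/apache2/mod_security2.d/ are included before the CRS setup file, contrary to the load order the changelog describes. The LoadModule-based detection and the sample file contents are assumptions for illustration.

```python
"""Audit an Apache/mod_security2 config tree for the prerequisites named in the
package changelog. Example code, not part of the package; the config map below
is constructed sample input."""
import fnmatch
import re
from typing import Dict, List

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*(Sec\w+)\s+(.+?)\s*$", re.IGNORECASE)

# Paths quoted from the changelog: the CRS setup file must load before rule files.
CRS_SETUP = "/usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf"
RULE_DIR_GLOB = "/etc/apache2/mod_security2.d/*.conf"


def walk_config(files: Dict[str, str], start: str) -> dict:
    """Follow Include lines from `start`, recording file load order, loaded
    modules and every Sec* directive with the file it came from."""
    state = {"order": [], "modules": set(), "directives": []}
    visited = set()

    def visit(path: str) -> None:
        if path in visited or path not in files:  # unknown or already-seen file
            return
        visited.add(path)
        state["order"].append(path)
        for line in files[path].splitlines():
            if line.lstrip().startswith("#"):  # comment line
                continue
            m = LOADMODULE_RE.match(line)
            if m:
                state["modules"].add(m.group(1))
                continue
            m = INCLUDE_RE.match(line)
            if m:
                # Include may carry a glob; expand it against the known files.
                for target in sorted(fnmatch.filter(files, m.group(1))):
                    visit(target)
                continue
            m = DIRECTIVE_RE.match(line)
            if m:
                state["directives"].append((path, m.group(1), m.group(2)))

    visit(start)
    return state


def audit(files: Dict[str, str], start: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    state = walk_config(files, start)
    findings = []
    if "unique_id_module" not in state["modules"]:
        findings.append("mod_unique_id is not loaded; mod_security2 needs it to run")
    if "security2_module" not in state["modules"]:
        findings.append("mod_security2 (security2_module) is not loaded")
    for path, name, value in state["directives"]:
        if name.lower() == "secxmlexternalentity" and value.strip().lower() == "on":
            findings.append(f"{path}: SecXmlExternalEntity is On (package default is Off)")
    order = state["order"]
    rule_files = [p for p in order if fnmatch.fnmatch(p, RULE_DIR_GLOB)]
    if rule_files and CRS_SETUP not in order:
        findings.append("rule files are loaded but the CRS setup file is never included")
    elif rule_files and order.index(CRS_SETUP) > order.index(rule_files[0]):
        findings.append("rule files in mod_security2.d/ are included before the CRS setup file")
    return findings


START = "/etc/apache2/httpd.conf"

# Constructed sample tree with three problems: no mod_unique_id, rule files
# included ahead of the CRS setup file, and XXE processing switched on.
WEAK_TREE = {
    START: "LoadModule security2_module /usr/lib64/apache2/mod_security2.so\n"
           "Include /etc/apache2/conf.d/mod_security2.conf\n",
    "/etc/apache2/conf.d/mod_security2.conf":
        f"Include {RULE_DIR_GLOB}\nInclude {CRS_SETUP}\n",
    CRS_SETUP: "SecRuleEngine On\n",
    "/etc/apache2/mod_security2.d/10-local.conf": "SecXmlExternalEntity On\n",
}

# Same tree with the three problems corrected.
FIXED_TREE = {
    START: "LoadModule unique_id_module /usr/lib64/apache2/mod_unique_id.so\n"
           "LoadModule security2_module /usr/lib64/apache2/mod_security2.so\n"
           "Include /etc/apache2/conf.d/mod_security2.conf\n",
    "/etc/apache2/conf.d/mod_security2.conf":
        f"Include {CRS_SETUP}\nInclude {RULE_DIR_GLOB}\n",
    CRS_SETUP: "SecRuleEngine On\n",
    "/etc/apache2/mod_security2.d/10-local.conf": "SecXmlExternalEntity Off\n",
}

if __name__ == "__main__":
    for label, tree in (("weak", WEAK_TREE), ("fixed", FIXED_TREE)):
        print(label, audit(tree, START) or "OK")
```

Pointing `walk_config` at real files is a matter of replacing the dict with a loader that reads the paths from disk; the checks themselves stay the same.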
* Thu May 14 2009 mrueckert@suse.de
- update to version 2.5.9
  - Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
  - Added ability to specify the config script directly using --with-apr and --with-apu.
  - Added macro expansion for append/prepend action.
  - Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
  - Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.
- additional changes from 2.5.8
  - Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
  - Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when denying with nolog/noauditlog set and causing the request to be audited.
- additional changes from 2.5.7
  - Fixed XML DTD/Schema validation which will now fail after request body processing errors, even if the XML parser returns a document tree.
  - Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force the REQUEST_BODY variable to be set when a request body processor is not set. Previously the REQUEST_BODY target was only populated by the URLENCODED request body processor.
  - Integrated mlogc source.
  - Fixed logging the hostname in the error_log which was logging the request hostname instead of the Apache resolved hostname.
  - Allow for disabling request body limit checks in phase:1.
  - Added transformations for processing parity for legacy protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
  - Added t:cssDecode transformation to decode CSS escapes.
  - Now log XML parsing/validation warnings and errors to be in the debug log at levels 3 and 4, respectively.
- build and package mlogc
- remove --with-apxs from the configure args as it breaks the build; configure now finds our apxs2
* Fri Jan 23 2009 skh@suse.de
- fix broken config [bnc#457200]
* Mon Sep 15 2008 skh@suse.de
- update to version 2.5.6
- initial submit to FACTORY
* Mon May 12 2008 jg@internetx.de
- update to 2.1.7
* Sun Feb 03 2008 jg@internetx.de
- update to 2.1.6
* Wed Aug 08 2007 mrueckert@suse.de
- update to 2.1.2
* Mon Apr 16 2007 mrueckert@suse.de
- update to 2.1.1
- switched to perl based patching instead of cmdline params for make
* Fri Sep 22 2006 poeml@suse.de
- fix build (./install had vanished)