Changelog for apache2-mod_security2-2.9.0-61.3.x86_64.rpm:
Wed Jul 29 14:00:00 2015 pgajdosAATTsuse.com
- fix build for lua 5.3
+ apache2-mod_security2-lua-5.3.patch

Thu Jul 16 14:00:00 2015 pgajdosAATTsuse.com
- Requires: %{apache_suse_maintenance_mmn}
This will pull this module to the update (in released distribution)
when apache maintainer thinks it is good (due api/abi changes).

Mon Mar 2 13:00:00 2015 tchvatalAATTsuse.com
- Remove useless comment lines/whitespace

Tue Feb 24 13:00:00 2015 crrodriguezAATTopensuse.org
- spec, build: Respect optflags
- spec: buildrequire pkgconfig
- modsecurity-fixes.patch: mod_security fails at:

* building with optflags enabled due to undefined behaviour
and implicit declarations.

* It abuses the apr_allocator api, creating one allocator
per request and then destroying it, flooding the system
with mmap(), munmap requests, this is particularly nasty
with threaded mpms. It should instead use the allocator
from the request pool.

Sat Feb 14 13:00:00 2015 thomas.wormAATTsicsec.de
- Raised to version 2.9.0
- Updated patch: apache2-mod_security2-no_rpath.diff
(adapted lines)

Mon Nov 3 13:00:00 2014 pgajdosAATTsuse.com
- call spec-cleaner
- use apache rpm macros

Wed Aug 27 14:00:00 2014 drahtAATTsuse.de
- Portability: provide /etc/apache2/mod_security2.d/empty.conf
to avoid a non-match of the file-glob in the Include statement
from /etc/apache2/conf.d/mod_security2.conf . This restores
the Include back from the IncludeOptional, which is not portable.
- Source URL set to (expanded)
https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

Mon Aug 25 14:00:00 2014 thomas.wormAATTsicsec.de
- Fixed spec file to work with older distribution versions.
Before openSuSE 13.1 aclocal doesn't work, instead autoreconf
has to be called.

Mon Jul 7 14:00:00 2014 drahtAATTsuse.de
- last changelog does not say that
apache2-mod_security2-libtool-fix.diff was obsoleted.

Mon Jun 16 14:00:00 2014 drahtAATTsuse.de
- BuildRequires: libtool missing

Mon Jun 16 14:00:00 2014 drahtAATTsuse.de
- apache2-mod_security2-libtool-fix.diff: initialize libtool.

Mon Jun 16 14:00:00 2014 drahtAATTsuse.de
- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
in autoconf m4 macros. Obsoletes patch
modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build

Thu Jun 12 14:00:00 2014 drahtAATTsuse.de
- OWASP rule set. [bnc#876878]
new in 2.8.0 (more complete changelog to add to last changelog):

* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
now support white and suspicious list

* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH

* GPLv2 replaced by Apache License v2

* rules are not part of the source tarball any longer, but
maintained upstream externally, and included in this package.

* documentation was externalized to a wiki. Package contains
the FAQ and the reference manual in html form.

* renamed the term "Encryption" in directives that actually refer
to hashes. See CHANGES file for more details.

* byte conversion issues on s390x when logging fixed.

* many small issues fixed that were discovered by a Coverity scanner

* updated reference manual

* wrong time calculation when logging for some timezones fixed.

* replaced time-measuring mechanism with finer granularity for
measured request/answer phases. (Stopwatch remains for compat.)

* cookie parser memory leak fix

* parsing of quoted strings in multipart Content-Disposition
headers fixed.

Thu May 1 14:00:00 2014 thomas.wormAATTsicsec.de
- Raised to version 2.8.0.
- updated patches:

* modsecurity-apache_2.8.0-build_fix_pcre.diff
-> modsecurity-apache_2.7.7-build_fix_pcre.diff

Sat Jan 25 13:00:00 2014 thomas.wormAATTsicsec.de
- Raised to version 2.7.7.
- modified patches:

* modsecurity-apache_2.7.5-build_fix_pcre.diff,
renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff.

Thu Jan 23 13:00:00 2014 ajAATTajaissle.de
- Use correct source Url

Fri Aug 2 14:00:00 2013 drahtAATTsuse.de
- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads
/usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
then /etc/apache2/mod_security2.d/*.conf, as set up based on
advice in /etc/apache2/conf.d/mod_security2.conf
Your configuration starting point is
/etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous
linker parameter, preventing rpath in shared object.
- fixes contained for the following bugs:

* CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling

* [bnc#768293] multi-part bypass, minor threat

* CVE-2013-1915 [bnc#813190] XML external entity vulnerability

* CVE-2012-4528 [bnc#789393] rule bypass

* CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:

* GPLv2 replaced by Apache License v2

* rules are not part of the source tarball any longer, but
maintained upstream externally, and included in this package.

* documentation was externalized to a wiki. Package contains
the FAQ and the reference manual in html form.

* renamed the term "Encryption" in directives that actually refer
to hashes. See CHANGES file for more details.

* new directive SecXmlExternalEntity, default off

* byte conversion issues on s390x when logging fixed.

* many small issues fixed that were discovered by a Coverity scanner

* updated reference manual

* wrong time calculation when logging for some timezones fixed.

* replaced time-measuring mechanism with finer granularity for
measured request/answer phases. (Stopwatch remains for compat.)

* cookie parser memory leak fix

* parsing of quoted strings in multipart Content-Disposition
headers fixed.

* SDBM deadlock fix

* @rsub memory leak fix

* cookie separator code improvements

* build failure fixes

* compile time option --enable-htaccess-config (set)

Mon Aug 27 14:00:00 2012 cfarrellAATTsuse.com
- license update: Apache-2.0 and GPL-2.0
Many of the files in the rules/ subdirectory are GPL-2.0 licensed

Mon Aug 6 14:00:00 2012 crrodriguezAATTopensuse.org
- Update to version 2.6.7, fixes build in apache 2.4
- Update spec file macros.

Sat Sep 17 14:00:00 2011 jengelhAATTmedozas.de
- Remove redundant tags/sections from specfile
- Use %_smp_mflags for parallel build

Wed Jul 6 14:00:00 2011 drahtAATTsuse.de
- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
- SecUnicodeCodePage and SecUnicodeMapFile directives added
- fixed bug: SecRequestBodyLimit was truncating the real request
body
additional fixes from 2.6.0:
- buffering filter problems fixed
- memory leak fix when using MATCHED_VAR_NAMES
- SecWriteStateLimit added against slow DoS
additional fixes from 2.6.0 release candidates:
- optimizations
- bug in logging code fixed
- cleanup
- google safe browsing support

Thu May 14 14:00:00 2009 mrueckertAATTsuse.de
- update to version 2.5.9
- Fixed parsing multipart content with a missing part header name
which would crash Apache. Discovered by "Internet Security
Auditors" (isecauditors.com).
- Added ability to specify the config script directly using
--with-apr and --with-apu.
- Added macro expansion for append/prepend action.
- Fixed race condition in concurrent updates of persistent
counters. Updates are now atomic.
- Cleaned up build, adding an option for verbose configure output
and making the mlogc build more portable.
- additional changes from 2.5.8
- Fixed PDF XSS issue where a non-GET request for a PDF file
would crash the Apache httpd process. Discovered by Steve
Grubb at Red Hat.
- Removed an invalid "Internal error: Issuing "%s" for
unspecified error." message that was logged when denying with
nolog/noauditlog set and causing the request to be audited.
- additional changes from 2.5.7
- Fixed XML DTD/Schema validation which will now fail after
request body processing errors, even if the XML parser returns
a document tree.
- Added ctl:forceRequestBodyVariable=on|off which, when enabled,
will force the REQUEST_BODY variable to be set when a request
body processor is not set. Previously the REQUEST_BODY target
was only populated by the URLENCODED request body processor.
- Integrated mlogc source.
- Fixed logging the hostname in the error_log which was logging
the request hostname instead of the Apache resolved hostname.
- Allow for disabling request body limit checks in phase:1.
- Added transformations for processing parity for legacy
protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
t:parityZero7bit
- Added t:cssDecode transformation to decode CSS escapes.
- Now log XML parsing/validation warnings and errors to be in the
debug log at levels 3 and 4, respectively.
- build and package mlogc
- remove --with-apxs from the configure args as it breaks the build
configure now finds our apxs2

Fri Jan 23 13:00:00 2009 skhAATTsuse.de
- fix broken config [bnc#457200]

Mon Sep 15 14:00:00 2008 skhAATTsuse.de
- update to version 2.5.6
- initial submit to FACTORY

Mon May 12 14:00:00 2008 jgAATTinternetx.de
- update to 2.1.7

Sun Feb 3 13:00:00 2008 jgAATTinternetx.de
- update to 2.1.6

Wed Aug 8 14:00:00 2007 mrueckertAATTsuse.de
- update to 2.1.2

Mon Apr 16 14:00:00 2007 mrueckertAATTsuse.de
- update to 2.1.1
- switched to perl based patching instead of cmdline params for make

Fri Sep 22 14:00:00 2006 poemlAATTsuse.de
- fix build (./install was vanished)


 