Changelog for apache2-mod_security2-debugsource-2.9.7-lp160.1.3.x86_64.rpm :

* Tue Jun 04 2024 pgajdos@suse.com
- %autopatch instead of %patchN
- modified patches % apache2-mod_security2-no_rpath.diff (refreshed)
* Tue Jun 04 2024 Dominique Leuenberger
- Fix patch application syntax: Use %patch -P N instead of deprecated %patchN.
* Tue May 07 2024 pgajdos@suse.com
- added patches fix fix build with gcc14 + apache2-mod_security2-gcc14.patch
* Tue Feb 20 2024 Dominique Leuenberger
- Use %patch -P N instead of deprecated %patchN.
* Sat Jul 15 2023 Dirk Müller
- update to 2.9.7:
* Fix: FILES_TMP_CONTENT may sometimes lack complete content
* Support configurable limit on number of arguments processed
* Silence compiler warning about discarded const
* Support for JIT option for PCRE2
* Use uid for user if apr_uid_name_get() fails
* Fix: handle error with SecConnReadStateLimit configuration
* Only check for pcre2 install if required
* Adjustment of previous fix for log messages
* Mark apache error log messages as from mod_security2
* Use pkg-config to find libxml2 first
* Support for PCRE2 in mlogc
* Support for PCRE2
* Adjust parser activation rules in modsecurity.conf-recommended
* Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
* Limit rsub null termination to where necessary
* IIS: Update dependencies for next planned release
* XML parser cleanup: NULL duplicate pointer
* Properly cleanup XML parser contexts upon completion
* Fix memory leak in streams
* Fix: negative usec on log line when data type long is 32b
* mlogc log-line parsing fails due to enhanced timestamp
* Allow no-key, single-value JSON body
* Set SecStatusEngine Off in modsecurity.conf-recommended
* Fix memory leak that occurs on JSON parsing error
* Multipart names/filenames may include single quote if double-quote enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
* IIS: Update dependencies for Windows build as of v2.9.5
* Support configurable limit on depth of JSON parsing
* Mon Jul 19 2021 Danilo Spinella
- Update to 2.9.4:
* Add microsec timestamp resolution to the formatted log timestamp
* Added missing Geo Countries
* Store temporaries in the request pool for regexes compiled per-request.
* Fix other usage of the global pool for request temporaries in re_operators.c
* Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
* Fix the order of error_msg validation
* When the input filter finishes, check whether we returned data
* fix: care non-null terminated chunk data
* Fix for apr_global_mutex_create() crashes with mod_security
* Fix inet addr handling on 64 bit big endian systems
- Run spec-cleaner
- Remove if/else for older version of SUSE distribution
* Tue Feb 23 2021 pgajdos@suse.com
- version update to 2.9.3
* Enable optimization for large stream input by default on IIS [Issue #1299 - @victorhora, @zimmerle]
* Allow 0 length JSON requests. [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
* Include unnamed JSON values in unnamed ARGS [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
* Fix buffer size for utf8toUnicode transformation [Issue #1208 - @katef, @victorhora]
* Fix sanitizing JSON request bodies in native audit log format [p0pr0ck5, @victorhora]
* IIS: Update Wix installer to bundle a supported CRS version (3.0) [@victorhora, @zimmerle]
* IIS: Update dependencies for Windows build [Issue #1848 - @victorhora, @hsluoyz]
* IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299) [Issue #1299 - @victorhora]
* IIS: Update modsecurity.conf [Issue #788 - @victorhora, @brianclark]
* Add sanity check for a couple malloc() and make code more resilient [Issue #979 - @dogbert2, @victorhora, @zimmerl]
* Fix NetBSD build by renaming the hmac function to avoid conflicts [Issue #1241 - @victorhora, @joerg, @sevan]
* IIS: Windows build, fix duplicate YAJL dir in script [Issue #1612 - @allanbomsft, @victorhora]
* IIS: Remove body prebuffering due to no locking in modsecProcessRequest [Issue #1917 - @allanbomsft, @victorhora]
* Fix mpm-itk / mod_ruid2 compatibility [Issue #712 - @ju5t, @derhansen, @meatlayer, @victorhora]
* Code cosmetics: checks if actionset is not null before use it [Issue #1556 - @marcstern, @zimmerle, @victorhora]
* Only generate SecHashKey when SecHashEngine is On [Issue #1671 - @dmuey, @monkburger, @zimmerle]
* Docs: Reformat README to Markdown and update dependencies [Issue #1857 - @hsluoyz, @victorhora]
* IIS: no lock on ProcessRequest. No reload of config. [Issue #1826 - @allanbomsft]
* IIS: buffer request body before taking lock [Issue #1651 - @allanbomsft]
* good practices: Initialize variables before use it [Issue #1889 - Marc Stern]
* Let body parsers observe SecRequestBodyNoFilesLimit [Issue #1613 - @allanbomsft]
* potential off by one in parse_arguments [Issue #1799 - @tinselcity, @zimmerle]
* Fix utf-8 character encoding conversion [Issue #1794 - @tinselcity, @zimmerle]
* Fix ip tree lookup on netmask content [Issue #1793 - @tinselcity, @zimmerle]
* IIS: set overrideModeDefault to Allow so that individual websites can add to their web.config file [Issue #1781 - @default-kramer]
* modsecurity.conf-recommended: Fix spelling [Issue #1721 - @padraigdoran]
* build: fix when multiple lines for curl version [Issue #1771 - @Artistan]
* Fix arabic charset in unicode_mapping file [Issue #1619 - @alaa-ahmed-a]
* Optionally preallocates memory when SecStreamInBodyInspection is on [Issue #1366 - @allanbomsft, @zimmerle]
* Fixed typo in build_yajl.bat [Issue #1366 - @allanbomsft]
* Fixes SecConnWriteStateLimit [Issue #1545 - @nicjansma]
* Added "empty chunk" check [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
* Add capture action to @detectXSS operator [Issue #1488, #1482 - @victorhora]
* Fix for wildcard operator when loading conf files on Nginx / IIS [Issue #1486, #1285 - @victorhora and @thierry-f-78]
* Set of fixes to make windows build workable with the buildbots [Commit 94fe3 - @zimmerle]
* Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH [Issue #1510 - @marcstern]
* Adds missing headers [Issue #1454 - @devnexen]
- modified patches % modsecurity-fixes.patch (fix crash caused by our patch) [bsc#1180830]
- added patches + modsecurity-2.9.3-input_filtering_errors.patch [bsc#1180830]
* Wed Feb 12 2020 pgajdos@suse.com
- removing %apache_test_* macros, do not test module just by loading the module
* Fri Dec 29 2017 jengelh@inai.de
- Trim advertisement and filler wording from descriptions.
* Wed Dec 20 2017 pgajdos@suse.com
- fix build for SLE_11_SP4: BuildRoot and %defattr have to be present
* Mon Oct 02 2017 kstreitova@suse.com
- update to 2.9.2
* release notes https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2
* refresh apache2-mod_security2-no_rpath.diff
* remove apache2-mod_security2-lua-5.3.patch that was applied upstream
- remove outdated html pages and diagram (they can be accessed online at https://github.com/SpiderLabs/ModSecurity/wiki)
* Reference-Manual.html.bz2
* ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
* modsecurity_diagram_apache_request_cycle.jpg
- don't pack the whole doc directory as it contains also Makefiles or doxygen configuration files
- disable mlogc as we don't pack it and it also can't be built for curl <=7.34
- add basic and regression test suite (but disabled for now)
* add apache2-mod_security2_tests_conf.patch for apache2 configuration file used for tests that was trying to load mpm_worker_module (it's static for our apache2 package)
* add "BuildRequires: perl-libwww-perl" needed for the test suite
* Wed Jun 21 2017 dimstar@opensuse.org
- Update modsecurity-fixes.patch: additionally include netdb.h in order to have gethostbyname defined.
* Thu Mar 23 2017 kstreitova@suse.com
- cleanup with spec-cleaner
* Wed Jul 29 2015 pgajdos@suse.com
- fix build for lua 5.3 + apache2-mod_security2-lua-5.3.patch
* Thu Jul 16 2015 pgajdos@suse.com
- Requires: %{apache_suse_maintenance_mmn} This will pull this module to the update (in released distribution) when apache maintainer thinks it is good (due api/abi changes).
* Mon Mar 02 2015 tchvatal@suse.com
- Remove useless comment lines/whitespace
* Tue Feb 24 2015 crrodriguez@opensuse.org
- spec, build: Respect optflags
- spec: buildrequire pkgconfig
- modsecurity-fixes.patch: mod_security fails at:
* building with optflags enabled due to undefined behaviour and implicit declarations.
* It abuses it apr_allocator api, creating one allocator per request and then destroying it, flooding the system with mmap() , munmap requests, this is particularly nasty with threaded mpms. it should instead use the allocator from the request pool.
* Sat Feb 14 2015 thomas.worm@sicsec.de
- Raised to version 2.9.0
- Updated patch: apache2-mod_security2-no_rpath.diff (adapted lines)
* Mon Nov 03 2014 pgajdos@suse.com
- call spec-cleaner
- use apache rpm macros
* Wed Aug 27 2014 draht@suse.de
- Portability: provide /etc/apache2/mod_security2.d/empty.conf to avoid a non-match of the file-glob in the Include statement from /etc/apache2/conf.d/mod_security2.conf. This restores the Include back from the IncludeOptional, which is not portable.
- Source URL set to (expanded) https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
* Mon Aug 25 2014 thomas.worm@sicsec.de
- Fixed spec file to work with older distribution versions. Before openSuSE 13.1 aclocal doesn't work, instead autoreconf has to be called.
* Mon Jul 07 2014 draht@suse.de
- last changelog does not say that apache2-mod_security2-libtool-fix.diff was obsoleted.
* Mon Jun 16 2014 draht@suse.de
- BuildRequires: libtool missing
* Mon Jun 16 2014 draht@suse.de
- apache2-mod_security2-libtool-fix.diff: initialize libtool.
* Mon Jun 16 2014 draht@suse.de
- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath in autoconf m4 macros. Obsoletes patch modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build
* Thu Jun 12 2014 draht@suse.de
- OWASP rule set. [bnc#876878] new in 2.8.0 (more complete changelog to add to last changelog):
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer to hashes. See CHANGES file for more details.
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition headers fixed.
* Thu May 01 2014 thomas.worm@sicsec.de
- Raised to version 2.8.0.
- updated patches:
* modsecurity-apache_2.8.0-build_fix_pcre.diff -> modsecurity-apache_2.7.7-build_fix_pcre.diff
* Sat Jan 25 2014 thomas.worm@sicsec.de
- Raised to version 2.7.7.
- modified patches:
* modsecurity-apache_2.7.5-build_fix_pcre.diff, renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff.
* Thu Jan 23 2014 aj@ajaissle.de
- Use correct source Url
* Fri Aug 02 2013 draht@suse.de
- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneous linker parameter, preventing rpath in shared object.
- fixes contained for the following bugs:
* CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
* [bnc#768293] multi-part bypass, minor threat
* CVE-2013-1915 [bnc#813190] XML external entity vulnerability
* CVE-2012-4528 [bnc#789393] rule bypass
* CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer to hashes. See CHANGES file for more details.
* new directive SecXmlExternalEntity, default off
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition headers fixed.
* SDBM deadlock fix
* @rsub memory leak fix
* cookie separator code improvements
* build failure fixes
* compile time option --enable-htaccess-config (set)
* Mon Aug 27 2012 cfarrell@suse.com
- license update: Apache-2.0 and GPL-2.0 Many of the files in the rules/ subdirectory are GPL-2.0 licensed
* Mon Aug 06 2012 crrodriguez@opensuse.org
- Update to version 2.6.7, fixes build in apache 2.4
- Update spec file macros.
* Sat Sep 17 2011 jengelh@medozas.de
- Remove redundant tags/sections from specfile
- Use %_smp_mflags for parallel build
* Wed Jul 06 2011 draht@suse.de
- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
  - SecUnicodeCodePage and SecUnicodeMapFile directives added
  - fixed bug: SecRequestBodyLimit was truncating the real request body
  additional fixes from 2.6.0:
  - buffering filter problems fixed
  - memory leak fix when using MATCHED_VAR_NAMES
  - SecWriteStateLimit added against slow DoS
  additional fixes from 2.6.0 release candidates:
  - optimizations
  - bug in logging code fixed
  - cleanup
  - google safe browsing support
* Thu May 14 2009 mrueckert@suse.de
- update to version 2.5.9
  - Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
  - Added ability to specify the config script directly using --with-apr and --with-apu.
  - Added macro expansion for append/prepend action.
  - Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
  - Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.
- additional changes from 2.5.8
  - Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
  - Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when denying with nolog/noauditlog set and causing the request to be audited.
- additional changes from 2.5.7
  - Fixed XML DTD/Schema validation which will now fail after request body processing errors, even if the XML parser returns a document tree.
  - Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force the REQUEST_BODY variable to be set when a request body processor is not set. Previously the REQUEST_BODY target was only populated by the URLENCODED request body processor.
  - Integrated mlogc source.
  - Fixed logging the hostname in the error_log which was logging the request hostname instead of the Apache resolved hostname.
  - Allow for disabling request body limit checks in phase:1.
  - Added transformations for processing parity for legacy protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
  - Added t:cssDecode transformation to decode CSS escapes.
  - Now log XML parsing/validation warnings and errors to be in the debug log at levels 3 and 4, respectively.
- build and package mlogc
- remove --with-apxs from the configure args as it breaks the build configure now finds our apxs2
* Fri Jan 23 2009 skh@suse.de
- fix broken config [bnc#457200]
* Mon Sep 15 2008 skh@suse.de
- update to version 2.5.6
- initial submit to FACTORY
* Mon May 12 2008 jg@internetx.de
- update to 2.1.7
* Sun Feb 03 2008 jg@internetx.de
- update to 2.1.6
* Wed Aug 08 2007 mrueckert@suse.de
- update to 2.1.2
* Mon Apr 16 2007 mrueckert@suse.de
- update to 2.1.1
- switched to perl based patching instead of cmdline params for make
* Fri Sep 22 2006 poeml@suse.de
- fix build (./install was vanished)
 