cvs.netbsd.org / pkgsrc / security / ap-modsecurity2
Default branch: MAIN
Revision 1.20, Sat Mar 3 00:13:51 2012 UTC (2 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1, HEAD
Changes since 1.19: +2 -2 lines
Recursive bump for pcre-8.30* (shlib major change)
Revision 1.19, Fri Nov 25 22:18:11 2011 UTC (5 months, 4 weeks ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4
Changes since 1.18: +2 -2 lines
Wants APU, so no apache2
Revision 1.18, Fri Apr 22 14:40:45 2011 UTC (13 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.17: +2 -1 lines
recursive bump from gettext-lib shlib bump.
Revision 1.17, Sat Mar 19 21:18:06 2011 UTC (14 months, 1 week ago) by dholland
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1
Changes since 1.16: +24 -16 lines
Update ap-modsecurity2 to 2.5.13, partly from Matthew Sporleder in PR 44745, rest by me.

pkgsrc changes:
- fix up deps
- fix Apache module handling
- DESTDIR support

XXX: The DESTDIR support has to bypass apxs because as far as I can tell
XXX: apxs -i doesn't know how to handle DESTDIRs. Various Apache modules
XXX: do this in various different ways. Someone(TM) should teach apxs -i
XXX: about DESTDIRs and fix up all the abuse. The infrastructure for
XXX: Apache modules could use some rototilling as well.

29 Nov 2010 - 2.5.13
--------------------
* Cleaned up some mlogc code and debugging output.
* Remove the ability to use a relative path to a piped audit logger (i.e. mlogc) as Apache does not support it in their piped loggers and it was breaking Windows and probably other platforms that use spaces in filesystem paths. Discovered by Tom Donovan.
* Fix memory leak freeing regex. Discovered by Tom Donovan.
* Fix some portability issues on Windows.
* Fixed Geo lookup concurrent connections bug
* Fixed Skip/SkipAfter chain bug
* Added new setvar Lua API to be used into Lua scripts
* Added PCRE messages indicates each rule that exceed match limits
* Added new Base64 transformation function called base64DecodeEx, which can decode base64 data skipping special characters.
* Add SecReadStateLimit to limit the number of concurrent threads in BUSY connections per ip address
* Fixed redirect action was not expanding macros in chained rules

04 Feb 2010 - 2.5.12
--------------------
* Fixed SecUploadFileMode to set the correct mode.
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
* Added additional file info definitions introduced in APR 0.9.5 so that build will work with older APRs (IBM HTTP Server v6).
* Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
* Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
* Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
* Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
* Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
* Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.
* Enabled PCRE "studying" by default. This is now a configure-time option.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid in REDoS type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
* Reduced default PCRE match limits reducing impact of REDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Update copyright to 2010.
* Reserved 700,000-799,999 IDs for Ivan Ristic.
* Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
* Do not escape quotes in macro resolution and only escape NUL in setenv values.

04 Nov 2009 - 2.5.11
--------------------
* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
* Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
* Cleanup persistence database locking code.
* Added warning during configure if libcurl is found linked against gnutls for SSL. The openssl lib is recommended as gnutls has proven to cause issues with mutexes and may crash.
* Cleanup some mlogc (over)logging.
* Do not log output filter errors in the error log.
* Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response. Patch originally submitted by Ivan Ristic.

18 Sep 2009 - 2.5.10
--------------------
* Cleanup mlogc so that it builds on Windows.
* Added more detailed messages to replace "Unknown error" in filters.
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning auditlog permissions (especially with mpm-itk).
* Cleanup SecUploadFileMode implementation.
* Cleanup build scripts.
* Fixed crash on configuration if SecMarker is used before any rules.
* Fixed SecRuleUpdateActionById so that it will work on chain starters.
* Cleanup build system for mlogc.
* Allow mlogc to periodically flush memory pools.
* Using nolog,auditlog will now log the "Message:" line to the auditlog, but nothing to the error log. Prior versions dropped the "Message:" line from both logs. To do this now, just use "nolog" or "nolog,noauditlog".
* Forced mlogc to use SSLv3 to avoid some potential auto negotiation issues with some libcurl versions.
* Fixed mlogc issue seen on big endian machines where content type could be listed as zero.
* Removed extra newline from audit log message line when logging XML errors. This was causing problems parsing audit logs.
* Fixed @pm/@pmFromFile case insensitivity.
* Truncate long parameters in log message for "Match of ... against ... required" messages.
* Correctly resolve chained rule actions in logs.
* Cleanup some code for portability.
* AIX does not support hidden visibility with xlc compiler.
* Allow specifying EXTRA_CFLAGS during configure to override gcc specific values for non-gcc compilers.
* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
* Handle a newer geo database more gracefully, avoiding a potential crash for new countries that ModSecurity is not yet aware of.
* Allow checking &GEO "@eq 0" for a failed @geoLookup.
* Fixed mlogc global mutex locking issue and added more debugging output.
* Cleaned up build dependencies and configure options.
Revision 1.16, Sat Mar 19 13:31:52 2011 UTC (14 months, 1 week ago) by obache
Branch: MAIN
Changes since 1.15: +4 -4 lines
* additional missing clean up after removal of libxml option.
* pass to configure more preferred variables.
Revision 1.15, Mon Aug 31 07:19:44 2009 UTC (2 years, 8 months ago) by seb
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1, pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.14: +2 -2 lines
Fix build problem on Solaris with PKGSRC_COMPILER=sunpro and 'db4' in PKG_OPTIONS.apr-util/PKG_DEFAULT_OPTIONS. USE_LANGUAGES should be set before including mk/apache.mk as it may end up including mk/compiler.mk. This last file sets a default value of 'c' to USE_LANGUAGES and then uses it to set PKG_CC, PKG_CXX and PKG_FC to "fail wrappers". Hence the C++ compiler command ends up being wrapped by a "fail script", thus breaking the build.
Revision 1.14, Fri Jul 17 18:00:23 2009 UTC (2 years, 10 months ago) by adrianp
Branch: MAIN
Changes since 1.13: +2 -2 lines
Give up MAINTAINER
Revision 1.13, Sat Mar 14 13:45:38 2009 UTC (3 years, 2 months ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base, pkgsrc-2009Q2, pkgsrc-2009Q1-base, pkgsrc-2009Q1
Changes since 1.12: +8 -5 lines
Update to 2.5.9
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
* Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when denying with nolog/noauditlog set and causing the request to be audited.
* Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
* Added ability to specify the config script directly using --with-apr and --with-apu.
* Updated copyright year to 2009.
* Added macro expansion for append/prepend action.
* Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
* Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.
Revision 1.12, Mon Feb 23 22:01:11 2009 UTC (3 years, 3 months ago) by adrianp
Branch: MAIN
Changes since 1.11: +2 -2 lines
Typo
Revision 1.11, Thu Jan 29 16:54:17 2009 UTC (3 years, 3 months ago) by joerg
Branch: MAIN
Changes since 1.10: +2 -1 lines
Needs libtool.
Revision 1.10, Sat Oct 25 15:59:27 2008 UTC (3 years, 7 months ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2008Q4-base, pkgsrc-2008Q4
Changes since 1.9: +4 -2 lines
Also supports apache 2.2.x
PKGREVISION++
Revision 1.9, Sun Oct 12 12:50:17 2008 UTC (3 years, 7 months ago) by adrianp
Branch: MAIN
Changes since 1.8: +18 -29 lines
Update from 2.1.4->2.5.7
Use ./configure as one is now supplied
libxml2 is no longer optional but curl is
Rename doc/eg dirs from ap-security to ap-modsecurity
* Allow for disabling request body limit checks in phase:1
* Now log XML parsing/validation warnings and errors to be in the debug log at levels 3 and 4, respectively.
* Transformation caching has been deprecated, and is now off by default. We now advise against using transformation caching in production.
* Improve request body processing error messages.
And many more . . . see CHANGES for all the details
Revision 1.8, Mon May 26 02:13:23 2008 UTC (4 years ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, cwrapper, cube-native-xorg-base, cube-native-xorg
Changes since 1.7: +4 -2 lines
Second round of explicit pax dependencies. As reminded by tnn@,
many packages used to use ${PAX}. Use the common way of directly calling
pax, it is created as tool after all.
Revision 1.7, Fri Jan 4 10:05:51 2008 UTC (4 years, 4 months ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2008Q1-base, pkgsrc-2008Q1
Changes since 1.6: +2 -3 lines
Update to 2.1.4

27 Nov 2007 - 2.1.4
-------------------
* Updated included Core Ruleset to version 1.5 and noted in the docs that XML support is required to use the rules without modification.
* Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.
* Fixed multiple warnings on Solaris and/or 64bit builds.
* Do not process subrequests in phase 2-4, but do hand off the request data.
* Fixed a blocking FP in the multipart parser, which affected Safari.

11 Sep 2007 - 2.1.3
-------------------
* Updated multipart parsing code adding variables to allow checking for various parsing issues (request body abnormalities).
* Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.
* Quiet some compiler warnings.
* Do not block internal ErrorDocument requests after blocking request.
* Added ability to compile without an external API (use -DNO_MODSEC_API).

27 Jul 2007 - 2.1.2
-------------------
* Cleaned up and clarified some documentation.
* Update included core rules to latest version (1.4.3).
* Enhanced ability to alert/audit failed requests.
* Do not trigger "pause" action for internal requests.
* Fixed issue with requests that use internal requests. These had the potential to be intercepted incorrectly when other Apache httpd modules that used internal requests were used with mod_security.
* Added Solaris and Cygwin to the list of platforms not supporting the hidden visibility attribute.
* Fixed decoding full-width unicode in t:urlDecodeUni.
* Lessen some overhead of debugging messages and calculations.
* Do not try to intercept a request after a failed rule. This fixes the issue associated with an "Internal Error: Asked to intercept request but was_intercepted is zero" error message.
* Added SecAuditLog2 directive to allow redundant concurrent audit log index files. This will allow sending audit data to two consoles, etc.
* Small performance improvement in memory management for rule execution.
Revision 1.6, Thu Dec 27 16:39:07 2007 UTC (4 years, 4 months ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base, pkgsrc-2007Q4
Changes since 1.5: +3 -1 lines
Add a PCRE bl3 depends to fix builds (found by DragonFly bulk builds)
PKGREVISION++
Revision 1.5, Fri May 18 09:20:09 2007 UTC (5 years ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2007Q3-base, pkgsrc-2007Q3, pkgsrc-2007Q2-base, pkgsrc-2007Q2
Changes since 1.4: +2 -2 lines
11 Apr 2007 - 2.1.1
-------------------
* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression for the @rx operator and variables.
* Really set PCRE_DOTALL option when compiling the regular expression for the @rx operator as the docs state.
* Fixed potential memory corruption when expanding macros.
* Fixed error when a collection was retrieved from storage in the same second as creation by setting the rate to zero.
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
* Fixed the faulty REQUEST_FILENAME variable, which used to change the internal Apache structures by mistake.
* Updates to quiet some compiler warnings.
* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf)
Revision 1.4, Sun Mar 18 10:35:13 2007 UTC (5 years, 2 months ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base, pkgsrc-2007Q1
Changes since 1.3: +3 -3 lines
Update to 2.1.0
Fix a typo in options.mk

23 Feb 2006 - 2.1.0
-------------------
* Removed the "Connection reset by peer" message, which has nothing to do with us. Actually the message was downgraded from ERROR to NOTICE so it will still appear in the debug log.
* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
* It was not possible to remove a rule placed in phase 4 using SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
* Fixed a problem with incorrectly setting requestBodyProcessor using the ctl action.
* Bundled Core Rules 2.1-1.3.2b4.
* Updates to the reference manual.
* Reversed the return values of @validateDTD and @validateSchema, to make them consistent with other operators.
* Added a few helpful debug messages in the XML validation area.
* Updates to the reference manual.
* Fixed the validateByteRange operator.
* Default value for the status action is now 403 (as it was supposed to be but it was effectively 500).
* Rule exceptions (removing using an ID range or an regular expression) is now applied to the current context too. (Previously it only worked on rules that are inherited from the parent context.)
* Fix of a bug with expired variables.
* Fixed regular expression variable selectors for many collections.
* Performance improvements - up to two times for real-life work loads!
* Memory consumption improvements (not measured but significant).
* The allow action did not work in phases 3 and 4. Fixed.
* Unlocked collections GLOBAL and RESOURCE.
* Added support for variable expansion in the msg action.
* New feature: It is now possible to make relative changes to the audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
* New feature: "tag" action. To be used for event categorisation.
* XML parser was not reporting errors that occurred at the end of XML payload.
* Files were not extracted from request if SecUploadKeepFiles was Off. Fixed.
* Regular expressions that are too long are truncated to 256 characters before used in error messages. (In order to keep the error messages in the log at a reasonable size.)
* Fixed the sha1 transformation function.
* Fixed the skip action.
* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
* SecRuleEngine did not work in child configuration contexts (e.g. <Location>).
* Fixed base64Decode and base64Encode.

15 Nov 2006 - 2.0.4
-------------------
* Fixed the "deprecatevar" action.
* Decreasing variable values did not work.
* Made "nolog" do what it is supposed to do - cause a rule match to not be logged. Also "nolog" now implies "noauditlog" but it's possible to follow "nolog" with "auditlog" and have the match not logged to the error log but logged to the auditlog. (Not something that strikes me as useful but it's possible.)
* Relative paths given to SecDataDir will now be treated as relative to the Apache server root.
* Added checks to make sure only correct actions are specified in SecDefaultAction (some actions are required, some don't make any sense) and in rules that are not chain starters (same). This should make the unhelpful "Internal Error: Failed to add rule to the ruleset" message go away.
* Fixed the problem when "SecRuleInheritance Off" is used in a context with no rules defined.
* Fixed a problem of lost input (request body) data on some redirections, for example when mod_rewrite is used.
Revision 1.3, Thu Feb 22 19:27:07 2007 UTC (5 years, 3 months ago) by wiz
Branch: MAIN
Changes since 1.2: +2 -2 lines
Whitespace cleanup, courtesy of pkglint. Patch provided by Sergey Svishchev in private mail.
Revision 1.2, Sun Nov 5 18:05:33 2006 UTC (5 years, 6 months ago) by adrianp
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base, pkgsrc-2006Q4
Changes since 1.1: +3 -1 lines
Add in a BUILDLINK depends on apache>=2.0.59nb2 as that contains the libtool fix this package needs to build. Riding on the initial import - no PKGREVISION bump
Revision 1.1.1.1 (vendor branch), Sun Nov 5 14:33:37 2006 UTC (5 years, 6 months ago) by adrianp
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0 lines
ModSecurity is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. This is the 2.x branch of modsecurity and only supports Apache 2.x
Revision 1.1, Sun Nov 5 14:33:37 2006 UTC (5 years, 6 months ago) by adrianp
Branch: MAIN
Initial revision