
modsecurity-3.0.12-1.1 RPM for armv7hl

From OpenSuSE Ports Tumbleweed for armv7hl

Name: modsecurity
Version: 3.0.12
Release: 1.1
Group: Productivity/Networking/Security
Size: 25161
Distribution: openSUSE Tumbleweed
Vendor: openSUSE
Build date: Thu Feb 29 23:03:08 2024
Build host: i02-armsrv3
Source RPM: modsecurity-3.0.12-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://www.modsecurity.org/
Summary: Web application firewall engine
ModSecurity is a toolkit for real-time web application monitoring, logging, and
access control.

Provides

Requires

License

BSD-2-Clause

Changelog

* Thu Feb 15 2024 Dominique Leuenberger <dimstar@opensuse.org>
  - Update to version 3.0.12:
    + Change REQUEST_FILENAME and REQUEST_BASENAME behavior:
      WAF bypass of the ModSecurity v3 release line for path-based
      payloads by submitting a specially crafted request URL
      (CVE-2024-1019).
    + Enhancements and bug fixes
    + Set the minimum security protocol version (TLSv1.2) for
      SecRemoteRules.
* Mon Jan 29 2024 Dirk Müller <dmueller@suse.com>
  - update to 3.0.11:
    * Add WRDE_NOCMD to wordexp call
    * Fix: validateDTD compile fails when libxml2 not
      installed
    * Fix memory leak of validateDTD's dtd object
    * Fix memory leaks in ValidateSchema
    * Add support for expirevar action
    * Fix: lmdb regex match on non-null terminated string
    * Fix memory leaks in lmdb code (new'd strings)
    * Configure: add additional name to pcre2 pkg-config list
* Mon Sep 04 2023 David Anes <david.anes@suse.com>
  - Update to version 3.0.10:
    * Security impacting issue (fix bsc#1213702, CVE-2023-38285)
    - Fix: worst-case time in implementation of four transformations
    - Additional information on this issue is available at
      https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
    * Enhancements and bug fixes
    - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
    - Make MULTIPART_PART_HEADERS accessible to lua
    - Fix: Lua scripts cannot read whole collection at once
    - Fix: quoted Include config with wildcard
    - Support isolated PCRE match limits
    - Fix: meta actions not applied if multiMatch in first rule of chain
    - Fix: audit log may omit tags when multiMatch
    - Exclude CRLF from MULTIPART_PART_HEADER value
    - Configure: use AS_ECHO_N instead of echo -n
    - Adjust position of memset from 2890
* Tue May 09 2023 Danilo Spinella <danilo.spinella@suse.com>
  - Update to version 3.0.9:
    * Add some member variable inits in Transaction class (possible segfault)
    * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
    * Resolve memory leak on reload (bison-generated variable)
    * Support equals sign in XPath expressions
    * Encode two special chars in error.log output
    * Add JIT support for PCRE2
    * Support comments in ipMatchFromFile file via '#' token
    * Use package name libmaxminddb with pkg-config
    * Fix: FILES_TMP_CONTENT collection key should use part name
    * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
    * During configure, do not check for pcre if pcre2 specified
    * Use pkg-config to find libxml2 first
    * Fix two rule-reload memory leak issues
    * Correct whitespace handling for Include directive
  - Fix CVE-2023-28882, a segfault and a resultant crash of a worker process
    in some configurations with certain inputs, bsc#1210993
* Fri Dec 16 2022 Michael Ströder <michael@stroeder.com>
  - Update to version 3.0.8
    * Adjust parser activation rules in modsecurity.conf-recommended [#2796]
    * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
    * Prevent LMDB related segfault [#2755, #2761]
    * Fix msc_transaction_cleanup function comment typo [#2788]
    * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
    * Restore Unique_id to include random portion after timestamp [#2752, #2758]
* Sun Aug 14 2022 Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
  - Update to version 3.0.7
    * Support PCRE2
    * Support SecRequestBodyNoFilesLimit
    * Add ctl:auditEngine action support
    * Move PCRE2 match block from member variable
    * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
    * Fix memory leak when concurrent log includes REMOTE_USER
    * Fix LMDB initialization issues
    * Fix initcol error message wording
    * Tolerate other parameters after boundary in multipart C-T
    * Add DebugLog message for bad pattern in rx operator
    * Fix misuses of LMDB API
    * Fix duplication typo in code comment
    * Fix multiMatch msg, etc, population in audit log
    * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
    * Adjust confusing variable name in setRequestBody method
    * Multipart names/filenames may include single quote if double-quote enclosed
    * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
* Fri Feb 25 2022 Ferdinand Thiessen <rpm@fthiessen.de>
  - Update to version 3.0.6
    * Security issue: Support configurable limit on depth of JSON
      parsing, possible DoS issue. CVE-2021-42717
  - Update to version 3.0.5
    * New: Having ARGS_NAMES, variables proxied
    * Fix: FILES variable does not use multipart part name for key
    * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
    * Support configurable limit on number of arguments processed
    * Adds support to lua 5.4
    * Add support for new operator rxGlobal
    * Fix: Replaces put with setenv in SetEnv action
    * Fix: Regex key selection should not be case-sensitive
    * Fix: Only delete Multipart tmp files after rules have run
    * Fixed MatchedVar on chained rules
    * Fix IP address logging in Section A
    * Fix: rx: exit after full match (remove /g emulation); ensure
      capture groups occurring after unused groups still populate TX vars
    * Fix rule-update-target for non-regex
    * Fix Security Impacting Issues:
    * Handle URI received with uri-fragment, CVE-2020-15598
* Wed Jul 22 2020 Dirk Mueller <dmueller@suse.com>
  - add baselibs, fix packaging (install into %_libdir)
  - update to 3.0.4:
    - Fix: audit log data omitted when nolog,auditlog
    - Fix: ModSecurity 3.x inspectFile operator does not pass
    - XML: Remove error messages from stderr
    - Filter comment or blank line for pmFromFile operator
    - Additional adjustment to Cookie header parsing
    - Restore chained rule part H logging to be more like 2.9 behaviour
    - Small fixes in log messages to help debugging the file upload
    - Fix Cookie header parsing issues
    - Fix rules with nolog are logging to part H
    - Fix argument key-value pair parsing cases
    - Fix: audit log part for response body for JSON format to be E
    - Make sure m_rulesMessages is filled after successful match
    - Fix @pm lookup for possible matches on offset zero.
    - Regex lookup on the key name instead of COLLECTION:key
    - Missing throw in Operator::instantiate
    - Making block action execution dependent of the SecEngine status
    - Having body limits to respect the rule engine state
    - Fix SecRuleUpdateTargetById does not match regular expressions
    - Adds missing check for runtime ctl:ruleRemoveByTag
    - Adds a new operator verifySVNR that checks for Austrian social
      security numbers.
    - Fix variables output in debug logs
    - Correct typo validade in log output
    - fix/minor: Error encoding hexadecimal.
    - Limit more log variables to 200 characters.
    - parser: fix parsed file names
    - Allow empty anchored variable
    - Fixed FILES_NAMES collection after the end of multipart parsing
    - Fixed validateByteRange parsing method
    - Removes a memory leak on the JSON parser
    - Enables LMDB on the regression tests.
    - Fix: Extra whitespace in some configuration directives causing error
    - Refactoring on Regex and SMatch classes.
    - Fixed buffer overflow in Utils::Md5::hexdigest()
    - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
    - Adds initially support to the drop action.
    - Complete merging of particular rule properties
    - Replaces AC_CHECK_FILE with 'test -f'
    - Fix inet addr handling on 64 bit big endian systems
    - Fix tests on FreeBSD
    - Changes ENV test case to read the default MODSECURITY env var
    - Regression: Sets MODSECURITY env var during the tests execution
    - Fix setenv action to strdup key=variable
    - Allow 0 length JSON requests.
    - Fix "make dist" target to include default configuration
    - Replaced log locking using mutex with fcntl lock
    - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
    - Adds support to multiple ranges in ctl:ruleRemoveById
    - Rule variable interpolation broken
    - Make the boundary check less strict as per RFC2046
    - Fix buffer size for utf8toUnicode transformation
    - Fix double macros bug
    - Override the default status code if not suitable to redirect action
    - parser: Fix the support for CRLF configuration files
    - Organizes the server logs
    - m_lineNumber in Rule not mapping with the correct line number in file
    - Using shared_ptr instead of unique_ptr on rules exceptions
    - Changes debuglogs schema to avoid unnecessary str allocation
    - Fix the SecUnicodeMapFile and SecUnicodeCodePage
    - Changes the timing to save the rule message
    - Fix crash in msc_rules_add_file() when using disruptive action in chain
    - Fix memory leak in AuditLog::init()
    - Fix RulesProperties::appendRules()
    - Fix RULE lookup in chained rules
    - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
    - Using values after transformation at MATCHED_VARS
    - Adds support to UpdateActionById.
    - Add correct C function prototypes for msc_init and msc_create_rule_set
    - Allow LuaJIT 2.1 to be used
    - Match m_id JSON log with RuleMessage and v2 format
    - Adds support to setenv action.
    - Adds new transaction constructor that accepts the transaction id
      as parameter.
    - Adds request IDs and URIs to the debug log
    - Treating variables exception on load-time instead of run time.
    - Fix: function m.setvar in Lua scripts and add testcases
    - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
    - Fix OpenBSD build
    - Fix parser to support GeoLookup with MaxMind
    - parser: Fix simple quote setvar in the end of the line
    - Fix pc file
    - modsec_rules_check: uses the gnu `.la' instead of `.a' file
    - good practices: Initialize variables before using them
    - Fix utf-8 character encoding conversion
    - Adds support for ctl:requestBodyProcessor=URLENCODED
    - Add LUA compatibility for CentOS and try to use LuaJIT first if available
    - Allow LuaJIT to be used
    - Implement support for Lua 5.1
    - Variable names must match fully, not partially. Match should be case
      insensitive.
    - Improves the performance while loading the rules
    - Allow empty strings to be evaluated by regex::searchAll
    - Adds basic pkg-config info
    - Fixed LMDB collection errors
    - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
    - Fix ip tree lookup on netmask content
    - Changes the behavior of the default sec actions
    - Refactoring on {global,ip,resources,session,tx,user} collections
    - Fix race condition in UniqueId::uniqueId()
    - Fix memory leak in error message for msc_rules_merge C APIs
    - Return false in SharedFiles::open() when an error happens
    - Use rvalue reference in ModSecurity::serverLog
    - Build System: Fix when multiple lines for curl version.
    - Checks if response body inspection is enabled before processing it
    - Code Cleanup.
    - Fix setvar parsing of quoted data
    - Fix LDFLAGS for unit tests.
    - Adds time stamp back to the audit logs
    - Disables skip counter if debug log is disabled
    - Cosmetics: Represents amount of skipped rules without decimal
    - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
    - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
    - Fix memory leak in modsecurity::utils::expandEnv()
    - Initialize m_dtd member in ValidateDTD class as NULL
    - Fix broken @detectxss operator regression test case
    - Fix utils::string::ssplit() to handle delimiter in the end of string
    - Fix variable FILES_TMPNAMES
    - Fix memory leak in Collections
    - Fix lib version information while generating the .so file
    - Adds support for ctl:ruleRemoveByTag
    - Fix SecUploadDir configuration merge
    - Include all prerequisites for "make check" into dist archive
    - Fix: Reverse logic of checking output in @inspectFile
    - Adds support to libMaxMind
    - Adds capture action to detectXSS
    - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
    - Adds capture action to detectSQLi
    - Adds capture action to rbl
    - Adds capture action to verifyCC
    - Adds capture action to verifySSN
    - Adds capture action to verifyCPF
    - Prettier error messages for unsupported configurations (UX)
    - Add missing verify*** transformation statements to parser
    - Fix a set of compilation warnings
    - Check for disruptive action on SecDefaultAction.
    - Fix block-block infinite loop.
    - Correction remove_by_tag and remove_by_msg logic.
    - Fix LMDB compile error
    - Fix msc_who_am_i() to return pointer to a valid C string
    - Added some cosmetics to autoconf related code
    - Fix "make dist" target to include necessary headers for Lua
    - Fix "include /foo/*.conf" for single matched object in directory
    - Add missing Base64 transformation statements to parser
    - Fixed resource load on ip match from file
    - Fixed examples compilation while using disable-shared
    - Fixed compilation issue while xml is disabled
    - Having LDADD and LDFLAGS organized on Makefile.am
    - Checking std::deque size before using it
    - perf improvement: Added the concept of RunTimeString and removed
      all run time parser.
    - perf improvement: Checks debuglog level before format debug msg
    - perf. improvement/rx: Only compute dynamic regex in case of macro
    - Fix uri on the benchmark utility
    - disable Lua on systems with liblua5.1
* Sat Jul 14 2018 jengelh@inai.de
  - Remove rhetoric part from descriptions.
* Mon Jul 09 2018 mrostecki@suse.com
  - Remove libltdl7 from build dependencies
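
The security-relevant directives named in the changelog entries above (the JSON depth limit from 3.0.6, the argument limit and rule 200007 from 3.0.5/3.0.7, SecRequestBodyNoFilesLimit from 3.0.7, the TLSv1.2 floor for SecRemoteRules in 3.0.12, and the 3.0.12 change to REQUEST_FILENAME/REQUEST_BASENAME), collected into one configuration fragment. This is an added example, not the package's own or upstream's modsecurity.conf-recommended; the directive names and rule id 200007 are the ones the changelog cites, while the numeric limits, the second rule's id 1000001, and the SecRemoteRules key and URL are illustrative values chosen here.

```apache
# Added example configuration, not shipped by this RPM or by upstream.
# Numeric limits, rule id 1000001 and the SecRemoteRules key/URL are
# illustrative choices; only the directive names and id 200007 come from
# the changelog above.

SecRuleEngine On
SecRequestBodyAccess On

# 3.0.6 (CVE-2021-42717): before this release JSON nesting depth was
# unbounded, so a deeply nested body could exhaust the parser.
# Weak (pre-3.0.6 behaviour): no limit at all.  Hardened:
SecRequestBodyJsonDepthLimit 512

# 3.0.5 added a configurable cap on the number of arguments parsed;
# 3.0.7 added the cap and rule 200007 to modsecurity.conf-recommended.
# Without the rule, reaching the cap only stops parsing; with it the
# request is denied instead of being inspected half-parsed.
SecArgumentsLimit 1000
SecRule &ARGS "@ge 1000" \
    "id:200007,phase:2,t:none,log,deny,status:400,\
     msg:'Failed to fully parse request body due to large argument count'"

# 3.0.7: a separate, smaller limit for bodies that carry no file upload,
# so the large SecRequestBodyLimit needed for uploads does not also apply
# to every form post or JSON body.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# 3.0.12: remote rule sets are fetched with TLSv1.2 or newer as the
# minimum protocol version.  Abort on fetch failure rather than start
# without the rules.  The key and URL below are placeholders.
SecRemoteRulesFailAction Abort
SecRemoteRules example-key https://rules.example.invalid/rules.conf

# 3.0.12 (CVE-2024-1019) changed how REQUEST_FILENAME and REQUEST_BASENAME
# are populated from the request URL.  Rules keyed on these variables,
# such as this illustrative one, should be re-tested against a 3.0.12
# build rather than assumed to behave as they did under 3.0.11.
SecRule REQUEST_BASENAME "@endsWith .php" \
    "id:1000001,phase:1,log,deny,status:403,msg:'PHP script requested'"
```

Before loading the fragment into the web server it can be syntax-checked with the rules checker this package installs, /usr/bin/modsec-rules-check, which takes the rule file path as its argument. SecRemoteRules fetches the rule set over HTTPS at load time, so with SecRemoteRulesFailAction Abort the placeholder URL must be replaced by a reachable endpoint, or the two SecRemoteRules lines removed, before the configuration will load.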

Files

/usr/bin/modsec-rules-check
/usr/share/licenses/modsecurity
/usr/share/licenses/modsecurity/LICENSE


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Nov 16 01:07:39 2024