Package Release Info

modsecurity-3.0.10-bp154.2.3.1

Update Info: openSUSE-2023-269
Available in Package Hub : 15 SP4 Update

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

libmodsecurity3
libmodsecurity3-32bit
libmodsecurity3-64bit
modsecurity
modsecurity-devel

Change Logs

* Mon Sep 04 2023 David Anes <david.anes@suse.com>
- Update to version 3.0.10:
  * Security impacting issue (fix bsc#1213702, CVE-2023-38285)
  - Fix: worst-case time in implementation of four transformations
  - Additional information on this issue is available at
    https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
  * Enhancements and bug fixes
  - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
  - Make MULTIPART_PART_HEADERS accessible to lua
  - Fix: Lua scripts cannot read whole collection at once
  - Fix: quoted Include config with wildcard
  - Support isolated PCRE match limits
  - Fix: meta actions not applied if multiMatch in first rule of chain
  - Fix: audit log may omit tags when multiMatch
  - Exclude CRLF from MULTIPART_PART_HEADER value
  - Configure: use AS_ECHO_N instead echo -n
  - Adjust position of memset from 2890
* Tue May 09 2023 Danilo Spinella <danilo.spinella@suse.com>
- Update to version 3.0.9:
  * Add some member variable inits in Transaction class (possible segfault)
  * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  * Resolve memory leak on reload (bison-generated variable)
  * Support equals sign in XPath expressions
  * Encode two special chars in error.log output
  * Add JIT support for PCRE2
  * Support comments in ipMatchFromFile file via '#' token
  * Use name package name libmaxminddb with pkg-config
  * Fix: FILES_TMP_CONTENT collection key should use part name
  * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  * During configure, do not check for pcre if pcre2 specified
  * Use pkg-config to find libxml2 first
  * Fix two rule-reload memory leak issues
  * Correct whitespace handling for Include directive
- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process
  in some configurations with certain inputs, bsc#1210993
* Fri Dec 16 2022 Michael Ströder <michael@stroeder.com>
- Update to version 3.0.8
  * Adjust parser activation rules in modsecurity.conf-recommended [#2796]
  * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
  * Prevent LMDB related segfault [#2755, #2761]
  * Fix msc_transaction_cleanup function comment typo [#2788]
  * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
  * Restore Unique_id to include random portion after timestamp [#2752, #2758]
* Sun Aug 14 2022 Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Update to version 3.0.7
  * Support PCRE2
  * Support SecRequestBodyNoFilesLimit
  * Add ctl:auditEngine action support
  * Move PCRE2 match block from member variable
  * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  * Fix memory leak when concurrent log includes REMOTE_USER
  * Fix LMDB initialization issues
  * Fix initcol error message wording
  * Tolerate other parameters after boundary in multipart C-T
  * Add DebugLog message for bad pattern in rx operator
  * Fix misuses of LMDB API
  * Fix duplication typo in code comment
  * Fix multiMatch msg, etc, population in audit log
  * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  * Adjust confusing variable name in setRequestBody method
  * Multipart names/filenames may include single quote if double-quote enclosed
  * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
* Fri Feb 25 2022 Ferdinand Thiessen <rpm@fthiessen.de>
- Update to version 3.0.6
  * Security issue: Support configurable limit on depth of JSON
    parsing, possible DoS issue. CVE-2021-42717
- Update to version 3.0.5
  * New: Having ARGS_NAMES, variables proxied
  * Fix: FILES variable does not use multipart part name for key
  * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
  * Support configurable limit on number of arguments processed
  * Adds support to lua 5.4
  * Add support for new operator rxGlobal
  * Fix: Replaces put with setenv in SetEnv action
  * Fix: Regex key selection should not be case-sensitive
  * Fix: Only delete Multipart tmp files after rules have run
  * Fixed MatchedVar on chained rules
  * Fix IP address logging in Section A
  * Fix:  rx: exit after full match (remove /g emulation); ensure
    capture groups occuring after unused groups still populate TX vars
  * Fix rule-update-target for non-regex
  * Fix Security Impacting Issues:
  * Handle URI received with uri-fragment, CVE-2020-15598
* Wed Jul 22 2020 Dirk Mueller <dmueller@suse.com>
- add baselibs, fix packaging (install into %_libdir)
- update to 3.0.4:
  - Fix: audit log data omitted when nolog,auditlog
  - Fix: ModSecurity 3.x inspectFile operator does not pass
  - XML: Remove error messages from stderr
  - Filter comment or blank line for pmFromFile operator
  - Additional adjustment to Cookie header parsing
  - Restore chained rule part H logging to be more like 2.9 behaviour
  - Small fixes in log messages to help debugging the file upload
  - Fix Cookie header parsing issues
  - Fix rules with nolog are logging to part H
  - Fix argument key-value pair parsing cases
  - Fix: audit log part for response body for JSON format to be E
  - Make sure m_rulesMessages is filled after successfull match
  - Fix @pm lookup for possible matches on offset zero.
  - Regex lookup on the key name instead of COLLECTION:key
  - Missing throw in Operator::instantiate
  - Making block action execution dependent of the SecEngine status
  - Making block action execution dependent of the SecEngine status
  - Having body limits to respect the rule engine state
  - Fix SecRuleUpdateTargetById does not match regular expressions
  - Adds missing check for runtime ctl:ruleRemoveByTag
  - Adds a new operator verifySVNR that checks for Austrian social
  security numbers.
  - Fix variables output in debug logs
  - Correct typo validade in log output
  - fix/minor: Error encoding hexa decimal.
  - Limit more log variables to 200 characters.
  - parser: fix parsed file names
  - Allow empty anchored variable
  - Fixed FILES_NAMES collection after the end of multipart parsing
  - Fixed validateByteRange parsing method
  - Removes a memory leak on the JSON parser
  - Enables LMDB on the regression tests.
  - Fix: Extra whitespace in some configuration directives causing error
  - Refactoring on Regex and SMatch classes.
  - Fixed buffer overflow in Utils::Md5::hexdigest()
  - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  - Adds initially support to the drop action.
  - Complete merging of particular rule properties
  - Replaces AC_CHECK_FILE with 'test -f'
  - Fix inet addr handling on 64 bit big endian systems
  - Fix tests on FreeBSD
  - Changes ENV test case to read the default MODSECURTIY env var
  - Regression: Sets MODSECURITY env var during the tests execution
  - Fix setenv action to strdup key=variable
  - Allow 0 length JSON requests.
  - Fix "make dist" target to include default configuration
  - Replaced log locking using mutex with fcntl lock
  - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
  - Adds support to multiple ranges in ctl:ruleRemoveById
  - Rule variable interpolation broken
  - Make the boundary check less strict as per RFC2046
  - Fix buffer size for utf8toUnicode transformation
  - Fix double macros bug
  - Override the default status code if not suitable to redirect action
  - parser: Fix the support for CRLF configuration files
  - Organizes the server logs
  - m_lineNumber in Rule not mapping with the correct line number in file
  - Using shared_ptr instead of unique_ptr on rules exceptions
  - Changes debuglogs schema to avoid unecessary str allocation
  - Fix the SecUnicodeMapFile and SecUnicodeCodePage
  - Changes the timing to save the rule message
  - Fix crash in msc_rules_add_file() when using disruptive action in chain
  - Fix memory leak in AuditLog::init()
  - Fix RulesProperties::appendRules()
  - Fix RULE lookup in chained rules
  - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
  - Using values after transformation at MATCHED_VARS
  - Adds support to UpdateActionById.
  - Add correct C function prototypes for msc_init and msc_create_rule_set
  - Allow LuaJIT 2.1 to be used
  - Match m_id JSON log with RuleMessage and v2 format
  - Adds support to setenv action.
  - Adds new transaction constructor that accepts the transaction id
  as parameter.
  - Adds request IDs and URIs to the debug log
  - Treating variables exception on load-time instead of run time.
  - Fix: function m.setvar in Lua scripts and add testcases
  - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
  - Fix OpenBSD build
  - Fix parser to support GeoLookup with MaxMind
  - parser: Fix simple quote setvar in the end of the line
  - Fix pc file
  - modsec_rules_check: uses the gnu `.la' instead of `.a' file
  - good practices: Initialize variables before use it
  - Fix utf-8 character encoding conversion
  - Adds support for ctl:requestBodyProcessor=URLENCODED
  - Add LUA compatibility for CentOS and try to use LuaJIT first if available
  - Allow LuaJIT to be used
  - Implement support for Lua 5.1
  - Variable names must match fully, not partially. Match should be case
  insensitive.
  - Improves the performance while loading the rules
  - Allow empty strings to be evaluated by regex::searchAll
  - Adds basic pkg-config info
  - Fixed LMDB collection errors
  - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
  - Fix ip tree lookup on netmask content
  - Changes the behavior of the default sec actions
  - Refactoring on {global,ip,resources,session,tx,user} collections
  - Fix race condition in UniqueId::uniqueId()
  - Fix memory leak in error message for msc_rules_merge C APIs
  - Return false in SharedFiles::open() when an error happens
  - Use rvalue reference in ModSecurity::serverLog
  - Build System: Fix when multiple lines for curl version.
  - Checks if response body inspection is enabled before process it
  - Code Cleanup.
  - Fix setvar parsing of quoted data
  - Fix LDFLAGS for unit tests.
  - Adds time stamp back to the audit logs
  - Disables skip counter if debug log is disabled
  - Cosmetics: Represents amount of skipped rules without decimal
  - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
  - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
  - Fix memory leak in modsecurity::utils::expandEnv()
  - Initialize m_dtd member in ValidateDTD class as NULL
  - Fix broken @detectxss operator regression test case
  - Fix utils::string::ssplit() to handle delimiter in the end of string
  - Fix variable FILES_TMPNAMES
  - Fix memory leak in Collections
  - Fix lib version information while generating the .so file
  - Adds support for ctl:ruleRemoveByTag
  - Fix SecUploadDir configuration merge
  - Include all prerequisites for "make check" into dist archive
  - Fix: Reverse logic of checking output in @inspectFile
  - Adds support to libMaxMind
  - Adds capture action to detectXSS
  - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
  - Adds capture action to detectSQLi
  - Adds capture action to rbl
  - Adds capture action to verifyCC
  - Adds capture action to verifySSN
  - Adds capture action to verifyCPF
  - Prettier error messages for unsupported configurations (UX)
  - Add missing verify*** transformation statements to parser
  - Fix a set of compilation warnings
  - Check for disruptive action on SecDefaultAction.
  - Fix block-block infinite loop.
  - Correction remove_by_tag and remove_by_msg logic.
  - Fix LMDB compile error
  - Fix msc_who_am_i() to return pointer to a valid C string
  - Added some cosmetics to autoconf related code
  - Fix "make dist" target to include necessary headers for Lua
  - Fix "include /foo/*.conf" for single matched object in directory
  - Add missing Base64 transformation statements to parser
  - Fixed resource load on ip match from file
  - Fixed examples compilation while using disable-shared
  - Fixed compilation issue while xml is disabled
  - Having LDADD and LDFLAGS organized on Makefile.am
  - Checking std::deque size before use it
  - perf improvement: Added the concept of RunTimeString and removed
  all run time parser.
  - perf improvement: Checks debuglog level before format debug msg
  - perf. improvement/rx: Only compute dynamic regex in case of macro
  - Fix uri on the benchmark utility
  - disable Lua on systems with liblua5.1
Version: 3.0.0-bp151.1.1
* Sat Jul 14 2018 jengelh@inai.de
- Remove rhetoric part from descriptions.
* Mon Jul 09 2018 mrostecki@suse.com
- Remove libltdl7 from build dependencies
* Mon Jul 02 2018 mrostecki@suse.com
- Make use of %license macro
- Make use of %{version} variable
- Sort dependencies alphabetically
* Mon Mar 19 2018 mrostecki@suse.com
- Initial release