File apache2-mod_security2.changes of Package apache2-mod_security2.38969

-------------------------------------------------------------------
Wed Jun  4 08:27:15 UTC 2025 - pgajdos@suse.com

- security update
- added patches
  CVE-2025-47947 [bsc#1243978], DoS through sanitiseMatchedBytes
  + apache2-mod_security2-CVE-2025-47947.patch
  CVE-2025-48866 [bsc#1243976], excessive number of arguments in sanitiseArg can lead to a denial of service due to high memory consumption
  + apache2-mod_security2-CVE-2025-48866.patch

-------------------------------------------------------------------
Wed Jan 25 17:42:17 UTC 2023 - Danilo Spinella <danilo.spinella@suse.com>

- Fix CVE-2022-48279, HTTP multipart requests were incorrectly
  parsed and could bypass the Web Application Firewall
  (CVE-2022-48279, bsc#1207378)
  * fix-CVE-2022-48279.patch

-------------------------------------------------------------------
Wed Apr 18 10:45:25 UTC 2018 - kstreitova@suse.com

- trigger rebuild for getting the latest SLE12 libpcre version
  [bsc#1089692]

-------------------------------------------------------------------
Fri Jul 17 09:45:23 UTC 2015 - pgajdos@suse.com

- buildrequire apache-rpm-macros, require %{apache_suse_maintenance_mmn}
  [bnc#915666]

-------------------------------------------------------------------
Wed Aug 27 17:25:33 CEST 2014 - draht@suse.de

- Portability: provide /etc/apache2/mod_security2.d/empty.conf
  to avoid a non-match of the file-glob in the Include statement
  from /etc/apache2/conf.d/mod_security2.conf. This restores
  the Include back from the IncludeOptional, which is not portable.

-------------------------------------------------------------------
Wed Aug  6 15:10:40 CEST 2014 - draht@suse.de

- /etc/apache2/conf.d/mod_security2.conf:
  Use IncludeOptional if file glob matching is required.

-------------------------------------------------------------------
Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de

- BuildRequires: libtool missing

-------------------------------------------------------------------
Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de

- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath
  in autoconf m4 macros.
- use automake for build, add autoconf and automake to
  BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build

-------------------------------------------------------------------
Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de

- package overhaul with update to version 2.8.0, including new
  OWASP rule set. [bnc#876878]
  new in 2.8.0:
  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
    now support white and suspicious list
  * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintained upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer
    to hashes. See CHANGES file for more details.
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual
  * wrong time calculation when logging for some timezones fixed.
  * replaced time-measuring mechanism with finer granularity for
    measured request/answer phases. (Stopwatch remains for compat.)
  * cookie parser memory leak fix
  * parsing of quoted strings in multipart Content-Disposition
    headers fixed.

-------------------------------------------------------------------
Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com

- license update: Apache-2.0 and GPL-2.0
  Many of the files in the rules/ subdirectory are GPL-2.0 licensed

-------------------------------------------------------------------
Mon Aug  6 20:59:45 UTC 2012 - crrodriguez@opensuse.org

- Update to version 2.6.7, fixes build in apache 2.4
- Update spec file macros.

-------------------------------------------------------------------
Sat Sep 17 11:20:39 UTC 2011 - jengelh@medozas.de

- Remove redundant tags/sections from specfile
- Use %_smp_mflags for parallel build

-------------------------------------------------------------------
Wed Jul  6 04:33:49 CEST 2011 - draht@suse.de

- update to version 2.6.1-rc1 for submission to SLE11-SP2 (fate#309433):
  - SecUnicodeCodePage and SecUnicodeMapFile directives added
  - fixed bug: SecRequestBodyLimit was truncating the real request
    body
  additional fixes from 2.6.0:
  - buffering filter problems fixed
  - memory leak fix when using MATCHED_VAR_NAMES
  - SecWriteStateLimit added against slow DoS
  additional fixes from 2.6.0 release candidates:
  - optimizations
  - bug in logging code fixed
  - cleanup
  - google safe browsing support

-------------------------------------------------------------------
Thu May 14 18:05:26 CEST 2009 - mrueckert@suse.de

- update to version 2.5.9
  - Fixed parsing multipart content with a missing part header name
    which would crash Apache.  Discovered by "Internet Security
    Auditors" (isecauditors.com).
  - Added ability to specify the config script directly using
    --with-apr and --with-apu.
  - Added macro expansion for append/prepend action.
  - Fixed race condition in concurrent updates of persistent
    counters.  Updates are now atomic.
  - Cleaned up build, adding an option for verbose configure output
    and making the mlogc build more portable.
- additional changes from 2.5.8
  - Fixed PDF XSS issue where a non-GET request for a PDF file
    would crash the Apache httpd process.  Discovered by Steve
    Grubb at Red Hat.
  - Removed an invalid "Internal error: Issuing "%s" for
    unspecified error." message that was logged when denying with
    nolog/noauditlog set and causing the request to be audited.
- additional changes from 2.5.7
  - Fixed XML DTD/Schema validation which will now fail after
    request body processing errors, even if the XML parser returns
    a document tree.
  - Added ctl:forceRequestBodyVariable=on|off which, when enabled,
    will force the REQUEST_BODY variable to be set when a request
    body processor is not set.  Previously the REQUEST_BODY target
    was only populated by the URLENCODED request body processor.
  - Integrated mlogc source.
  - Fixed logging the hostname in the error_log which was logging
    the request hostname instead of the Apache resolved hostname.
  - Allow for disabling request body limit checks in phase:1.
  - Added transformations for processing parity for legacy
    protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit,
    t:parityZero7bit
  - Added t:cssDecode transformation to decode CSS escapes.
  - Now log XML parsing/validation warnings and errors to be in the
    debug log at levels 3 and 4, respectively.
- build and package mlogc
- remove --with-apxs from the configure args as it breaks the build
  configure now finds our apxs2

-------------------------------------------------------------------
Fri Jan 23 16:56:55 CET 2009 - skh@suse.de

- fix broken config [bnc#457200]

-------------------------------------------------------------------
Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de

- update to version 2.5.6
- initial submit to FACTORY

-------------------------------------------------------------------
Mon May 12 05:25:07 CEST 2008 - jg@internetx.de

- update to 2.1.7

-------------------------------------------------------------------
Thu Feb 3 05:44:12 CEST 2008 - jg@internetx.de

- update to 2.1.6

-------------------------------------------------------------------
Wed Aug  8 05:36:42 CEST 2007 - mrueckert@suse.de

- update to 2.1.2

-------------------------------------------------------------------
Mon Apr 16 10:34:05 CEST 2007 - mrueckert@suse.de

- update to 2.1.1
- switched to perl based patching instead of cmdline params for make

-------------------------------------------------------------------
Fri Sep 22 08:31:51 CEST 2006 - poeml@suse.de

- fix build (./install had vanished)
