-------------------------------------------------------------------
Wed Jan 25 16:56:38 UTC 2023 - Danilo Spinella

- Fix CVE-2022-48279, HTTP multipart requests were incorrectly
  parsed and could bypass the Web Application Firewall
  (CVE-2022-48279, bsc#1207378)
  * fix-CVE-2022-48279.patch

-------------------------------------------------------------------
Wed Aug 6 15:05:29 CEST 2014 - draht@suse.de

- correction to last patch: use function m_strcasestr() as
  substitute for strstr(). [bnc#871309] CVE-2013-5705

-------------------------------------------------------------------
Wed Jul 30 18:16:38 CEST 2014 - draht@suse.de

- apache2-mod_security2-2.7.x-bnc871309-CVE-2013-5705-chunked_requests_bypass.diff
  Fix for a flaw with which restrictions imposed by mod_security2
  could be bypassed with chunked requests. [bnc#871309]
  CVE-2013-5705

-------------------------------------------------------------------
Tue Jul 30 14:33:49 CEST 2013 - draht@suse.de

- apache2-mod_security2-2.7.x-bnc822664-CVE-2013-2765-nullpointer_deref.diff
  fix for null pointer dereference crash known as CVE-2013-2765;
  This crash also has the side effect of leaving behind temporary
  files in a directory configured by the SecTmpDir directive.
  [bnc#822664]
- apache2-mod_security2-2.7.x-bnc822664-double_free.diff
  fixes double free() of pointer in apache2/msc_unicode.c:122
  [bnc#822664]

-------------------------------------------------------------------
Fri Apr 5 16:19:39 CEST 2013 - draht@suse.de

- apache2-mod_security2-2.7.x-bnc813190-CVE-2013-1915-xxe.diff:
  fix for XML external entity vulnerability. [bnc#813190]
  CVE-2013-1915
- Addendum to changelog entry of Thu Jan 17:
  The version upgrade to 2.7.1 also fixes the rule bypass issue
  known as CVE-2012-4528, [bnc#789393], which was addressed with
  version 2.7.0.

-------------------------------------------------------------------
Wed Mar 27 13:26:54 CET 2013 - draht@suse.de

- Add remark about activation of both the mod_security2 and the
  mod_unique_id (which is required by mod_security2) modules to
  /etc/apache2/conf.d/mod_security2.conf. [bnc#811624]

-------------------------------------------------------------------
Thu Jan 17 16:37:03 CET 2013 - draht@suse.de

- version upgrade to 2.7.1. [fate#309433]
- fix for [bnc#768293]: multi-part bypass; This minor security
  threat is not mediated by the old version, and the corresponding
  configuration directives are not present there.
- new configuration framework private to mod_security2:
  /etc/apache2/conf.d/mod_security2.conf loads
  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
  then /etc/apache2/mod_security2.d/*.conf, as set up based on
  advice in /etc/apache2/conf.d/mod_security2.conf
- obsoletes apache2-mod_security2-CVE-2009-5031_CVE-2012-2751.diff
  from prior changelog entry.
- obsoletes apache2-mod_security2-pdf-xss.patch and
  apache2-mod_security2-DOS.patch (DoS vuln by apache crash,
  [bnc#487751])
- New from 2.5.6 to 2.7.1 (excerpt, the most important changes):
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintained upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually
    refer to hashes. See CHANGES file for more details.
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity
    scanner
  * updated reference manual
  * wrong time calculation when logging for some timezones fixed.
  * replaced time-measuring mechanism with finer granularity for
    measured request/answer phases. (Stopwatch remains for compat.)
  * cookie parser memory leak fix
  * parsing of quoted strings in multipart Content-Disposition
    headers fixed.

-------------------------------------------------------------------
Tue Jul 31 16:13:09 CEST 2012 - draht@suse.de

- apache2-mod_security2-CVE-2009-5031_CVE-2012-2751.diff:
  2 CVE IDs for the same issue that was incompletely fixed in 2009.
  Fix for improper handling of quotes of request parameter values
  in the Content-Disposition field of a request with a
  multipart/form-data Content-Type header.
  This is CVE-2009-5031 and CVE-2012-2751. [bnc#768293]

-------------------------------------------------------------------
Wed May 27 05:48:01 CEST 2009 - crrodriguez@suse.de

- VUL-0: apache2-mod_security2 DoS [bnc#487751]

-------------------------------------------------------------------
Fri Jan 23 16:56:55 CET 2009 - skh@suse.de

- fix broken config [bnc#457200]

-------------------------------------------------------------------
Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de

- update to version 2.5.6
- initial submit to FACTORY

-------------------------------------------------------------------
Mon May 12 05:25:07 CEST 2008 - jg@internetx.de

- update to 2.1.7

-------------------------------------------------------------------
Thu Feb 3 05:44:12 CEST 2008 - jg@internetx.de

- update to 2.1.6

-------------------------------------------------------------------
Wed Aug 8 05:36:42 CEST 2007 - mrueckert@suse.de

- update to 2.1.2

-------------------------------------------------------------------
Mon Apr 16 10:34:05 CEST 2007 - mrueckert@suse.de

- update to 2.1.1
- switched to perl based patching instead of cmdline params for
  make

-------------------------------------------------------------------
Fri Sep 22 08:31:51 CEST 2006 - poeml@suse.de

- fix build (./install had vanished)