From 7376a77a6b56b96133f7503b278f02c33f0797e3 Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Apr 03 2014 09:52:27 +0000 Subject: import mod_security-2.7.3-5.el7.src.rpm --- diff --git a/SOURCES/modsecurity-2.7.3-CVE-2013-5705.patch b/SOURCES/modsecurity-2.7.3-CVE-2013-5705.patch new file mode 100644 index 0000000..1b99904 --- /dev/null +++ b/SOURCES/modsecurity-2.7.3-CVE-2013-5705.patch @@ -0,0 +1,12 @@ +diff -up modsecurity-apache_2.7.3/apache2/modsecurity.c.CVE-2013-5705 modsecurity-apache_2.7.3/apache2/modsecurity.c +--- modsecurity-apache_2.7.3/apache2/modsecurity.c.CVE-2013-5705 2014-04-03 11:39:46.451454455 +0200 ++++ modsecurity-apache_2.7.3/apache2/modsecurity.c 2014-04-03 11:40:47.176660100 +0200 +@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_ + if (msr->request_content_length == -1) { + /* There's no C-L, but is chunked encoding used? */ + char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding"); +- if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) { ++ if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) { + msr->reqbody_should_exist = 1; + msr->reqbody_chunked = 1; + } diff --git a/SPECS/mod_security.spec b/SPECS/mod_security.spec index 55679f7..1654e75 100644 --- a/SPECS/mod_security.spec +++ b/SPECS/mod_security.spec @@ -10,7 +10,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.7.3 -Release: 2%{?dist} +Release: 5%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -18,6 +18,8 @@ Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{versi Source1: mod_security.conf Source2: 10-mod_security.conf Patch0: mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch +Patch1: modsecurity-2.7.3-CVE-2013-5705.patch + Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel @@ -39,6 +41,7 @@ This package contains the ModSecurity Audit Log Collector. %prep %setup -q -n modsecurity-apache_%{version} %patch0 -p1 +%patch1 -p1 %build %configure --enable-pcre-match-limit=1000000 \ @@ -109,6 +112,16 @@ rm -rf %{buildroot} %endif %changelog +* Thu Apr 3 2014 Daniel Kopecek - 2.7.3-5 +- Fix Chunked string case sensitive issue (CVE-2013-5705) + Resolves: rhbz#1082907 + +* Fri Jan 24 2014 Daniel Mach - 2.7.3-4 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 2.7.3-3 +- Mass rebuild 2013-12-27 + * Tue May 28 2013 Athmane Madjoudj 2.7.3-2 - Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615) - Fix a possible memory leak.