From 7376a77a6b56b96133f7503b278f02c33f0797e3 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys <bugs@centos.org>
Date: Apr 03 2014 09:52:27 +0000
Subject: import mod_security-2.7.3-5.el7.src.rpm


---

diff --git a/SOURCES/modsecurity-2.7.3-CVE-2013-5705.patch b/SOURCES/modsecurity-2.7.3-CVE-2013-5705.patch
new file mode 100644
index 0000000..1b99904
--- /dev/null
+++ b/SOURCES/modsecurity-2.7.3-CVE-2013-5705.patch
@@ -0,0 +1,12 @@
+diff -up modsecurity-apache_2.7.3/apache2/modsecurity.c.CVE-2013-5705 modsecurity-apache_2.7.3/apache2/modsecurity.c
+--- modsecurity-apache_2.7.3/apache2/modsecurity.c.CVE-2013-5705	2014-04-03 11:39:46.451454455 +0200
++++ modsecurity-apache_2.7.3/apache2/modsecurity.c	2014-04-03 11:40:47.176660100 +0200
+@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_
+     if (msr->request_content_length == -1) {
+         /* There's no C-L, but is chunked encoding used? */
+         char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
+-        if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
++        if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
+             msr->reqbody_should_exist = 1;
+             msr->reqbody_chunked = 1;
+         }
diff --git a/SPECS/mod_security.spec b/SPECS/mod_security.spec
index 55679f7..1654e75 100644
--- a/SPECS/mod_security.spec
+++ b/SPECS/mod_security.spec
@@ -10,7 +10,7 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
 Version: 2.7.3
-Release: 2%{?dist}
+Release: 5%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
@@ -18,6 +18,8 @@ Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{versi
 Source1: mod_security.conf
 Source2: 10-mod_security.conf
 Patch0: mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch
+Patch1: modsecurity-2.7.3-CVE-2013-5705.patch
+
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
 
@@ -39,6 +41,7 @@ This package contains the ModSecurity Audit Log Collector.
 %prep
 %setup -q -n modsecurity-apache_%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 %configure --enable-pcre-match-limit=1000000 \
@@ -109,6 +112,16 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Apr  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 2.7.3-5
+- Fix Chunked string case sensitive issue (CVE-2013-5705)
+  Resolves: rhbz#1082907
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.7.3-4
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.7.3-3
+- Mass rebuild 2013-12-27
+
 * Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-2
 - Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
 - Fix a possible memory leak.