debian/0000755000000000000000000000000012265451451007173 5ustar debian/security2.conf0000644000000000000000000000055312147377536012010 0ustar # Default Debian dir for modsecurity's persistent data SecDataDir /var/cache/modsecurity # Include all the *.conf files in /etc/modsecurity. # Keeping your local configuration in that directory # will allow for an easy upgrade of THIS file and # make your life easier IncludeOptional /etc/modsecurity/*.conf debian/copyright0000644000000000000000000000152411777527431011141 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: modsecurity-apache Source: http://www.modsecurity.org Files: * Copyright: (c) 2006-2011 Trustwave Holdings, Inc. License: ASLv2 ModSecurity for Apache is provided to you under the terms and conditions of Apache Software License Version 2 (ASLv2). . On Debian systems, the complete text of the Apache Software License Version 2 can be found in "/usr/share/common-licenses/Apache-2.0". Files: debian/* Copyright: (c) 2006-2012 Alberto Gonzalez Iniesta License: ASLv2 Debian packaging for ModSecurity is provided to you under the terms and conditions of Apache Software License Version 2 (ASLv2). . On Debian systems, the complete text of the Apache Software License Version 2 can be found in "/usr/share/common-licenses/Apache-2.0". 
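Review bot: The existing comment above the condition ("Would storing this chunk mean going over the limit?") no longer describes the whole test, because the added clause skips the spill-to-disk branch whenever `reqbody_buffering` is `REQUEST_BODY_FORCEBUF_ON`. With that setting `reqbody_inmemory_limit` is not enforced at this point, so the body presumably keeps accumulating in memory until some other limit outside this hunk stops it. That trade-off deserves a comment next to the new clause, e.g. `/* Forced buffering keeps the whole body in memory: never spill to disk, reqbody_inmemory_limit does not apply here. */`. The enclosing function starts and ends outside the hunk, so the overall request-body limit could not be checked from here.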
debian/libapache2-mod-security2.install0000644000000000000000000000025212255025076015257 0ustar mlogc/mlogc usr/bin mlogc/README.mlogc usr/share/doc/libapache2-modsecurity mlogc/mlogc-default.conf usr/share/doc/libapache2-modsecurity unicode.mapping etc/modsecurity debian/security2.load0000644000000000000000000000016112147377536011775 0ustar # Depends: unique_id LoadFile libxml2.so.2 LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so debian/patches/0000755000000000000000000000000012164316272010621 5ustar debian/patches/CVE-2013-2765.patch0000644000000000000000000000117412153314362013242 0ustar Index: modsecurity-apache-2.6.6/apache2/msc_reqbody.c =================================================================== --- modsecurity-apache-2.6.6.orig/apache2/msc_reqbody.c 2012-06-14 13:39:00.000000000 +0000 +++ modsecurity-apache-2.6.6/apache2/msc_reqbody.c 2013-05-29 09:44:28.886388876 +0000 @@ -170,6 +170,7 @@ /* Would storing this chunk mean going over the limit? */ if ((msr->msc_reqbody_spilltodisk) + && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON) && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit)) { msc_data_chunk **chunks; debian/patches/debian_log_dir.patch0000644000000000000000000000127112164316272014564 0ustar Description: Set correct path to log file Author: Alberto Gonzalez Iniesta Index: modsecurity-apache/modsecurity.conf-recommended =================================================================== --- modsecurity-apache.orig/modsecurity.conf-recommended 2013-07-01 17:13:59.073050051 +0200 +++ modsecurity-apache/modsecurity.conf-recommended 2013-07-01 17:13:59.069050036 +0200 
@@ -184,7 +184,7 @@ # assumes that you will use the audit log only ocassionally. # SecAuditLogType Serial -SecAuditLog /var/log/modsec_audit.log +SecAuditLog /var/log/apache2/modsec_audit.log # Specify the path for concurrent audit logging. #SecAuditLogStorageDir /opt/modsecurity/var/audit/ debian/patches/CVE-2013-1915.patch0000644000000000000000000000734312127763044013250 0ustar Description: CVE-2013-1915: Vulnerable to XXE attacks This upstream patch has been backported to the Wheezy version. Author: Thomas Goirand Bug-Debian: http://bugs.debian.org/704625 Origin: upstream, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe Reviewed-By: Alberto Gonzalez Iniesta Last-Update: <2013-04-06> --- modsecurity-apache-2.6.6.orig/apache2/msc_xml.c +++ modsecurity-apache-2.6.6/apache2/msc_xml.c @@ -14,17 +14,27 @@ #include "msc_xml.h" +static xmlParserInputBufferPtr +xml_unload_external_entity(const char *URI, xmlCharEncoding enc) { + return NULL; +} /** * Initialise XML parser. */ int xml_init(modsec_rec *msr, char **error_msg) { + xmlParserInputBufferCreateFilenameFunc entity; + if (error_msg == NULL) return -1; *error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); if (msr->xml == NULL) return -1; + if(msr->txcfg->xml_external_entity == 0) { + entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity); + } + return 1; } --- modsecurity-apache-2.6.6.orig/apache2/apache2_config.c +++ modsecurity-apache-2.6.6/apache2/apache2_config.c @@ -128,6 +128,9 @@ void *create_directory_config(apr_pool_t /* Collection timeout */ dcfg->col_timeout = NOT_SET; + /* xml external entity */ + dcfg->xml_external_entity = NOT_SET; + return dcfg; } 
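Review bot: In `xml_init` (msc_xml.c hunk) the previous loader returned by `xmlParserInputBufferCreateFilenameDefault()` is stored in the local `entity` and then dropped, and there is no branch for `xml_external_entity != 0`, so the replacement is never undone. libxml2 keeps this callback as library-wide state (per thread in threaded builds, as far as I know) rather than per parser context, so after one transaction with SecXmlExternalEntity Off the NULL-returning loader presumably stays installed for later transactions on the same worker, including locations configured On, and for any other libxml2 user in the process. That fails closed for the XXE case, but it should be stated in a comment above the call, e.g. `/* Library-wide libxml2 hook: blocks all filename-based input until replaced; not restored per request. */`, and the unused variable can go: `(void)xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);`. If a per-location On is meant to work, the saved handler has to outlive this function and be reinstated when the transaction's XML state is cleaned up, which is code outside this hunk.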
@@ -518,6 +521,10 @@ void *merge_directory_configs(apr_pool_t merged->col_timeout = (child->col_timeout == NOT_SET ? parent->col_timeout : child->col_timeout); + /* xml external entity */ + merged->xml_external_entity = (child->xml_external_entity == NOT_SET + ? parent->xml_external_entity : child->xml_external_entity); + return merged; } @@ -615,6 +622,9 @@ void init_directory_config(directory_con if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0; if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600; + + /* xml external entity */ + if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0; } /** @@ -1961,6 +1971,32 @@ static const char *cmd_web_app_id(cmd_pa return NULL; } +/** +* \brief Add SecXmlExternalEntity configuration option +* +* \param cmd Pointer to configuration data +* \param _dcfg Pointer to directory configuration +* \param p1 Pointer to configuration option +* +* \retval NULL On failure +* \retval apr_psprintf On Success +*/ +static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1) +{ + directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "on") == 0) { + dcfg->xml_external_entity = 1; + } + else if (strcasecmp(p1, "off") == 0) { + dcfg->xml_external_entity = 0; + } + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1); + + return NULL; +} + /* PCRE Limits */ static const char *cmd_pcre_match_limit(cmd_parms *cmd, @@ -2295,6 +2331,14 @@ const command_rec module_directives[] = "component signature to add to ModSecurity signature." ), + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", + cmd_xml_external_entity, + NULL, + CMD_SCOPE_ANY, + "On or Off" + ), + AP_INIT_FLAG ( "SecContentInjection", cmd_content_injection, --- modsecurity-apache-2.6.6.orig/apache2/modsecurity.h +++ modsecurity-apache-2.6.6/apache2/modsecurity.h 
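Review bot: The `\retval` lines in the new doc comment for `cmd_xml_external_entity` are inverted: the function returns NULL after accepting "on" or "off" and returns the `apr_psprintf` message for an invalid value, so the comment should read `\retval NULL On success` and `\retval error message On an invalid value`. Also, `if (dcfg == NULL) return NULL;` reports the same result as success while ignoring the directive; for a setting that guards against external entity loading, returning an error string there would make the case visible at configuration time. The rejection of any value other than on/off is already in place and needs no change.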
@@ -522,6 +522,9 @@ struct directory_config { /* Collection timeout */ int col_timeout; + + /* xml */ + int xml_external_entity; }; struct error_message { debian/patches/CVE-2012-4528.patch0000644000000000000000000001025612041253156013240 0ustar Index: modsecurity-apache/apache2/msc_multipart.c =================================================================== --- modsecurity-apache.orig/apache2/msc_multipart.c 2012-06-15 12:32:21.316004131 +0200 +++ modsecurity-apache/apache2/msc_multipart.c 2012-10-22 16:21:24.234389205 +0200 @@ -653,6 +653,7 @@ } } else { + msr->mpd->flag_invalid_part = 1; msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): " "(offset %u, length %u)", msr->mpd->mpp, msr->mpd->mpp->offset, msr->mpd->mpp->length); @@ -944,7 +945,7 @@ if (msr->mpd->flag_header_folding) { msr_log(msr, 4, "Multipart: Warning: header folding used."); - } + } if (msr->mpd->flag_crlf_line && msr->mpd->flag_lf_line) { msr_log(msr, 4, "Multipart: Warning: mixed line endings used (CRLF/LF)."); @@ -961,9 +962,13 @@ msr_log(msr, 4, "Multipart: Warning: invalid quoting used."); } + if (msr->mpd->flag_invalid_part) { + msr_log(msr, 4, "Multipart: Warning: invalid part parsing."); + } + if (msr->mpd->flag_invalid_header_folding) { msr_log(msr, 4, "Multipart: Warning: invalid header folding used."); - } + } } if ((msr->mpd->seen_data != 0) && (msr->mpd->is_complete == 0)) { Index: modsecurity-apache/apache2/msc_multipart.h =================================================================== --- modsecurity-apache.orig/apache2/msc_multipart.h 2012-03-16 13:23:17.667622550 +0100 +++ modsecurity-apache/apache2/msc_multipart.h 2012-10-22 16:21:24.258389323 +0200 
@@ -117,6 +117,7 @@ int flag_boundary_whitespace; int flag_missing_semicolon; int flag_invalid_quoting; + int flag_invalid_part; int flag_invalid_header_folding; int flag_file_limit_exceeded; }; Index: modsecurity-apache/apache2/re_variables.c =================================================================== --- modsecurity-apache.orig/apache2/re_variables.c 2012-03-16 13:23:17.671622573 +0100 +++ modsecurity-apache/apache2/re_variables.c 2012-10-22 16:21:24.226389170 +0200 @@ -1377,6 +1377,18 @@ } } +/* MULTIPART_INVALID_PART */ + +static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, + apr_table_t *vartab, apr_pool_t *mptmp) +{ + if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) { + return var_simple_generate(var, vartab, mptmp, "1"); + } else { + return var_simple_generate(var, vartab, mptmp, "0"); + } +} + /* MULTIPART_INVALID_QUOTING */ static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, @@ -1429,6 +1441,7 @@ ||(msr->mpd->flag_lf_line != 0) ||(msr->mpd->flag_missing_semicolon != 0) ||(msr->mpd->flag_invalid_quoting != 0) + ||(msr->mpd->flag_invalid_part != 0) ||(msr->mpd->flag_invalid_header_folding != 0) ||(msr->mpd->flag_file_limit_exceeded != 0) ) { @@ -2835,6 +2848,17 @@ VAR_DONT_CACHE, /* flag */ PHASE_REQUEST_BODY ); + + /* MULTIPART_INVALID_PART */ + msre_engine_variable_register(engine, + "MULTIPART_INVALID_PART", + VAR_SIMPLE, + 0, 0, + NULL, + var_multipart_invalid_part_generate, + VAR_DONT_CACHE, /* flag */ + PHASE_REQUEST_BODY + ); /* MULTIPART_INVALID_QUOTING */ msre_engine_variable_register(engine, Index: modsecurity-apache/modsecurity.conf-recommended =================================================================== --- modsecurity-apache.orig/modsecurity.conf-recommended 2012-10-22 16:20:21.474077998 +0200 +++ modsecurity-apache/modsecurity.conf-recommended 2012-10-22 16:21:24.258389323 +0200 
@@ -70,6 +70,7 @@ LF %{MULTIPART_LF_LINE}, \ SM %{MULTIPART_SEMICOLON_MISSING}, \ IQ %{MULTIPART_INVALID_QUOTING}, \ +IQ %{MULTIPART_INVALID_PART}, \ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'" debian/patches/series0000644000000000000000000000002512164316247012035 0ustar debian_log_dir.patch debian/rules0000755000000000000000000000440512265451334010256 0ustar #!/usr/bin/make -f # Sample debian/rules that uses debhelper. # GNU copyright 1997 to 1999 by Joey Hess. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS) LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) build: build-arch build-indep build-arch: build-stamp build-indep: # Nothing to do here build-stamp: dh_testdir dh_autoreconf ./configure --prefix=/usr --with-apxs=/usr/bin/apxs2 --with-apr=/usr/bin/apr-config --with-lua=/usr/include/lua5.1 CPPFLAGS='$(CPPFLAGS)' CFLAGS='$(CFLAGS)' LDFLAGS='$(LDFLAGS)' # remove rpath sed -i -r 's/(hardcode_into_libs)=.*/\1=no/' $(CURDIR)/libtool cd apache2 && $(MAKE) cd mlogc && $(MAKE) # since we cannot rename with dh_install, create a copy of the file with the desired name cp mlogc/INSTALL mlogc/README.mlogc touch build-stamp clean: dh_testdir dh_testroot rm -f build-stamp [ ! -f Makefile ] || $(MAKE) distclean cd mlogc && [ ! -f Makefile ] || $(MAKE) clean rm -f mlogc/README.mlogc dh_autoreconf_clean dh_clean rm -f config.log install: build dh_testdir dh_testroot dh_prep dh_installdirs dh_install dh_apache2 binary-indep: build install dh_testdir -i dh_testroot -i dh_installdocs -i dh_installchangelogs -i dh_link -i dh_compress -i -Xexample dh_fixperms -i dh_installdeb -i dh_gencontrol -i dh_md5sums -i dh_builddeb -i # Build architecture-dependent files here. 
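Review bot: The added line reuses the `IQ` tag that the line above already assigns to `MULTIPART_INVALID_QUOTING`, so in the logged message the two values cannot be told apart by tag; a distinct tag such as `IP %{MULTIPART_INVALID_PART}, \` keeps triage of multipart strict-validation hits unambiguous. The context lines show the same problem with `IH`, used for both `MULTIPART_INVALID_HEADER_FOLDING` and `MULTIPART_FILE_LIMIT_EXCEEDED`, which could be fixed in the same pass. The rule these lines belong to begins outside the hunk.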
binary-arch: build install dh_testdir -a dh_testroot -a # dh_installdebconf -a dh_installdocs -a # dh_installexamples -a cp modsecurity.conf-recommended debian/libapache2-mod-security2/etc/modsecurity # dh_installmenu -a # dh_installlogrotate -a # dh_installemacsen -a # dh_installpam -a # dh_installmime -a # dh_installinit -a # dh_installcron -a # dh_installman -a # dh_installinfo -a # dh_undocumented -a dh_installchangelogs CHANGES -a dh_link -a dh_strip -a # don't compress examples dh_compress -a -Xexample dh_fixperms -a chown www-data debian/libapache2-mod-security2/var/cache/modsecurity # dh_makeshlibs -a dh_installdeb -a # dh_perl -a dh_shlibdeps -a dh_gencontrol -a dh_md5sums -a dh_builddeb -a binary: binary-arch binary-indep .PHONY: build clean binary-indep binary-arch binary install build-arch build-indep debian/compat0000644000000000000000000000000211730630265010367 0ustar 7 debian/libapache2-mod-security2.dirs0000644000000000000000000000007611730630265014555 0ustar usr/lib/apache2/modules etc/modsecurity var/cache/modsecurity debian/libapache2-mod-security2.NEWS0000644000000000000000000000270312255016665014374 0ustar modsecurity-apache (2.7.7-1) unstable; urgency=low New name -------- From this version libapache2-modsecurity changes name to libapache2-mod-security2, to follow the naming of other Apache 2 modules. -- Alberto Gonzalez Iniesta Fri, 20 Dec 2013 11:36:30 +0100 modsecurity-apache (2.5.13-1) unstable; urgency=low New name -------- From this version libapache-mod-security changes name to libapache2-modsecurity, to follow the naming of other Apache 2 modules. It's source package is now named modsecurity-apache, in accordance with its upstream name. Previous source package name came from the 1.x series. New way to handle configuration ------------------------------- Previous versions of libapache2-modsecurity did not offer a standard way to handle its configuration. 
Starting with this version mod-security.conf, in /etc/apache2/mods-available/, sets SecDataDir and includes all the *.conf files in /etc/modsecurity, where you can deploy your configuration files. An example file is provided in /etc/modsecurity so you can start using it now! (see README.Debian) mod-security-common will now be modsecurity-crs ----------------------------------------------- Using upstream's independent tarball for Core Rules as the source package, allowing for easy updating of the rules without the need to upgrade the module too. -- Alberto Gonzalez Iniesta Wed, 23 Mar 2011 18:36:29 +0100 debian/clean0000644000000000000000000000060011730630265010172 0ustar apache2/mlogc-src/mlogc-batch-load.pl apache2/t/run-unit-tests.pl apache2/t/run-regression-tests.pl apache2/t/gen_rx-pm.pl apache2/t/csv_rx-pm.pl apache2/t/regression/server_root/conf/httpd.conf tools/rules-updater.pl apache2/build/apxs-wrapper apache2/t/run-tests.pl apache2/mlogc-src/Makefile apache2/config.log apache2/config.status apache2/mod_security2_config.h apache2/Makefile debian/control0000644000000000000000000000303712265451272010602 0ustar Source: modsecurity-apache Section: httpd Priority: optional Maintainer: Alberto Gonzalez Iniesta Build-Depends: debhelper (>> 8.1.0~), apache2-dev, libxml2-dev (>= 2.0.50-10), liblua5.1-0-dev, libcurl4-gnutls-dev, dh-autoreconf Standards-Version: 3.9.5 Homepage: http://www.modsecurity.org/ Package: libapache2-mod-security2 Architecture: any Replaces: libapache2-modsecurity (<< 2.7.7-1~) Breaks: libapache2-modsecurity (<< 2.7.7-1~) Recommends: modsecurity-crs Depends: libxml2, ${shlibs:Depends}, ${misc:Depends} Description: Tighten web applications security for Apache Modsecurity is an Apache module whose purpose is to tighten the Web application security. Effectively, it is an intrusion detection and prevention system for the web server. . 
At the moment its main features are: * Audit log; store full request details in a separate file, including POST payloads. * Request filtering; incoming requests can be analysed and offensive requests can be rejected (or simply logged, if that is what you want). This feature can be used to prevent many types of attacks (e.g. XSS attacks, SQL injection, ...) and even allow you to run insecure applications on your servers (if you have no other choice, of course). Package: libapache2-modsecurity Architecture: all Priority: extra Section: oldlibs Depends: libapache2-mod-security2, ${misc:Depends} Description: Dummy transitional package This package is provided to ease the updating of modsecurity to the new package name. You may safely remove it. debian/watch0000644000000000000000000000012011730630265010213 0ustar version=3 http://www.modsecurity.org/download/ modsecurity-apache_(.*)\.tar\.gz debian/libapache2-mod-security2.maintscript0000644000000000000000000000031212147377536016156 0ustar mv_conffile /etc/apache2/mods-available/mod-security.conf /etc/apache2/mods-available/security2.conf mv_conffile /etc/apache2/mods-available/mod-security.load /etc/apache2/mods-available/security2.load debian/libapache2-mod-security2.docs0000644000000000000000000000002011730630265014531 0ustar README.TXT doc/ debian/libapache2-mod-security2.apache20000644000000000000000000000012712147377536015130 0ustar mod apache2/.libs/mod_security2.so mod debian/security2.load mod debian/security2.conf debian/README.Debian0000644000000000000000000000107111750526501011230 0ustar Starting with modsecurity ------------------------- If you want to start using Modsecurity without the risk of blocking your current sites, you may rename /etc/modsecurity/modsecurity.conf-recommended to /etc/modsecurity/modsecurity.conf and restart Apache. By default this configuration will run modsecurity in DetectOnly mode, thus just logging matching rules, but not acting on the requests. 
You may also install the modsecurity-crs package which includes lots of well tested rules. -- Alberto Gonzalez Iniesta Thu, 03 May 2012 18:07:24 +0200 debian/source/0000755000000000000000000000000011730630265010471 5ustar debian/source/format0000644000000000000000000000001411730630265011677 0ustar 3.0 (quilt) debian/changelog0000644000000000000000000003210412265451250011042 0ustar modsecurity-apache (2.7.7-2) unstable; urgency=medium * Use dh-autoreconf to fix FTBFS on ppc64el. (Closes: #734573) Thanks Logan Rosen for the patch. -- Alberto Gonzalez Iniesta Wed, 15 Jan 2014 10:18:58 +0100 modsecurity-apache (2.7.7-1) unstable; urgency=low * New upstream version * Bumped Standards-Version to 3.9.5 * Renamed binary package so that it follows naming standards -- Alberto Gonzalez Iniesta Thu, 19 Dec 2013 17:09:28 +0100 modsecurity-apache (2.7.5-1) unstable; urgency=low * New upstream version -- Alberto Gonzalez Iniesta Fri, 11 Oct 2013 11:24:43 +0200 modsecurity-apache (2.7.4-1) unstable; urgency=low * New upstream version. * Remove doc-base since doc files were removed upstream. -- Alberto Gonzalez Iniesta Mon, 01 Jul 2013 17:14:29 +0200 modsecurity-apache (2.6.6-9) unstable; urgency=high * Applied upstream patch to fix NULL pointer dereference. CVE-2013-2765. (Closes: #710217) -- Alberto Gonzalez Iniesta Tue, 04 Jun 2013 09:34:41 +0200 modsecurity-apache (2.6.6-8) unstable; urgency=low * Upload to unstable. -- Alberto Gonzalez Iniesta Tue, 28 May 2013 18:20:39 +0200 modsecurity-apache (2.6.6-7) experimental; urgency=low [Arno Töll] * Add support for Apache 2.4 using the patch provided by Ondřej Surý (Closes: #666848) * Move apache2 configuration files to their canonical name: - mod-security.load -> security2.load - mod-security.conf -> security2.conf Thus, also slightly raise the debhelper build dependency to 8.1. 
* Update security2.conf for changes in Apache 2.4 -- Alberto Gonzalez Iniesta Thu, 23 May 2013 13:38:35 +0200 modsecurity-apache (2.6.6-6) unstable; urgency=high * Applied upstream patch to fix XXE attacks. CVE-2013-1915 Thanks Thomas Goirand for backporting the patch. (Closes: #704625) Adds new SecXmlExternalEntity option which by default (Off) disables the external entity load task executed by libxml2. -- Alberto Gonzalez Iniesta Sat, 06 Apr 2013 11:09:12 +0200 modsecurity-apache (2.6.6-5) unstable; urgency=high * Applied upstream patch to fix multipart/invalid part ruleset bypass. CVE-2012-4528. (Closes: #691146) -- Alberto Gonzalez Iniesta Mon, 22 Oct 2012 16:23:19 +0200 modsecurity-apache (2.6.6-4) unstable; urgency=low * Fix dangling symlink to /usr/share/doc/mod-security-common. (Closes: #687866) -- Alberto Gonzalez Iniesta Mon, 01 Oct 2012 18:05:09 +0200 modsecurity-apache (2.6.6-3) unstable; urgency=low * Relicense debian/* files to ASLv2 to avoid conflicts with upstream license. -- Alberto Gonzalez Iniesta Thu, 12 Jul 2012 13:05:20 +0200 modsecurity-apache (2.6.6-2) unstable; urgency=low * Updated debian/copyright with right license. -- Alberto Gonzalez Iniesta Mon, 02 Jul 2012 17:23:08 +0200 modsecurity-apache (2.6.6-1) unstable; urgency=low * New upstream release. * Remove patches/fix_non_linux.patch. Applied upstream. * debian/rules: cleanup. * Add hardening flags to build process. -- Alberto Gonzalez Iniesta Fri, 15 Jun 2012 12:34:20 +0200 modsecurity-apache (2.6.5-2) unstable; urgency=low * mod-security.load: removed /usr/lib/ from libxml2's LoadFile path. (Closes: #670247) * README.Debian: Fix name of example configuration file. (Closes: #668938, #659858) * debian/control: Remove mention to modsecurity-common. 
(Closes: #662862) -- Alberto Gonzalez Iniesta Thu, 03 May 2012 17:36:01 +0200 modsecurity-apache (2.6.5-1) unstable; urgency=low * New upstream release -- Alberto Gonzalez Iniesta Tue, 20 Mar 2012 20:05:09 +0100 modsecurity-apache (2.6.4-1) unstable; urgency=low * New upstream release * Apply patch by Peter Michael Green to fix FTBFS on non-linux kernels. (Closes: #631649, #654719) * Added doc-base entry * Set Priority to extra for transitional libapache-mod-security -- Alberto Gonzalez Iniesta Fri, 16 Mar 2012 13:26:32 +0100 modsecurity-apache (2.6.3-1) unstable; urgency=low * New upstream release * Include mlogc (still missing manpage). (Closes: #645875) * postinst: changed force-reload to restart to avoid apache from segfaulting when upgrading modsecurity module (Closes: #574376) -- Alberto Gonzalez Iniesta Wed, 28 Dec 2011 16:51:11 +0100 modsecurity-apache (2.6.2-1) unstable; urgency=low * New upstream release (Closes: #634844) -- Alberto Gonzalez Iniesta Sun, 02 Oct 2011 11:34:03 +0200 modsecurity-apache (2.6.0-1) unstable; urgency=low * New upstream release (Closes: #627858, #607763) * Bumped Standards-Version to 3.9.2 -- Alberto Gonzalez Iniesta Thu, 16 Jun 2011 13:58:40 +0200 modsecurity-apache (2.5.13-1) unstable; urgency=low * The "Rename the whole thing" release Move to libapache2- for the binary package to match the rest of Apache 2.x modules. Rename the source package to its current name, modsecurity-apache, since the former source name came from very old versions (1.x). Also allowing the future modsecurity-crs to have a more related source name. (Closes: #516540) * Merge documentation in libapache2-modsecurity temporarily. mod-security-common is going away. modsecurity-crs will soon come. * New upstream release * debian/control: - Added Homepage field - Bumped Standards-Version to 3.9.1 * Added watch file -- Alberto Gonzalez Iniesta Wed, 23 Mar 2011 18:36:29 +0100 libapache-mod-security (2.5.12-1) unstable; urgency=low * New upstream release. 
Fixes several security issues. (Closes: #569658) * Moved to dpkg-source 3.0 (quilt). * Bumped Standards-Version to 3.8.4.0 -- Alberto Gonzalez Iniesta Thu, 11 Mar 2010 13:36:25 +0100 libapache-mod-security (2.5.11-1) unstable; urgency=low * New upstream release * Changed section to httpd (from web) -- Alberto Gonzalez Iniesta Thu, 12 Nov 2009 11:50:33 +0100 libapache-mod-security (2.5.10-1) unstable; urgency=low * New upstream version. * debian/control: remove mod-security-common dependency on libapache-mod-security. (Closes: #529064) * liblua correctly detected on build now. (Closes: #524913) -- Alberto Gonzalez Iniesta Thu, 01 Oct 2009 12:57:44 +0200 libapache-mod-security (2.5.9-1) unstable; urgency=high * New upstream release. (Closes: #512472) Urgency high due to it fixing multiple remote DoS. Bugtraq ID: 34096 * Moved to debhelper compatibility level 7: - echo 7 > debian/compat - Added ${misc:Depends} to debian/control - Bumped debhelper version dependency in debian/control * Fixed long description formatting. (Closes: #516540) * Prepared build of mlogc, not releasing this time due to urgency of release and missing man page. -- Alberto Gonzalez Iniesta Mon, 23 Mar 2009 09:56:42 +0100 libapache-mod-security (2.5.6-1) unstable; urgency=low * The 'Back to the archive!' Release (Closes: #487431) * Drop '2' from package name, now libapache-mod-security * New upstream release - Includes a new licensing exception that allows binary distribution with licenses not compatible with GPLv2, such as Apache's. See MODSECURITY_LICENSING_EXCEPTION * Removed debian/bug and debian/rules entry to install bug handling when out of the archive. 
* Bumped Standards-Version to 3.8.0.0 -- Alberto Gonzalez Iniesta Fri, 08 Aug 2008 13:31:56 +0200 libapache-mod-security2 (2.5.5-1) unstable; urgency=low * New upstream release -- Alberto Gonzalez Iniesta Tue, 10 Jun 2008 17:21:48 +0200 libapache-mod-security2 (2.5.0-1) unstable; urgency=low * New upstream release * Added liblua5.1-0-dev to Build-Depends * Added apache2-prefork-dev as Build-Depends alternative -- Alberto Gonzalez Iniesta Sun, 09 Mar 2008 19:41:47 +0100 libapache-mod-security2 (2.1.5-1) unstable; urgency=low * New upstream release -- Alberto Gonzalez Iniesta Thu, 31 Jan 2008 16:27:29 +0100 libapache-mod-security2 (2.1.2-1) unstable; urgency=low * New upstream version -- Alberto Gonzalez Iniesta Mon, 06 Aug 2007 21:55:28 +0200 libapache-mod-security2 (2.1.0-1) unstable; urgency=low * New upstream version * Added Core Rules to examples directory -- Alberto Gonzalez Iniesta Sun, 4 Mar 2007 15:17:08 +0100 libapache-mod-security2 (2.0.4-1) unstable; urgency=low * New upstream version -- Alberto Gonzalez Iniesta Sat, 18 Nov 2006 11:00:21 +0100 libapache-mod-security2 (2.0.3-1) unstable; urgency=low * Initial release (Only available for Apache 2.x) -- Alberto Gonzalez Iniesta Mon, 06 Nov 2006 17:55:54 +0100 libapache-mod-security (1.9.4-2) unstable; urgency=low * Moved to apache2.2-common * Fixed Depends between libapache2-mod-security, libapache-mod-security and mod-security-common, so they can be binNMUed * Bumped Standards-Version to 3.7.2.2 -- Alberto Gonzalez Iniesta Mon, 30 Oct 2006 16:52:16 +0100 libapache-mod-security (1.9.4-1) unstable; urgency=low * New upstream release. * Added bug control files to avoid spamming Debian's BTS. Thanks Daniel Baumann for the patch. -- Alberto Gonzalez Iniesta Thu, 1 Jun 2006 09:29:40 +0200 libapache-mod-security (1.9.2.0-1) unstable; urgency=low * New upstream release. Note: Added extra .0 to version number to ease upgrading from -rc3 packages. 
-- Alberto Gonzalez Iniesta Fri, 27 Jan 2006 14:32:04 +0100 libapache-mod-security (1.9.2-rc3-1) unstable; urgency=low * New upstream release. * Moved away from Debian's archive due to license problems. (You may find updates @ http://inittab.org/debian) * Removed tests, as upstream did. Removed README.debian as it only mentioned tests. -- Alberto Gonzalez Iniesta Sat, 14 Jan 2006 21:44:50 +0100 libapache-mod-security (1.8.7-1) unstable; urgency=medium * New upstream release. (Closes: #285365) * Fixes several security issues, thus the urgency. * Set proper permissions on test suite scripts (Closes: #304195) * Corrected minor typo in README.Debian (Closes: #304196) * debian/control: Reworded packages descriptions to be more useful. (Closes: #304445) -- Alberto Gonzalez Iniesta Sun, 10 Apr 2005 12:28:03 +0200 libapache-mod-security (1.8.4-2) unstable; urgency=medium * New maintainer (Closes: #303613) * Thanks Adam Conrad for helping with the apache2 LFS transition. (Closes: #267353) * Patched apache2/mod_security.c to include regex.h and build correctly. (Closes: #297983). Thanks Andreas Jochens. This was RC, thus the urgency. -- Alberto Gonzalez Iniesta Fri, 8 Apr 2005 08:48:11 +0200 libapache-mod-security (1.8.4-1.1) unstable; urgency=high * NMU: Back out the ill-fated apache2 LFS transition. (closes: #267353) * Bump the apache2-threaded-dev build-dep to (>= 2.0.50-10) -- Adam Conrad Sun, 22 Aug 2004 22:49:06 -0700 libapache-mod-security (1.8.4-1) unstable; urgency=medium * Upload/fixes on maintainer's behalf (hence non-NMU version) * New upstream version (Closes: #256414) * Rebuilt with latest apache2-dev (Closes: #266187) * Change apache2-dev build-dep to apache2-threaded-dev, as the former is a virtual package, and can't have a versioned dep. 
-- Adam Conrad Tue, 17 Aug 2004 05:42:20 -0600 libapache-mod-security (1.7.1-1) unstable; urgency=low * New upstream version * Fix example http.conf path references in README.Debian (Closes: #216464) * Fix upstream url in copyright file * Also install new util directory with snort2modsec scripts * Added doc-base support for pdf documentation * Updated to use modules-config for apache 1.x instead of deprecated apacheconfig * Added http.example from CVS as upstream forgot to update it in tarball and there was some failing new tests -- Bruno Rodrigues Wed, 22 Oct 2003 14:29:09 +0100 libapache-mod-security (1.6-1) unstable; urgency=low * New upstream version (1.5 and 1.5.1 missed due to old information in old site; new site at http://www.modsecurity.org) * Fix typo in description (Closes: #195860) * Bumped Standards-Version to 3.6.1 * Since 1.5, mod_security supports apache 2.x, so there's a corresponding new libapache2-mod-security and a -common package -- Bruno Rodrigues Mon, 29 Sep 2003 14:48:32 +0100 libapache-mod-security (1.4.2-1) unstable; urgency=low * New upstream version * New package (Closes: #178722) * Fixed a bug in postrm -- Bruno Rodrigues Wed, 19 Mar 2003 02:51:55 +0000 libapache-mod-security (1.4-0) unstable; urgency=low * Initial release -- Bruno Rodrigues Tue, 28 Jan 2003 04:22:39 +0000