summaryrefslogtreecommitdiff
path: root/security
AgeCommit message (Collapse)AuthorFilesLines
2014-02-24Update to 0.14:wiz3-13/+25
2014-01-09 Jean-Paul Calderone <exarkun@twistedmatrix.com> * OpenSSL: Port to the cffi-based OpenSSL bindings provided by <https://github.com/pyca/cryptography> 2013-10-06 Jean-Paul Calderone <exarkun@twistedmatrix.com> * OpenSSL/ssl/context.c: Add support for negotiating TLS v1.1 or v1.2. 2013-10-03 Christian Heimes <christian@python.org> * OpenSSL/crypto/x509.c: Fix an inconsistency in memory management in X509.get_serial_number which leads to crashes on some runtimes (certain Windows/Python 3.3 environments, at least).
2014-02-22Fix int types on SunOSwiedi1-1/+3
2014-02-22Additionally check underlying builtin openssl for builtin detection.obache1-2/+10
It will be done in mk/buildlink3/bsd.buildlink3.mk later, but not for standalone builtin check (with CHECK_BUILTIN.heimdal=yes).
2014-02-22Fixes builtin detection with CHECK_BUILTIN.openssl=yes.obache1-1/+6
Define BUILTINK_API_DEPENDS.openssl same as buildlink3.mk if not defined yet for the case checking builtin (CHECK_BUILTIN.openssl==yes).
2014-02-21gtk-doc-1.2 is responsible for recent PLIST change, record updated dependencyrichard1-2/+3
2014-02-21update PLIST with missing '*-insensitive.png' filesrichard1-1/+4
2014-02-21Update netpgp to version 20140220agc2-6/+6
Changes from previous version: + portability fixes from xtraeme for his Linux distribution: + add search for ar(1) into autoconf (I fixed this differently so as not to rely on an automake check) + define __printflike if it's not already defined + fix missing asprintf (I fixed this differently)
2014-02-20Add -lcrypt on Linux.jperkin1-1/+7
2014-02-20Move check of builtin openssl below to buildlink with openssl and exactly set asobache1-10/+11
checking builtin before including openssl/builtin.mk, so that wanted openssl will be picked up (formerly, BUILTINK_API_DEPENDS.openssl is ignored). Bump PKGREVISION.
2014-02-18Add missing examples confpettai1-1/+3
2014-02-17validns 0.8pettai3-10/+10
Miscellaneous bug fixes. Miscellaneous portability fixes. Support ECDSA and SHA-256 in SSHFP. Add support for SHA-384 digests in DS (RFC 6605). Support multiple -t options.
2014-02-17Update security/netpgp from version 20140210 to 20140211agc2-6/+6
Changes: Avoid a warning on Gentoo Linux about fwrite(3) -- their glibc declares fwrite(3) with the warn_unused_result attribute, from Razvan Cojocaru Manual page improvements from Anthony J. Bentley
2014-02-17+ crednspettai1-1/+2
2014-02-17Credns is a software program aimed at fortifying DNSSEC by performingpettai5-0/+56
validation in the DNS notify/transfer-chain. Currently credns is a fork of the NSD_3_2 branch that has been extended with the possibility to assess zones (received or updated by AXFR or IXFR) by running an external verifier. Only zones that are deemed correct by the verifier will be notified to (public) slave servers and offered for transfer.
2014-02-17Update netpgp package from 20101107 to 20140210agc3-10/+7
Main change is that the netpgpverify binary is no longer part of this package - instead, pkgsrc/security/netpgpverify and pkgsrc/security/libnetpgpverify should be used. Other changes since previous version include: > ---------------------------- > revision 1.96 > date: 2012-02-21 22:58:54 -0800; author: agc; state: Exp; lines: +5 -15; > Add the --trusted-keys argument to netpgpkeys(1) to print out PGP ids in a > machine-readable manner. > ---------------------------- > revision 1.95 > date: 2012-02-21 22:29:40 -0800; author: agc; state: Exp; lines: +1 -3; > re-order the fields that we print out in the pgp_sprint_pubkey() function > to be more usual. > > print out the name from within pgp_sprint_pubkey() rather than tagging it > onto the end of the output from the function. > ---------------------------- > revision 1.94 > date: 2011-08-02 00:16:56 -0700; author: agc; state: Exp; lines: +19 -8; > branches: 1.94.2; > plug some memory leaks in error paths > ---------------------------- > revision 1.93 > date: 2011-08-01 22:36:45 -0700; author: agc; state: Exp; lines: +19 -13; > when matching pubkeys, also return the first (pgp) uid for the key in the > resultant key listing > > when using json to format keys returned from libnetpgp, also prepare for > machine-readable format ("mr") as well as human ("human"), even though > it's not yet used. > ---------------------------- > revision 1.92 > date: 2011-06-27 20:35:28 -0700; author: agc; state: Exp; lines: +45 -24; > get some things off the TODO list > > when initialising, recognise keys in a different order. > > 1. read the public keyring > > 2. if a userid has been specified, use it > > 3. if not, check the configuration file (~/.gnupg/gpg.conf) for a > default user id > > 4, only read the secret keyring if we need to (decrypting or signing) > > 5. if signing, and we still don't have a userid, use the first key in > the secret keyring > > 6. if encrypting, and we still have no userid, use the first in the > public keyring > > ssh keys remain the same as previously. > ---------------------------- > revision 1.91 > date: 2011-06-27 00:05:31 -0700; author: agc; state: Exp; lines: +7 -5; > only attempt to load the secret key if we need to (for signing or for > decrypting). > ---------------------------- > revision 1.90 > date: 2011-06-24 17:37:44 -0700; author: agc; state: Exp; lines: +11 -7; > change mj library to take an additional argument for a string type, > denoting its length. this allows binary strings to be encoded using > libmj. > > escape magic characters in json strings in a more efficient manner. > the previous method was not scalable. > > update callers to suit > > bump libmj major version number > > add examples to the libmj(3) man page > ---------------------------- > revision 1.89 > date: 2011-01-02 21:34:53 -0800; author: agc; state: Exp; lines: +2 -2; > avoid a double free - from Anthony Bentley. > ---------------------------- > revision 1.88 > date: 2011-01-01 15:00:24 -0800; author: agc; state: Exp; lines: +17 -15; > clean up lint (on amd64) > ---------------------------- > revision 1.87 > date: 2010-12-01 14:14:52 -0800; author: agc; state: Exp; lines: +5 -2; > avoid nameclash - call the generated user id variable "generated userid" > avoid nameclash - call the generated user id variable "generated userid" > > also keep the time of structure initialisation as an internal variable. > ---------------------------- > revision 1.86 > date: 2010-12-01 14:01:41 -0800; author: agc; state: Exp; lines: +4 -2; > When generating a key, set the new key's userid (last 16 bytes of > fingerprint) as an internal netpgp variable. > > This can then be queried using netpgp_getvar(netpgp, "userid") to find the > new key's id. > ---------------------------- > revision 1.85 > date: 2010-11-28 20:20:12 -0800; author: agc; state: Exp; lines: +73 -18; > Fix PR 44075 from Peter Pentchev, but do this by adding a > --numtries=<attempts> option to netpgp(1) to provide the maximum > number of attempts to retrieve the correct passphrase when signing or > decrypting, and use it in libnetpgp(3). The default number of > attempts is 3, and a value of "unlimited" will loop until the correct > passphrase has been entered. > ---------------------------- > revision 1.84 > date: 2010-11-15 00:27:40 -0800; author: agc; state: Exp; lines: +13 -4; > Use a regular expression to match the various ASCII-armoured headers we > may encounter - fixes PR 44074 from Peter Pentchev in a different way. > ---------------------------- > revision 1.83 > date: 2010-11-15 00:03:39 -0800; author: agc; state: Exp; lines: +48 -3; > Changes to help with netpgp key generation and interoperability: > > + use plain SHA1 for session key s2k negotiation > + don't warn on some conditions when inflating (reading a compressed file) > since the conditions don't hold for partial block lengths > + prompt for a passphrase when generating a new key - used in the upcoming > secret-sharing functionality for netpgp > ----------------------------
2014-02-16Update security/netpgpverify to 20140210agc3-5/+5
minor lint fix
2014-02-16Update the libnetpgpverify package to version 20140210agc39-13027/+94
Switch over to using the zero-pre-requisite netpgpverify sources by using reachover infrastructure to make sure we have one set of sources. This also brings with it the benefit of being able to use SSH public keys, as well as PGP pub keys, when verifying signatures. Extend the package building mechanism so that it can be built using libtool (the default), or without libtool, depending on whether "BOOTSTRAP" is defined at package build time.
2014-02-16Updating package for Perl5 module IO::Socket::SSL from CPAN insno2-6/+6
security/p5-IO-Socket-SSL from 1.953 to 1.967. Upstream changes: 1.967 2014/02/06 - verify the hostname inside a certificate by default with a superset of common verification schemes instead of not verifying identity at all. For now it will only complain if name verification failed, in the future it will fail certificate verification, forcing you to set the expected SSL_verifycn_name if you want to accept the certificate. - new option SSL_fingerprint and new methods get_fingerprint and get_fingerprint_bin. Together they can be used to selectively accept specific certificates which would otherwise fail verification, like self-signed, outdated or from unknown CAs. This makes another reason to disable verification obsolete. - Utils: - default RSA key length 2048 - digest algorithm to sign certificate in CERT_create can be given, defaults to SHA-256 - CERT_create can now issue non-CA selfsigned certificate - CERT_create add some more useful constraints to certificate - spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi 1.966 2014/01/21 - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with specifying !TLSv12, only !TLSv1_2 worked - fixed leak of session objects in SessionCache, if another session replaced an existing session (introduced in 1.965) 1.965 2014/01/16 - new key SSL_session_key to influence how sessions are inserted and looked up in the clients session cache. This makes it possible to share sessions over different ip:host (like required with some FTPS servers) - t/core.t - handle case, were default loopback source is not 127.0.0.1, like in FreeBSD jails 1.964 2014/01/15 - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc - The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches the syntax from OpenSSL. The old syntax continues to work in SSL_version. - New functions get_sslversion and get_sslversion_int which get the SSL version of the establish session as string or int. - disable t/io-socket-inet6.t if Acme::Override::INET is installed 1.963 2014/01/13 - fix behavior of stop_SSL: for blocking sockets it now enough to call it once, for non-blocking it should be called again as long as EAGAIN and SSL_ERROR is set to SSL_WANT_(READ|WRITE). - don't call blocking if start_SSL failed and downgraded socket has no blocking method, thanks to tokuhirom - documentation enhancements: - special section for differences to IO::Socket - describe problem with blocking accept on non-blocking socket - describe arguments to new_from_fd and make clear, that for upgrading an existing IO::Socket start_SSL should be used directly 1.962 2013/11/27 - work around problems with older F5 BIG-IP by offering fewer ciphers on the client side by default, so that the client hello stays below 255 byte 1.961 2013/11/26 - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which are not self-signed (by giving issuer_*) 1.960 2013/11/12 only documentation enhancements: - clarify with text and example code, that within event loops not only select/poll should be used, but also pending has to be called. - better introduction into SSL, at least mention anonymous authentication as something you don't want and should take care with the right cipher - make it more clear, that user better does not change the cipher list, unless he really know what he is doing 1.959 2013/11/12 - bugfix test core.t windows only 1.958 2013/11/11 - cleanup: remove workaround for old IO::Socket::INET6 but instead require at least version 2.55 which is now 5 years old - fix t/session.t #RT90240, thanks to paul[AT]city-fan[DOT]org 1.957 2013/11/11 - fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous authorization. With the DH param given by default since 1.956 old versions of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous authorization) instead of AES256-SHA and thus the check for the peer certificate failed (because ADH does not exchanges certificates). Fixed by explicitly specifying HIGH:!aNULL as cipher RT#90221, thanks to paul[AT]city-fan[DOT]org - cleaned up tests: - remove ssl_settings.req and 02settings.t, because all tests now create a simple socket at 127.0.0.1 and thus global settings are no longer needed. - some tests did not have use strict(!), fixed it. - removed special handling for older Net::SSLeay versions, which are less than our minimum requirement - some syntax enhancements, removed some SSL_version and SSL_cipher_list options where they were not really needed 1.956 2013/11/10 lots of behavior changes for more secure defaults: - BEHAVIOR CHANGE: make default cipher list more secure, especially - no longer support MD5 by default (broken) - no longer support anonymous authentication by default (vulnerable to man in the middle attacks) - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that it uses by default forward secrecy, if underlying Net::SSLeay/openssl supports it - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully been fixed and now RC4 is considered less safe than 3DES) - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to get the best cipher even if client prefers other ciphers PLEASE NOTE that this might break connections with older, less secure implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so. - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and thus gets reused if context gets reused. PLEASE NOTE that using SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the ciphers of the context. - rework hostname verification schemes - add rfc names as scheme (e.g. 'rfc2818',...) - add SIP, SNMP, syslog, netconf, GIST - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'.. but not 'www' - anywhere wildcards like x* are no longer applied to IDNA names (which start with 'xn--') - fix crash of Utils::CERT_free - support TLSv11, TLSv12 as handshake protocols 1.955 2013/10/11 - support for forward secrecy using ECDH, if the Net::SSLeay/openssl version supports it. 1.954 2013/9/15 - accept older versions of ExtUtils::MakeMaker and add meta information like link to repository only for newer versions.
2014-02-16Updating package for Perl5 module Net::SSLeay in CPAN insno2-7/+6
security/p5-Net-SSLeay from 1.55nb1 to 1.58. Upstream changes: 1.58 2014-01-15 Always use size_t for strlen() return value, requested by Alexander Bluhm. t/external/20_cert_chain.t was missing from dist. Version number in META.yml was incorrect Improvements to test t/external/20_cert_chain.t to provoke following bug: Fixed crash due to SSL_get_peer_cert_chain incorrectly free'ing the chain after use. Fixed a problem when compiling against openssl where OPENSSL_NO_EC is set. 1.57 2014-01-09 Fixed remaining problems with test suite: pod coverage and kwalitee tests are only enabled with RELEASE_TESTING=1 1.56 2014-01-08 Fixed a typo in documentation of BEAST Attack, patched by gregor herrmann. Added LICENSE file copied form OpenSSL distribution to prevent complaints from various versions of kwalitee. Adjusted license: in META.yml to be 'openssl' Adds support for the basic operations necessary to support ECDH for PFS, e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh. Improvements to t/handle/external/50_external.t to handle the case when a test connection was not possible. Patched by Alexandr Ciornii. Added support for ALPN TLS extension. Patch from Lubomir Rintel. Tested with openssl-1.0.2-stable-SNAP-20131205. Fix an use-after-free error. Patch from Lubomir Rintel. Fixed a problem with Invalid comparison on OBJ_cmp result in t/local/36_verify.t. Contributed by paul. Added support for get_peer_cert_chain(). Patch by Markus Benning. Fixed a bug that cold cause stack faults: mixed up PUTBACK with SPAGAIN in ssleay_RSA_generate_key_cb_invoke() a final PUTBACK is needed here. A second issue is also fixed: cb->data defaults to &PL_sv_undef but throught the code you do not check against &PL_sv_undef, just NULL. To avoid passing the 3rd optional arg at all, do not create it. This fixes all the cb->data checks and wrong refcounts on &PL_sv_undef. Patched by Reini Urban. Deleted support for SSL_get_tlsa_record_byname: it is not included in OpenSSL git master.
2014-02-14update to 3.2.11drochner7-80/+16
changes: Fix bug that prevented the rejection of v1 intermediate CA certificates (CVE-2014-1959)
2014-02-14Updated to apg-2.3.0b, released 09/08/2003. From CHANGES:rodent3-23/+27
Added support for cracklib Improved Makefile structure
2014-02-13Fix for Darwin version higher that 10adam1-2/+2
2014-02-13Note that EasyPG is built into emacs23 and later.gdt2-3/+5
Therefore, also drop emacs23 as an acceptable version of emacs for this package. (xemacs versions need review.)
2014-02-12Undo undesired ABI version bump done by "blbump" script.tron1-2/+2
2014-02-12Recursive PKGREVISION bump for OpenSSL API version bump.tron131-238/+262
2014-02-12Set minimum required API version of OpenSSL to 1.0.1c:tron1-3/+3
1.) OpenSSL 0.9.8* doesn't support TLS 1.2, Elliptic curve cryptography and other modern TLS features. 2.) Supporting OpenSSL 0.9.8* causes extra maintenance overhead. As a result NetBSD 5.*, all versions of Mac OS X and possibly other platforms will now use OpenSSL from "pkgsrc".
2014-02-10Add patch from GnuTLS repository to fix build of assembler routinestron7-9/+77
under Mac OS X. Crucial hint provided by Nikos Mavrogiannopoulos.
2014-02-10Update the example ssh-key-signed input file, so that there's no embeddedagc3-2/+0
RCS Id in it. Re-sign (both embedded and detached) signatures on this data. No functional change, so no version bumps.
2014-02-09Add network libs on SunOSwiedi1-3/+5
2014-02-06Update ap-modsecurity2 to 2.7.7.obache4-72/+17
17 Dec 2013 - 2.7.7 ------------------- Fixes: - Changed release version to 2.7.7 - Got the configure scripts inside the release tarball 16 Dec 2013 - 2.7.6 ------------------- Improvements: - Organizes all Makefile.am - 1cde4d2dd9d96747536c1c25d06ba0677069477f Now using one file per line (sorted). This is the better way to handle it, since it reduces the possibility of merge conflicts. - nginx: generates config file using configure input. - 351b9cc357d439e30ebd61d89a9e38ecf55c6827 The nginx config file was looking for depedencies by its own, by doing that it was ignoring the options that were passed to configure script. This commit deletes this config file and adds a meta-config which is populated by configure whenever the standalone-module is enabled. - nginx: adds lua support - da16d9e5d51d4ef8734687514a4e1368e7fb4284 - iis: Cosmetics fixies on sqli. - 5046c8327ea21c69b4c0d0c0057c692b05b09fef This is needed to get it compiled with VS2011 on Windows8 - Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2) - ae252ee8767069363906e5a611dff487b799b839 - nginx: Trying apxs and apxs2 while compiling nginx module - 65d9272fdc353e1263567b60604542d377d19672 - nginx: Trying apxs and apxs2 while compiling nginx module - 35fd75d859e4a8873b8843da1db13e04a1b08140 - macos: Using glibtoolize instead of libtoolize - 751a9f4e45213cd69f00c62c71edc9d7ad99b82d - regression-tests: makes configuration compatible with 2.2 and 2.4 - 6fc4cac37ab1be8d1232140042b58fe4bd93ee17 - Regression test: get it working with apache 2.4 - e9813cd0d9bfc5b0c9aa5832634ec1b39b805108 Changes in httpd.conf.in to get it working with apache 2.4 - Code cosmetics. - 7366f35c1d80772d739b35da8faa972f92a72b97 Changed to reduce the number of possible fails during Build Bot compilation. - iis: Waiting for 5 seconds before move curl directory - 9bf2959c919587ebc63f5a1b8c0785da8927bff5 Testing buildbot. - Redefines unixd_set_global_mutex_perms on tests - f70f6f4281b806627e0cf0dbb9c84ae5864bdb16 Avoding conflicts with the standalone implementation - Adds verbose quality check - 388943440cc9b8c6fdea09f5e365a2e5a3e792e2 Vera++ and ccpcheck are not outputing to the stderr instead stdout allowing the buildbot to extract some numbers about it. - Adds support for coding style and quality check - b77e90152d119609ac78a7028383c3b79898b2cf Initial effort to get the code on shape. This will be executed by the buildbots as soon as they get ready for it. - iis: New improvements on the Wix installer - 2ea5a74a7bfb00f21312e51e48aa6dac03d84600 * Now the installation is divided in modules: ModSecurity and CRS. * Added default configuration * Configuration was moved to "Program Files" folder * Build_msi script now using candle available in %PATH% - iis: Removes the installer helper dependency - 1a12648c9f6028f251af0f03c889397c7954b74c Now using appcmd directly with WiX instead of calling the installer helper. - iis: Remove readme.html - 550d5aae21cba696cac1ce75ab8113e5255d5a59 This HTML is about "Creating a Native Module for IIS7" not straight related to ModSecurity itself. - iis: Adds batch script to compile Wix - a2c5fc831baf0b324ebb66b0f878dacf1ec2f808 This batch script can be used to generate our msi installer. - iis: Adds Wix installer resources - 3604763e15a665eb7a6ecae1f7e7c65cebbb1d17 This is all about cosmetic changes. - iss: Removes Post-Build event. - 28bbde1bb218b004654cb865fc8563d69b848dc2 There was a copy on Post-Build event using a hard coded path. This patch removes this Post-Build event. - iis: Relative paths on the VS project file - 368617ddb2443f9b6036f80a648d467d07c9a054 There are a ModSecurityIIS solution and project files, those were using hard coded paths to meet the dependencies. As consequence of the last update in our build scripts, now we are able to built the dependencies and load it to our Visual Studio project using relative paths. - iis: Adds release script - 9477118903861ce80c4c27cb581bf3462315e98e - iis: fixies the Installer.cpp coding style - 79875b1af8e8571098345b91557bab9c06eb7c88 - iis: Removes AppWizard remade file - 91738f93bcc82b6ab756c550a66b6cf6af2fa9f8 Apparently the AppWizard was used to generate part of this Installer, the ReadMe.txt created by the AppWizard was removed by this commit - iss: Removes pre-compiled headers - adfbeb85dcfa9466b72eebb8d1bd8eb7728bab79 No need to use the pre-compiled headers in InstallerHelper, removing it, in order to keep the project lean. - iis: Moves installer to InstallerHelper - 6adf25667dd4bfa33010bd6d8ae3d35046a69967 To organize the folder the Installer application was renamed to installer helper. It is not the real installer, it is just an helper which is executed during the installation phase. - iss: Removes fart dependencies - 8c3b8d81b613aaa38f28472af1eb26c90c7fc9da This commit removes the dependency of the fart.exe utility. The utility was responsible to rename contents inside some dependencies build files. Those modifications are not longer needed. - iss: Better err handling in build scripts. - 192599bf63b6ae5aa08e4536a90d5d0a17f969f7 Now checking for errors in every step of the build phase - iis: Moves build_module.bat to build_modsecurity.bat - e25c6b2e85ced7beba4d41867dbdf30e9c1286d3 The build_modsecurity.bat is now on the iis sub-directory, not in the dependencies anymore. Its content was also changed fixing all the paths. - iis: Identifies arch before unzip apache - cf5de78dfb9fffd21edf17af9e1db8f2fd83c804 Currently we need the Apache binary which could be used in 32 or 64 bits. This patch makes usage of 'cl' to identify which architecture is set. - iis: Renamves winbuild to dependencies - 1447766e816a896e88c9c8f053fcc3f62797bac1 Since the directory becomes all about dependencies there is no need to call it winbuild anymore. - iis: Removes unnecessary files from winbuild dir - 9f8cbf6ed8034ba42aa4967699308df09864fd18 Those .mak files seems to be part of an old build system. Since the script are now working fine, this commit removes all those .mac files and also a CMakeList.txt and the Makefile.win. - iis: Improves the iis build system - b277e538f28c87c81c1b50925dd8b82996b88294 Now checking for common errors while building. Refactoring on the build scripts, now there is this build_dependencies.bat script on the iis sub-folder. By calling this script all the dependencies should be build under the winbuild/. This commit also removes build scripts that were not needed anymore. - iis: Fixes the vcxproj file - a946a163f0ad822c760af80ca32dda61f0e6b2a9 Versions of the dependencies were changed, as long as the version of the Visual Studio, now 12. - iis: Removes unecessary files from the build system - 26738d2e34bcc7620047bd23180e0e26a64c71ee The following files were removed: * VCVarsQueryRegistry.bat * vcvars64.bat * vsvars32.bat The visual studio files can be called direcltly, not necessary to distribute those files, at least in VS12. - iss: Changes httpd version 2.4.6 - 0a772cb0748aa51a01800e0473309b9de792b456 Apache version was changed to 2.4.6 to sync with the current apache lounge version. - iis: Changes the version of the dependencies - 3e6fb41d36b7a5e98a55d8f52b88b29d1bd50b64 * pcre from 8.30 to 8.33 * zlib from 1.2.7 to 1.2.8 * libxml2 from 2.7.7 to 2.9.1 * curl from 7.24 to 7.33.0 - Removes standalone/Makefile.in - e3c19d53d23c48fea337aae76a87b2a85c36a1f1 Makefile.in is recommended to be in the repository whenever it is edit manually, in our case the automatically generated Makefile.in is ok. Bug Fixes: - test: Avoids conflict of fuctions definition - cef72855e4106ce29e1d39103ebf9eb9ab28f17e - test: Makes the unit tests to work again - cc982ae42ec86c79a67be1a01c6ee35fb06c272c The unit tests was not working due to lack update. This patch adds the necessary stuff to have it work again. - iis: Avoids directory link while building - ad330a44bfa39430cf6340cb52971568cccdf1d6 Build scripts was creating links allowing the project to be loaded into Visual Studio without care about the dependencies versions. Sometimes windows refuse to delete those links leading the script to fail. This patch moves the sources directories instead of create links to it. - QA: Avoids the utilization of 3rd filedescriptor - 69c5ccac662f4e11a6eefd54a3e912583c067b9d No need to use a 3rd description on the quality check scripts. Stderr is now redirected to stdout and filtered as needed. - Supports WarningCountingShellCommand in cppcheck and vera - baaf502363e68c3240b60adb7f7c91f5b4f0ba03 WarningCountingShellCommand allow us to have some measurements on the buildbot waterfall. - iis: Using base_rules instead of activated_rules - 7b1537058fa451e0df7098cd907ef19f04102f9d - iis: Fix inet_pton build problem - a4202146b8d26b6615bbab986383fe0afae60d77 There is a function named inet_pton on windows API, with different signature. This patch just override the windows function and point the inet_pton to our implementation. - iis: Adds Wix installer xml file.c - b32cb7d9ab397160f0154aa4bd4e9638658b41e6 This commit adds the Wix template to our git repository. - iis: build_modsecurity.bat fixies - 7e03e3f840375ed682c35a5bb67932461cc77013 This commit enable a cleanup on the mod_security build directory avoiding symbols with different architectures. - iis: Fix mlogc build on windows - 9b7663fa79377a0685130a019916d810f31e7478 The libcurl path was not pointing to the correct directory - Fix #154, Uses addn instead of apr_table_setn - 1734221d9d3a78f9aafd68e35717da9ee1a4fe51 The headers are represented in the format of an apr_table, which is able to handle elements with the same key, however the function apr_table_setn checks if the key exists before add the element, if so it replaces the old value with the new one. This was making our implementation to just keep the last added Cookie. The apr_table_addn function, which is now used, just add a new item without check for olders one. - Merge pull request #579 from zimmerle/revert_139 - 61e54f2067ae760808359926ff91d57275df1aac Revert merge request #139 - Revert "Merge pull request #139 from chaizhenhua/remotes/trunk" - 7f7d00fa2c364716691df1b45779304b24a0debb This reverts commit 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b, reversing changes made to 414033aafa94cd50c9b310afd3f164740caccc94. - Merge pull request #578 from client9/remotes/trunk - b0c3977845f60747b15ae10531b7d20355a22627 libinjection sync to v3.8.0 - libinjection sync - a5f175d79fac1e69124da4e1e227b622e7e233d7 - Merge pull request #152 from client9/remotes/trunk - 88ebf8a0bdbc4db1be76f3a2e70df77cc52a5925 Sync to libinjection v3.7.1 - libinjection sync - fcb6dc13ed6efb066fb9b70405eecab8b83a2d96 - libinjection sync - f52242a013f301ca5c17e59b662124833cb7cc6d - Merge pull request #148 from zimmerle/bugfix_charset_missing_string_terminator - b76e26d81ddafc2b99bffad53d1426f8fd33080a Bugfix: missing string terminator while mounting the charset (nginx) - Bugfix: missing string terminator while mounting the charset (nginx) - ff19dcd5c53d4af61d0a9397d4616f47f80ee207 The charset in headers is mounted using ngx_snprintf which does not place the string terminator. This patch adds the terminator at the end of the string. The size was correctly allocated, just missing the terminator. - Merge pull request #141 from client9/remotes/trunk - 9a630eea23a7ead4e77617c86dc937fd7a421a57 libinjection sync to v3.6.0 - libinjection sync - 11217207e8f2e0cf15742273836399866971071a - Fix Chunked string case sensitive issue - CVE-2013-5705 - f8d441cd25172fdfe5b613442fedfc0da3cc333d - Revert "Fix Chuncked string case sensitive issue" - 3901128f17e0763ac1a260106b79859d2aad6d90 This reverts commit 16a815a3c2735f62238ef99af26090a2b8430d3d. - Fix Chuncked string case sensitive issue - 16a815a3c2735f62238ef99af26090a2b8430d3d - Merge pull request #139 from chaizhenhua/remotes/trunk - 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b Fixed fd leackage after reload - Merge pull request #138 from client9/remotes/trunk - 414033aafa94cd50c9b310afd3f164740caccc94 libinjection sync - Fixed fd leackage after reload - e0993fcd7a166ce9e1a279a47d050af1311d9001 - libinjection sync - 2268626c20260e88cab9b7830f8a06101fa7172a - Fix logical disjunction and conjunction issues - 7e0a9ecf7d492e85650671a0cfcfd53e5f15df2c 23 Jul 2013 - 2.7.5 ------------------- Improvements: * SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter. * Updated Libinjection to version 3.4.1. Many improvements were made. * Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug). Bug Fixes: * Fixed utf8toUnicode tfn null byte conversion. * Fixed NGINX crash when issue reload command. * Fixed flush output buffer before inject modified hashed response body. * Fixed url normalization for Hash Engine. * Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files. Security Issues: 10 May 2013 - 2.7.4 ------------------- Improvements: * Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath). * Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries. * NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches. Bug Fixes: * Fixed SecRulePerfTime storing unnecessary rules performance times. * Fixed Possible SDBM deadlock condition. * Fixed Possible @rsub memory leak. * Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present. * Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID. * Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body. Security Issues: * Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI). 28 Mar 2013 - 2.7.3 ------------------- * Fixed IIS version race condition when module is initialized. * Fixed IIS version failing config commands in libapr. * Nginx version is now RC quality. The rule engine should works for all phases. We fixed many issues and missing features (for more information please check jira). Code is running well with latest Nginx 1.2.7 stable. Thanks chaizhenhua for your help. * Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS and will help prevent attacks using multipart data. * Added --enable-htaccess-config configure option. It will allow the follow directives to be used into .htaccess files when AllowOverride Options is set: - SecAction - SecRule - SecRuleRemoveByMsg - SecRuleRemoveByTag - SecRuleRemoveById - SecRuleUpdateActionById - SecRuleUpdateTargetById - SecRuleUpdateTargetByTag - SecRuleUpdateTargetByMsg * Improvements in the ID duplicate code checking. Should be faster now. * SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable by default the external entity load task executed by LibXml2. This is a security issue [CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies). 21 Jan 2013 - 2.7.2 ------------------- * IIS version is now stable. * Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess is set to On (MODSEC-372). * Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344). * Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346). * Fixed IIS version Request limit protections are not working (MODSEC-349). * Fixed IIS version Outbound protections are not working (MODSEC-350). * Added IIS version better installer. * NGINX version removed ModSecurityPassCommand (Thanks chaizhenhua). * Fixed NGINX version ngx_http_read_client_request_body returned unexpected buffer type (Thanks chaizhenhua). * Fixed NGINX version INCS config directories on fedora (Thanks chaizhenhua). * Added NGINX version Added drop action for nginx (Thanks chaizhenhua). * Fixed bug in cpf_verify operator (Thanks Hideaki Hayashi). * Fixed build modsecurity under Arch Linux. * Fixed make test crashing when JIT pcre is enabled. * Fixed better cookie separator detection code. * Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip. * Fixed mod_security was not compiling when use apr without ipv6 support. * Fixed mod_security was not compiling when use lua 5.2. * Fixed issue when execute make install under Solaris. * Fixed ipmatchf operator was not working as expected. 01 Nov 2012 - 2.7.1 ------------------- * Changed "Encryption" name of directives and options related to hmac feature to "Hash". SecEncryptionEngine to SecHashEngine SecEncryptionKey to SecHashKey SecEncryptionParam to SecHashParam SecEncryptionMethodRx to SecHashMethodRx SecEncryptionMethodPm to SecHashMethodPm @validateEncryption to @validateHash ctl:EncryptionEnforcement to ctl:HashEnforcement ctl:EncryptionEngine to ctl:HashEngine * Added a better random bytes generator using apr_generate_random_bytes() to create the HMAC key. * Fixed byte conversion issue during logging under Linux s390x platform. * Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj). * Fixed parsing error with modsecurity-recommended.conf and Apache 2.4. * Fixed DROP action was disabled for Apache 2 module by mistake. * Fixed bug when use ctl:ruleRemoveTargetByTag. * Fixed IIS and NGINX modules bugs. * Fixed bug when @strmatch patterns use invalid escape sequence (Thanks Hideaki Hayashi). * Fixed bugs in @verifySSN (Thanks Hideaki Hayashi). * The doc/ directory now contains the instructions to access online documentation. 15 Oct 2012 - 2.7.0 ------------------- * Fixed Pause action should work as a disruptive action (MODSEC-297). * Fixed Problem loading mod_env variables in phase 2 (MODSEC-226). * Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261). * Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337). * Fixed Errors compiling NGINX version. * Added Include directive into standalone module. IIS and NGINX module should support Include directive like Apache2. * Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt). * Updated Reference Manual. 25 Sep 2012 - 2.6.8 ------------------- * Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae. * Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic. 10 Sep 2012 - 2.7.0-rc3 ------------------- * Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even engine mode was detection only. * Fixed double close() for multipart temporary files (Thanks Seema Deepak). * Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek). * Fixed format string issue in ngnix experimental code. (Thanks Eldar Zaitov). * Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg. * Added IIS and Ngnix platform code. * Added new transformation utf8toUnicode. 23 Jul 2012 - 2.6.7 ------------------- * Fixed explicit target replacement using SecUpdateTargetById was broken. * The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since there is no safe way to use it per-request. * Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request. 22 Jun 2012 - 2.7.0-rc2 ------------------- * Fixed compilation errors and warnings under Windows platform. * Fixed SecEncryptionKey was not working as expected. 08 Jun 2012 - 2.7.0-rc1 ------------------- * Added SecEncryptionEngine. Initial crypt engine support, at the momment it will sign some Html and Response Header options. * Added SecEncryptionKey to define the a rand or static key for crypt engine. * Added SecEncryptionParam to define the new parameter name. * Added SecEncryptionMethodRx used with a regular expression to inspect the html in response body/header and decide what to protect. * Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response body/header and decide what to protect. * Added ctl encryptionEngine as a per transaction version of SecEncryptionEgine diretive. * Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is disabled. * Added validateEncryption operator to enforce the signed elements. * Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r. * Added SecRuleUpdateTargetById now supports id range. * Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford). * Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford). * Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE and log id=usec information in the new Perf-rule-info: line in part H. * Added PERF_RULES variable that contains rule execution time. * Added Engine-mode: section in part H. * Added ruleRemoveByMsg ctl version. * Added removeCommentsChar and removeComments now can work with <!-- --> style. * Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations. * Added Rules must have ID action and must be numeric. * Added The use of tfns are deprecated in SecDefaultAction. Should be forbid in the future. * Added Macro expansion support to the action pause. * Added IpmatchFromFile/IpmatchF operator. * Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space * Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction. It will only take any effect when ModSecurity has multiple scripts to run per transaction. * Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support. * Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook. * Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php). * Added SecHttpBlKey to be used with httpBl api. * Added SecSensorId will specify the modsecurity sensor name into audit log part H. * Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging). * Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real client ip address. ^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection. * Updated Reference manual into doc/ directory. * Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and other variables. * Fixed Preserve names/identity of the variables going into MATCHED_VARS. * Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action. * Fixed rsub operator does not work as expect if regex contains parentheses (Thanks Jerome Freilinger). * Current Google Safe Browsing implementation is deprecated. Google changed the API and does not allow anymore the malware database for download. 08 Jun 2012 - 2.6.6 ------------------- * Added build system support for KfreeBSD and HURD. * Fixed a multipart bypass issue related to quote parsing Credits to Qualys Vulnerability & Malware Research Labs (VMRL). 20 Mar 2012 - 2.6.5 ------------------- * Fixed increased a specific message debug level in SBDM code (MODSEC-293). * Cleanup build system. 09 Mar 2012 - 2.6.4 ------------------- * Fixed Mlogc 100% CPU consume (Thanks Klaubert Herr and Ebrahim Khalilzadeh). * Fixed ModSecurity cannot load session and user sdbm data. * Fixed updateTargetById was creating rule unparsed content making apache memory grow. * Code cleanup. 23 Feb 2012 - 2.6.4-rc1 ------------------- * Fixed @rsub adding garbage data into stream variables. * Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh). * Fixed logdata cuts message without closing it with final chars. * Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN. 06 Dec 2011 - 2.6.3-rc1 ------------------- * Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name. * Fixed SDBM garbage collection was not working as expected, increasing the size of files. * Fixed wrong timestamp calculation for some time zones in log files. * Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270). * Fixed Reverted hexDecode for hexEncode compatibility reason. * Added SecCollectionTimeout to set collection timeout, default is 3600. * Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern. 30 Sep 2011 - 2.6.2 ------------------- * Fixed hexDecode test during make. * Updated the reference manual into doc/ directory. 5 Sep 2011 - 2.6.2-rc1 ------------------- * Added support to macro expansion for rx operator. * Added new transformations removeComments and removeCommentsChars * Fixed colletion names are not case-sensitive anymore. * Fixed compilation errors with apache 2.0. * Fixed build system was not using some libraries CFLAGS. * Fixed check for valid hex values into hexDecode transformation. * Fixed ctl:ruleUpdateTargetById appending multiple targets. 18 Jun 2011 - 2.6.1 ------------------- * Updated the reference manual into doc/ directory. 11 Jul 2011 - trunk ------------------- * Add HttpBl support to rbl operator. 30 Jun 2011 - 2.6.1-rc1 ------------------- * Fixed SecUploadFileMode doesn't work with the new build system. * Fixed building with Lua library (Thanks Diego Elio). * Fixed some ./configure --enable* features not being enabled in compilation time. * Improvements on GSB database add/search operations. * Log part K was removed from modsecurity.conf-recommended. * Added SecUnicodeMapFile directive. Must be use to load the unicode.mapping file. * Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available: 1250 (ANSI - Central Europe) 1251 (ANSI - Cyrillic) 1252 (ANSI - Latin I) 1253 (ANSI - Greek) 1254 (ANSI - Turkish) 1255 (ANSI - Hebrew) 1256 (ANSI - Arabic) 1257 (ANSI - Baltic) 1258 (ANSI/OEM - Viet Nam) 20127 (US-ASCII) 20261 (T.61) 20866 (Russian - KOI8) 28591 (ISO 8859-1 Latin I) 28592 (ISO 8859-2 Central Europe) 28605 (ISO 8859-15 Latin 9) 37 (IBM EBCDIC - U.S./Canada) 437 (OEM - United States) 500 (IBM EBCDIC - International) 850 (OEM - Multilingual Latin I) 860 (OEM - Portuguese) 861 (OEM - Icelandic) 863 (OEM - Canadian French) 865 (OEM - Nordic) 874 (ANSI/OEM - Thai) 932 (ANSI/OEM - Japanese Shift-JIS) 936 (ANSI/OEM - Simplified Chinese GBK) 949 (ANSI/OEM - Korean) 950 (ANSI/OEM - Traditional Chinese Big5) Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1 * Fixed SecRequestBodyLimit was truncating the real request body. 18 May 2011 - 2.6.0 ------------------- * Added SecWriteStateLimit for Slow Post DoS mitigation. * Fix problem when buffering in input filter. * Fix memory leak when use MATCHED_VAR_NAMES. 2 May 2011 - 2.6.0-rc2 ------------------- * Added code optimizations - thanks Diego Elio. * Added support to AIX and HPUX in the build system (untested). * Renamed decodeBase64Ext to base64DecodeExt. * Build system improvements - thanks Diego Elio. * Improvements on gsblookup parser. * Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled. * Logging improvements and bug fix. * Remove extra useless files when make clean and maintainer-clean 18 Apr 2011 - 2.6.0-rc1 ------------------- * Replaced previous GPLv2 License to Apachev2. * Added Google Safe Browsing lookups operator and directive. It should be used to extract and lookup urls from http packets. * Added Data Modification operator. It must be used with STREAM_* variables to replace/add/edit any data from http bodies. * Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data modification operators. * Added fast ip address operator. It supports partial ip address, cidr for IPv4 and IPv6. Thanks Tom Donovan. * Added new sensitive data tracking verifyCPF and verifySSN. * Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similiar to MATCHED_VAR, but now we should see all matched variables. * Added UNIQUE_ID variable. It holds the data created my mod_unique_id. * Added new tranformation cmdline. Thanks Marc Stern. * Added new exception handling operators and directives. It should help users reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag and its ctl actions were included. * Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_* variables. * Added SecGsbLookupDB used to load Google Safe Browsing malware databse into memory. * Added the directive SecInterceptOnError to control what to do if a rule returns values less than zero. * Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction to control what to do if the engine receive a http request over a hard limit. Note that there is now many combinations with SecRuleEngine and the limit action directives for response and request data. Please see the reference manual. * Improvements under RBL operator. It now will parse return code values for some RBL lists. * Added new Log Part J. It should log some informations about uploaded files. * Added new sanitizeMatchedBytes action. It will give more flexibilty for user to sanitize logged data, also improving peformance when sanitize big amount of data. * Improvements on Logging phase. It is possible now see full chains, distinguish between simple rules, chain starters and chain nodes. * Improvements on AutoTools usage. * Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible input data allowing any kind of special char. * Improvements on SecRuleUpdateActionById to update chain nodes. * Many bugs were fixed. Please see the ModSecurity Jira for more details 19 Mar 2010 - trunk ------------------- * Added SecDisableBackendCompression, which disabled backend compression while keeping the frontend compression enabled (assuming mod_deflate in installed and configured in the proxy). [Ivan Ristic] * Added REQUEST_BODY_LENGTH, which contains the number of request body bytes read. [Ivan Ristic] * Integrate with mod_log_config using the %{VARNAME}M format string. (MODSEC-108) [Ivan Ristic] * Replaced the previous time-measuring mechanism with a new one, which provides the following information: request time, request duration, phase duration (for all 5 phases), time spent dealing with persistent storage, and time spent on audit logging. The new information is now available in the Stopwatch2 audit log header. The Stopwatch header remains for backward compatiblity, although it now only includes the request time and request duration values. Added the following variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING, PERF_GC. [Ivan Ristic] * Added DURATION, which contains the time ellapsed since the beginning of the current transaction, in milliseconds. [Ivan Ristic] * Adjusted phase 5 to execute just prior to mod_log_config. This should allow phase 5 rules to to implement conditional logging, as well as pave support for allowing access to all ModSecurity variables from mog_log_config. [Ivan Ristic] * Added the URLENCODED_ERROR flag, which is raised whenever invalid URL encoding is encountered in the query string or in the request body (but only if URLENCODED request body processor is used). (MODSEC-111) [Ivan Ristic] * Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic] * Renamed normalisePath to normalizePath and normalisePathWin to normalizePathWin. Kept the previous names for backward compatibility. (MODSEC-103) [Ivan Ristic] * Moved phase 1 to be run in the same Apache hook as phase 2. This means that you can now have phase 1 rules in <Location> tags and, more importantly, override server configuration in <Location> and others. (MODSEC-98) [Ivan Ristic] * Renamed the sanitise family of actions to sanitize. Kept the old variants for backward compatibility. (MODSEC-95) [Ivan Ristic] * Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic] * Cleanup build files that were from the Apache source.
2014-02-05Enforce -D_POSIX_C_SOURCE=199506 so that strtok_r() is defined bymanu4-3/+40
<string.h>, otherwise the compiler assumes it returns an int, and it breaks on LP64 machines.
2014-02-04Added DSA-2826-2 fixpettai3-8/+8
2014-02-04forgot a file in the previous changesagc1-0/+55
2014-02-04Update security/netpgpverify to version 20140202agc18-64/+1324
Changes from previous version: Add the ability for netpgpverify to verify ssh-pub-key-based signatures. It is much more likely for ssh (rather than pgp) keys to be available, and used, as a source of authentication data. These changes add the ability for netpgpverify(1) -- the standalone, zero-prereq utility - to verify signatures made by netpgp when using ssh keys. Running the regression tests in WRKDIR gives the following output: % mk -f *.bsd tst ./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012 signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23 fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e uid NetBSD Security Officer <security-officer@NetBSD.org> ./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.gpg Good signature for NetBSD-6.0_RC1_hashes.gpg made Thu Mar 14 13:32:59 2013 signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23 fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e uid NetBSD Security Officer <security-officer@NetBSD.org> ./netpgpverify -v netpgpverify portable 20140202 ./netpgpverify -S sshtest-20140202.pub data.gpg Good signature for data.gpg made Mon Feb 3 17:54:21 2014 signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01 fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com> ./netpgpverify -S sshtest-20140202.pub data.sig Good signature for data.sig made Sun Feb 2 21:45:05 2014 signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01 fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com> expected failure, to check bad signatures fail to verify sed -e 's|A|B|' data.gpg | ./netpgpverify -S sshtest-20140202.pub Signature did not match contents -- Signature on data did not match *** Error code 1 (ignored) % A new HOWTO file is provided in the sources (files/HOWTO) to show how to sign data using ssh keys and netpgp(1).
2014-02-03Update to 1.6.1. Remove lots of integrated patches.wiz7-1745/+6
Noteworthy changes in version 1.6.1 (2014-01-29) ------------------------------------------------ * Added emulation for broken Whirlpool code prior to 1.6.0. * Improved performance of KDF functions. * Improved ECDSA compliance. * Fixed locking for Windows and non-ELF Pthread systems (regression in 1.6.0) * Fixed message digest lookup by OID (regression in 1.6.0). * Fixed a build problem on NetBSD. * Fixed memory leaks in ECC code. * Fixed some asm build problems and feature detection bugs. * Interface changes relative to the 1.6.0 release: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GCRY_MD_FLAG_BUGEMU1 NEW (minor API change).
2014-02-03Update to 1.1.5: bugfixes, e.g. for perl-5.18 compat.wiz2-7/+6
2014-02-01Update to KDE SC 4.11.5markd4-12/+10
bug fixes
2014-01-31First part of minor dropbear package cleanup - this part lets theagc4-34/+67
package build as a normal user + don't refer to MAKEFLAGS outside of pkgsrc/mk + add comments to patch files + use BSD_INSTALL_* definitions in the build Makefile + re-order some parts of the pkgsrc Makefile + use pkgsrc definitions for CFLAGS.${OPSYS} rather than conditionals XXX - TO DO - fix the xauth issue here
2014-01-27Update to 0.16:wiz3-10/+20
0.16 * Clarify documentation for secret_service_clear_xxx() [#705629] * Pass return_type to prompt async begin functions, rather than finish * Simpler way to use custom service/collection/item types * service: Rename secret_service_new() and friends to xxx_open() * Add secret_value_get_text() function to return NULL terminated secret * Fix return types in secret_service_search_finish() on error paths [#698040] * Testing fixes [#705202] * Build fixes [#704233] * Updated translations
2014-01-27+ py-backports.ssl_match_hostnamewiz1-1/+2
2014-01-27Import py27-backports.ssl_match_hostname-3.4.0.2 aswiz4-0/+46
security/py-backports.ssl_match_hostname. The Secure Sockets layer is only actually secure if you check the hostname in the certificate returned by the server to which you are connecting, and verify that it matches to hostname that you are trying to reach. But the matching logic, defined in RFC2818, can be a bit tricky to implement on your own. So the ssl package in the Standard Library of Python 3.2 and greater now includes a match_hostname() function for performing this check instead of requiring every application to implement the check separately. This package contains the backport of this functionality to Python 2.
2014-01-27update to 2013.62drochner4-40/+32
changes: -ECC (elliptic curve) support -curve25519-sha256@libssh.org support -misc fixes and improvements approved by The Maintainer
2014-01-27Use REPLACE_PYTHON instead of reimplementing it.wiz1-5/+3
2014-01-27Do not set FETCH_USING, should not be set in a package Makefile.wiz5-16/+5
2014-01-26Update "stunnel" package to version 4.56. Changes since 4.55:tron2-7/+6
- Fixed a regression bug introduced in version 4.55 causing random crashes on several platforms, including Windows 7. - Fixed incorrect "stunnel -exit" process synchronisation. - Fixed FIPS detection with new versions of the OpenSSL library. - Failure to open the log file at startup is no longer ignored.
2014-01-26Fix permissions so taht "etc/stunnel" belongs to the actual "root" usertron1-3/+3
and not to the user that build the package. Bump package revision because of this fix.
2014-01-26Update comment:tron1-2/+2
Assembler support is still broken under Mac OS X in version 3.2.9. Somebody should re-check Solaris as well.
2014-01-25Update to 3.2.9 based on patch from Richard Palo.wiz2-9/+7
Assembler issues still seem to be there at least on SunOS. * Version 3.2.9 (released 2014-01-24) ** libgnutls: The %DUMBFW option in priority string only appends data to client hello if the expected size is in the "black hole" range. ** libgnutls: %COMPAT implies %DUMBFW. ** libgnutls: gnutls_session_get_desc() returns a more compact ciphersuite description. * libgnutls: In PKCS #11 allow deleting multiple non-certificate data. ** libgnutls: When a PKCS #11 trust store is specified (e.g. using the configure option --with-default-trust-store-pkcs11), then the PKCS #11 token is used on demand to obtain the trusted anchors, rather than preloading all trusted certificates. That delegates CA certificate management and blacklist checking to the PKCS #11 module. ** libgnutls: When a PKCS #11 trust store is specified in configure option or in gnutls_x509_trust_list_add_trust_file(), then the module is used to obtain the verification anchors and any required blacklists as in http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html ** libgnutls: Fix in OCSP certificate status extension handling in non-blocking servers. Patch by Nils Maier. ** p11tool: Added --so-login option to force login as security officer (admin). ** API and ABI modifications: No changes since last version.
2014-01-25No need to have two variables for the same logic.wiz4-9/+9
Replace PYTHON_PATCH_SCRIPTS with REPLACE_PYTHON.
2014-01-25Mark packages as not ready for python-3.x where applicable;wiz22-59/+53
either because they themselves are not ready or because a dependency isn't. This is annotated by PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z or PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar respectively, please use the same style for other packages, and check during updates. Use versioned_dependencies.mk where applicable. Use REPLACE_PYTHON instead of handcoded alternatives, where applicable. Reorder Makefile sections into standard order, where applicable. Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default with the next commit. Whitespace cleanups and other nits corrected, where necessary.