Upgraded mod_security to version 2.9.7 (microsoft#11802)

Author: aninda-al

SPECS-EXTENDED/mod_security/mod_security-2.9.7-send_error_bucket.patch

@@ -0,0 +1,30 @@
+From b2fa083522c70368c7ab911696dcb87dde5dc688 Mon Sep 17 00:00:00 2001
+From: Tomas Korbar <[email protected]>
+Date: Thu, 22 Dec 2022 14:49:34 +0100
+Subject: [PATCH] Clear original response code in send_error_bucket function
+
+If this is left intact, then apache thinks that this code
+was generated during processing of ErrorDocument and does not
+handle it properly
+
+Fix #2849
+---
+ apache2/apache2_util.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apache2/apache2_util.c b/apache2/apache2_util.c
+index cdae2b580..520a30f2f 100644
+--- a/apache2/apache2_util.c
++++ b/apache2/apache2_util.c
+@@ -31,6 +31,11 @@ apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) {
+     /* Set the status line explicitly for the error document */
+     f->r->status_line = ap_get_status_line(status);
+ 
++    /* Clear previously set response code to make clear that this is
++     * not a recursive error
++     */
++    f->r->status = 200;
++
+     brigade = apr_brigade_create(f->r->pool, f->r->connection->bucket_alloc);
+     if (brigade == NULL) return APR_EGENERAL;
+ 

SPECS-EXTENDED/mod_security/mod_security.signatures.json

@@ -2,7 +2,7 @@
  "Signatures": {
   "10-mod_security.conf": "01a1e5ed3357a2de6b9dbd0f6b02cde2d92ebf0fcb6d6adcfa2b064c7fcdf0a0",
   "mod_security.conf": "c945d2d940121ee8eaa8a29c5b1eabdcc589d46644a152e9d809fb3340a1e368",
-  "modsecurity-2.9.4.tar.gz": "970e1801907d181e94faec74d595868a3b4abeb07b790b0f30aea3a5d0e05929",
+  "modsecurity-2.9.7.tar.gz": "2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839",
   "modsecurity_localrules.conf": "9aa9e822f13552d5159ab5543d92551d1200a3ae52870907f1b0dafcf0c67c22"
  }
 }

SPECS-EXTENDED/mod_security/mod_security.spec

@@ -11,9 +11,9 @@ Distribution:   Azure Linux
 
 Summary: Security module for the Apache HTTP Server
 Name: mod_security
-Version: 2.9.4
-Release: 1%{?dist}
-License: ASL 2.0
+Version: 2.9.7
+Release: 8%{?dist}
+License: Apache-2.0
 URL: http://www.modsecurity.org/
 Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
 Source1: mod_security.conf
@@ -22,15 +22,17 @@ Source3: modsecurity_localrules.conf
 Patch0: modsecurity-2.9.3-lua-54.patch
 Patch1: modsecurity-2.9.3-apulibs.patch
 Patch2: mod_security-2.9.3-remote-rules-timeout.patch
+Patch3: mod_security-2.9.7-send_error_bucket.patch
 
-Requires: httpd httpd-mmn = %{_httpd_mmn}
+Requires: httpd 
+Provides: httpd-mmn = %{_httpd_mmn}
 Requires(pre): httpd-filesystem
 
 BuildRequires: gcc, make, autoconf, automake, libtool
 BuildRequires: httpd-devel
 BuildRequires: perl-generators
+BuildRequires: pcre2-devel
 BuildRequires: pkgconfig(libcurl)
-BuildRequires: pkgconfig(libpcre)
 BuildRequires: pkgconfig(libxml-2.0)
 BuildRequires: pkgconfig(lua)
 
@@ -66,6 +68,7 @@ This package contains the ModSecurity Audit Log Collector.
            --enable-pcre-match-limit-recursion=1000000 \
            --with-apxs=%{_httpd_apxs} \
            --with-yajl \
+           --with-pcre2 \
            --disable-static
 
 # remove rpath
@@ -116,8 +119,8 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 
 
 %files
-%license LICENSE
-%doc CHANGES README.* NOTICE
+%license LICENSE NOTICE
+%doc CHANGES README.* 
 %{_httpd_moddir}/mod_security2.so
 %config(noreplace) %{_httpd_confdir}/*.conf
 %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
@@ -140,12 +143,70 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif
 
 %changelog
-* Fri Mar 04 2022 Pawel Winogrodzki <[email protected]> - 2.9.4-1
-- Updating to version 2.9.4 using Fedora 36 spec (license: MIT) for guidance.
-- License verified.
+* Mon Jan 06 2025 Aninda Pradhan <[email protected]> - 2.9.7-8
+- Initial Azure Linux import from Fedora 41 (license: MIT)
+- License verified
 
-* Fri Oct 15 2021 Pawel Winogrodzki <[email protected]> - 2.9.3-5
-- Initial CBL-Mariner import from Fedora 32 (license: MIT).
+* Thu Jul 18 2024 Fedora Release Engineering <[email protected]> - 2.9.7-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering <[email protected]> - 2.9.7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <[email protected]> - 2.9.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Jan 02 2024 Tomas Korbar <[email protected]> - 2.9.7-4
+- Clear original response code in send_error_bucket function
+
+* Thu Jul 20 2023 Fedora Release Engineering <[email protected]> - 2.9.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jun 02 2023 Luboš Uhliarik <[email protected]> - 2.9.7-2
+- SPDX migration
+
+* Thu Apr 13 2023 Luboš Uhliarik <[email protected]> - 2.9.7-1
+- new version 2.9.7
+- use pcre2 instead of deprecated pcre (rhbz #2128330)
+
+* Thu Jan 19 2023 Fedora Release Engineering <[email protected]> - 2.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Sep 14 2022 Luboš Uhliarik <[email protected]> - 2.9.6-1
+- new version 2.9.6
+
+* Wed Aug 31 2022 Luboš Uhliarik <[email protected]> - 2.9.5-1
+- new version 2.9.5
+
+* Thu Jul 21 2022 Fedora Release Engineering <[email protected]> - 2.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <[email protected]> - 2.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Aug 18 2021 Luboš Uhliarik <[email protected]> - 2.9.4-1
+- new version 2.9.4
+
+* Thu Jul 22 2021 Fedora Release Engineering <[email protected]> - 2.9.3-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <[email protected]> - 2.9.3-10
+- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
+  timeout for retrieving the rules
+- rename mlogc to mod_security-mlogc
+
+* Fri Jan 22 2021 Joe Orton <[email protected]> - 2.9.3-8
+- don't link against redundant apr-util dependent libraries
+
+* Sat Aug 08 2020 Othman Madjoudj <[email protected]> - 2.9.3-7
+- Add a patch to fix build with Lua 5.4 until we completely switch to mod_sec3 as default
+
+* Sat Aug 01 2020 Fedora Release Engineering <[email protected]> - 2.9.3-6
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <[email protected]> - 2.9.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
 * Wed Jan 29 2020 Fedora Release Engineering <[email protected]> - 2.9.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

cgmanifest.json

@@ -13642,8 +13642,8 @@
         "type": "other",
         "other": {
           "name": "mod_security",
-          "version": "2.9.4",
-          "downloadUrl": "https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.4/modsecurity-2.9.4.tar.gz"
+          "version": "2.9.7",
+          "downloadUrl": "https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz"
         }
       }
     },