I would ask your internal team how they build the apache22 pks.

Look at this: http://httpd.apache.org/docs/2.2/upgrading.html

Search for PCRE.

On Mon, Oct 22, 2012 at 7:15 PM, Ives Stoddard <ives.stoddard@gmail.com> wrote:
One would think.

I've read the mod_security error correctly, it was compiled with 6.6, but is linking to 5.0 ("loaded version = 5.0")

But the only version I can find anywhere on the file system is 6.6.

How do I figure out where mod_security is getting 5.0 from?

On Mon, Oct 22, 2012 at 7:58 PM, Breno Silva <breno.silva@gmail.com> wrote:
Hello Ives,

Right, you have different pcre lib versions linked and compiled. I would suggest you use the same version in apache and modsecurity.



On Mon, Oct 22, 2012 at 6:34 PM, Ives Stoddard <ives.stoddard@gmail.com> wrote:

Here's the error message...

[Thu Oct 18 13:21:49 2012] [notice] ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/) configured.
[Thu Oct 18 13:21:49 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Thu Oct 18 13:21:49 2012] [notice] ModSecurity: PCRE compiled version="6.6"; loaded version="5.0 13-Sep-2004"
[Thu Oct 18 13:21:49 2012] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Thu Oct 18 13:21:49 2012] [notice] ModSecurity: LIBXML compiled version="2.6.26"

And info about the version of pcre that's installed (rhel5)...

$ rpm -qa |grep pcre

$ rpm -q --provides --filesbypkg pcre

pcre = 6.6-6.el5_6.1_x86_64
pcre                      /lib64/libpcre.so.0
pcre                      /lib64/libpcre.so.0.0.1
pcre                      /usr/bin/pcregrep
pcre                      /usr/bin/pcretest
pcre                      /usr/lib64/libpcrecpp.so.0
pcre                      /usr/lib64/libpcrecpp.so.0.0.0
pcre                      /usr/lib64/libpcreposix.so.0
pcre                      /usr/lib64/libpcreposix.so.0.0.0
pcre                      /usr/share/doc/pcre-6.6
pcre                      /usr/share/doc/pcre-6.6/AUTHORS
pcre                      /usr/share/doc/pcre-6.6/LICENCE
pcre                      /usr/share/man/man1/pcregrep.1.gz
pcre                      /usr/share/man/man1/pcretest.1.gz

pcre = 6.6-6.el5_6.1_x86
pcre                      /lib/libpcre.so.0
pcre                      /lib/libpcre.so.0.0.1
pcre                      /usr/bin/pcregrep
pcre                      /usr/bin/pcretest
pcre                      /usr/lib/libpcrecpp.so.0
pcre                      /usr/lib/libpcrecpp.so.0.0.0
pcre                      /usr/lib/libpcreposix.so.0
pcre                      /usr/lib/libpcreposix.so.0.0.0
pcre                      /usr/share/doc/pcre-6.6
pcre                      /usr/share/doc/pcre-6.6/AUTHORS
pcre                      /usr/share/doc/pcre-6.6/LICENCE
pcre                      /usr/share/man/man1/pcregrep.1.gz
pcre                      /usr/share/man/man1/pcretest.1.gz

$ pcretest -C
PCRE version 6.6 06-Feb-2006
Compiled with
  UTF-8 support
  Unicode properties support
  Newline character is LF
  Internal link size = 2
  POSIX malloc threshold = 10
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack

$ ldd /usr/local/apache2/bin/httpd
        linux-vdso.so.1 =>  (0x00007fffc0f99000)
        libm.so.6 => /lib64/libm.so.6 (0x00000036b0800000)
        libaprutil-1.so.0 => /usr/local/apache2/lib/libaprutil-1.so.0 (0x00002ab3f9944000)
        libapr-1.so.0 => /usr/local/apache2/lib/libapr-1.so.0 (0x00002ab3f9b65000)
        libexpat.so.0 => /lib64/libexpat.so.0 (0x00000036b2000000)
        librt.so.1 => /lib64/librt.so.1 (0x00000036b1400000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00000036b1800000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00000036b0000000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036afc00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036af800000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036af400000)

$ ldd /usr/local/apache2/modules/mod_security2.so
ldd: warning: you do not have execution permission for `/usr/local/apache2/modules/mod_security2.so'
        linux-vdso.so.1 =>  (0x00007fffa1874000)
        librt.so.1 => /lib64/librt.so.1 (0x00002b0243084000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b024328e000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b02434c6000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b02436e1000)
        libexpat.so.0 => /lib64/libexpat.so.0 (0x00002b02438e6000)
        libapr-1.so.0 => /usr/local/apache2/lib/libapr-1.so.0 (0x00002b0243b09000)
        libaprutil-1.so.0 => /usr/local/apache2/lib/libaprutil-1.so.0 (0x00002b0243d35000)
        libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00002b0243f56000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b0244293000)
        libm.so.6 => /lib64/libm.so.6 (0x00002b02444a7000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b024472b000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036af400000)

$ /sbin/ldconfig -p |grep pcre
        libpcreposix.so.0 (libc6,x86-64) => /usr/lib64/libpcreposix.so.0
        libpcreposix.so.0 (libc6) => /usr/lib/libpcreposix.so.0
        libpcrecpp.so.0 (libc6,x86-64) => /usr/lib64/libpcrecpp.so.0
        libpcrecpp.so.0 (libc6) => /usr/lib/libpcrecpp.so.0
        libpcre.so.0 (libc6,x86-64) => /lib64/libpcre.so.0
        libpcre.so.0 (libc6) => /lib/libpcre.so.0

$ sudo find / -name "*pcre*" -exec ls -1 {} \;
/lib/libpcre.so.0 -> libpcre.so.0.0.1
/usr/lib/libpcreposix.so.0 -> libpcreposix.so.0.0.0
/usr/lib/libpcrecpp.so.0 -> libpcrecpp.so.0.0.0
/usr/lib64/libpcreposix.so.0 -> libpcreposix.so.0.0.0
/usr/lib64/libpcrecpp.so.0 -> libpcrecpp.so.0.0.0
/lib64/libpcre.so.0 -> libpcre.so.0.0.1


On Mon, Oct 22, 2012 at 3:11 PM, Breno Silva <breno.silva@gmail.com> wrote:
Hello Ives,

Can you send me your error.log? There is a known issue treating PCRE version 8.02. ModSecurity can alert you for wrong PCRE version when it is OK.

Yes, using different compiled/linked versions between Apache and ModSecurity may cause segfaults. It is not very common but can happen.



On Mon, Oct 22, 2012 at 2:03 PM, Ives Stoddard <ives.stoddard@gmail.com> wrote:
I've been reading a lot of posts about PCRE mismatches, and the recent patch to fix this, but it seems like there are cases this may or may not be a problem.

At best this is just an annoyance in the log files, but at worst this can cause core dumps of apache.

I have both apache and mod_sec set to use the OS pcre & apr libs (both from RHEL 5.8), but I still get the mismatch errors. The team that builds our internal apache distribution has confirmed they are dynamically linked via ld (which shows matching libs).

In this scenario, what would cause the pcre mismatch error?

In what cases can the mismatch prove fatal vs. which cases is it just a false alarm? How can I test for the fatal cases?

Many thanks,
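
Added example, not part of the original thread: a small triage script for the question "where is the loaded PCRE coming from?". It works on captured `ldd`, `nm -D` and error-log text; the log and `ldd` samples are trimmed from the output above, while the `nm -D` lines and the verdict labels are constructed for illustration, on the assumption (consistent with `ldd` listing no libpcre for either binary) that httpd may carry its own PCRE symbols.

```shell
#!/bin/sh
# Added example. Each helper reads tool output on stdin, so it can be run
# against saved text or fed from the real commands on a live host.

# Print "compiled loaded" PCRE versions from a ModSecurity startup log.
pcre_versions() {
    sed -n 's/.*PCRE compiled version="\([0-9.]*\)[^"]*"; loaded version="\([0-9.]*\)[^"]*".*/\1 \2/p' | tail -n 1
}

# From `ldd <binary>` output: is libpcre a direct shared dependency?
links_libpcre() { grep -q 'libpcre\.so'; }

# From `nm -D <binary>` output: does the binary itself define pcre_version?
defines_pcre() { grep -Eq '^[0-9a-fA-F]+ +[TtWw] +pcre_version$'; }

# diagnose LOG_TEXT LDD_HTTPD_TEXT NM_HTTPD_TEXT -> one-line verdict
diagnose() {
    versions=$(printf '%s\n' "$1" | pcre_versions)
    compiled=${versions% *}
    loaded=${versions#* }
    if [ -z "$versions" ]; then
        echo "no-pcre-line"
    elif [ "$compiled" = "$loaded" ]; then
        echo "match"
    elif printf '%s\n' "$3" | defines_pcre; then
        # The executable's own symbols are searched first at load time.
        echo "mismatch: httpd-builtin"
    elif printf '%s\n' "$2" | links_libpcre; then
        echo "mismatch: shared-libpcre"
    else
        echo "mismatch: unknown-source"
    fi
}

# Sample data: log and ldd lines trimmed from the thread.
LOG_SAMPLE='[Thu Oct 18 13:21:49 2012] [notice] ModSecurity: PCRE compiled version="6.6"; loaded version="5.0 13-Sep-2004"
[Thu Oct 18 13:21:49 2012] [warn] ModSecurity: Loaded PCRE do not match with compiled!'
LDD_SAMPLE='        libapr-1.so.0 => /usr/local/apache2/lib/libapr-1.so.0 (0x00002ab3f9b65000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036af800000)'
# Constructed nm -D lines (addresses are made up).
NM_SAMPLE='00000000004a1f00 T pcre_compile
00000000004a3c10 T pcre_version'

diagnose "$LOG_SAMPLE" "$LDD_SAMPLE" "$NM_SAMPLE"
```

On a real host the three arguments would be the contents of the error log, `ldd /usr/local/apache2/bin/httpd` and `nm -D /usr/local/apache2/bin/httpd`.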