Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released
|
From: Felipe C. <FC...@tr...> - 2014-11-19 18:30:34
|
Hi Christian, Thank you for the detailed report on the failure and also for testing the release candidate. The details that you have provided seems to be a good starting point for me to start to investigate this issue. I will let you know if the core dump file will be necessary. Br., Felipe "Zimmerle" Costa Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com <http://www.trustwave.com/> From: Christian Folini <chr...@ti...> Reply-To: "mod...@li..." <mod...@li...> Date: Wednesday, November 19, 2014 11:21 AM To: "mod...@li..." <mod...@li...> Subject: Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released Thanks for the release candidate. It has built successfully on ubuntu 04.14 on apache 2.4.10 and I can confirm that the fix for the bug in the 2.8.0 ipMatch directive works fine. However, I encountered a segfault during init when using the new remote URI feature in ipMatchFromFile. Fetching the files works fine, but enabling the ssl engine _afterwards_ in a VH leads to the segfault: gdb output: ssl_init_ctx_protocol (s=0x75efd8, p=0x6a7138, ptemp=0x6d6368, mctx=0x7243b0) at ssl_engine_init.c:481 481 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, (gdb) n 484 if (protocol == SSL_PROTOCOL_SSLV3) { (gdb) n 489 else if (protocol == SSL_PROTOCOL_TLSV1) { (gdb) n 495 else if (protocol == SSL_PROTOCOL_TLSV1_1) { (gdb) n 500 else if (protocol == SSL_PROTOCOL_TLSV1_2) { (gdb) n 507 method = mctx->pkp ? (gdb) n 508 SSLv23_client_method() : /* proxy */ (gdb) n 507 method = mctx->pkp ? (gdb) n 511 ctx = SSL_CTX_new(method); (gdb) n 513 mctx->ssl_ctx = ctx; (gdb) n 515 SSL_CTX_set_options(ctx, SSL_OP_ALL); (gdb) s Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5641adb in SSL_CTX_ctrl () from /lib/x86_64-linux-gnu/libssl.so.1.0.0 Apache Compilation: $> CFLAGS="-Og -g -ggdb3"; export CFLAGS $> ./configure --prefix=/apache --with-included-apr --enable-modules=most --enable-mods-shared=all --enable-mime-magic --enable-unique-id --enable-logio --enable-ssl --enable-proxy --enable-proxy-http --enable-deflate --enable-mpms-shared=event worker prefork --enable-nonportable-atomics=yes ModSec Compilation: $> CFLAGS="-Og -g -ggdb3"; export CFLAGS $> ./configure --with-apxs=/apache/bin/apxs --with-apu=/apache/bin/apu-1-config --with-apr=/apache/bin/apr-1-config --with-pcre=/usr/bin/pcre-config Minimal apache configuration producing the error: ServerName localhost ServerAdmin root@localhost ServerRoot /apache PidFile /tmp/httpd.pid Listen 127.0.0.1:443 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule unixd_module modules/mod_unixd.so LoadModule ssl_module modules/mod_ssl.so LoadModule unique_id_module modules/mod_unique_id.so LoadModule security2_module modules/mod_security2.so SecRule REMOTE_ADDR "@ipMatchFromFile https://blacklistserver.example.com/ip-blacklist.txt <http://scanmail.trustwave.com/?c=4062&d=sqfs1I9cPYBDMuH_bTqzApeucY7c2QMsI_ hmE7t92g&s=5&u=https%3a%2f%2fblacklistserver%2eexample%2ecom%2fip-blacklist %2etxt>" "id:10500,pass" <VirtualHost *:443> ServerName localhost SSLEngine On </VirtualHost> Unfortunately, I have not compiled /lib/x86_64-linux-gnu/libssl.so.1.0.0 myself, so I guess that's why I can not dig into that library with gdb. I have a core-file if that is needed. Best, Christian Folini ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
