Thread: [mod-security-users] ModSecurity 2.5.10 Released
From: Brian R. <bre...@gm...> - 2009-09-24 22:06:39
|
ModSecurity 2.5.10 has been released and is now available.

This release fixes a number of small issues. Notable issues that have been fixed are a cleaner build process, fixes to mlogc to build on Windows and allow more reliable SSL neg. to the console, less verbose logging when using anomaly scoring with CRS v2.x and a feature to allow easier use with Apache mpm-itk.

Downloads and docs from modsecurity.org as usual.

18 Sep 2009 - 2.5.10
--------------------
* Cleanup mlogc so that it builds on Windows.
* Added more detailed messages to replace "Unknown error" in filters.
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning auditlog permissions (especially with mpm-itk).
* Cleanup SecUploadFileMode implementation.
* Cleanup build scripts.
* Fixed crash on configuration if SecMarker is used before any rules.
* Fixed SecRuleUpdateActionById so that it will work on chain starters.
* Cleanup build system for mlogc.
* Allow mlogc to periodically flush memory pools.
* Using nolog,auditlog will now log the "Message:" line to the auditlog, but nothing to the error log. Prior versions dropped the "Message:" line from both logs. To do this now, just use "nolog" or "nolog,noauditlog".
* Forced mlogc to use SSLv3 to avoid some potential auto negotiation issues with some libcurl versions.
* Fixed mlogc issue seen on big endian machines where content type could be listed as zero.
* Removed extra newline from audit log message line when logging XML errors. This was causing problems parsing audit logs.
* Fixed @pm/@pmFromFile case insensitivity.
* Truncate long parameters in log message for "Match of ... against ... required" messages.
* Correctly resolve chained rule actions in logs.
* Cleanup some code for portability.
* AIX does not support hidden visibility with xlc compiler.
* Allow specifying EXTRA_CFLAGS during configure to override gcc specific values for non-gcc compilers.
* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
* Handle a newer geo database more gracefully, avoiding a potential crash for new countries that ModSecurity is not yet aware.
* Allow checking &GEO "@eq 0" for a failed @geoLookup.
* Fixed mlogc global mutex locking issue and added more debugging output.
* Cleaned up build dependencies and configure options.
|
From: Mike D. <Mik...@no...> - 2009-09-25 19:14:41
|
A heads up...I think that this version requires lua 5.1.4 (possibly a little less version tho). I have RHEL 5.4 with lua 5.0.2 from DAG installed currently and 2.5.9 seems fine. However, 2.5.10's make fails...

===
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
-fno-strict-aliasing -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread
-I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -O2
-g -Wall -I/usr/include/httpd -I/usr/include/httpd -I.
-I/usr/include/apr-1 -I/usr/kerberos/include -I/usr/include/libxml2
-I/usr/include -DWITH_LUA -c -o msc_lua.lo msc_lua.c && touch msc_lua.slo
msc_lua.c: In function 'lua_compile':
msc_lua.c:96: warning: implicit declaration of function 'luaL_openlibs'
msc_lua.c: In function 'resolve_tfns':
msc_lua.c:159: warning: implicit declaration of function 'lua_objlen'
msc_lua.c: At top level:
msc_lua.c:338: error: array type has incomplete element type
msc_lua.c: In function 'lua_execute':
msc_lua.c:378: warning: implicit declaration of function 'luaL_register'
apxs:Error: Command failed with rc=65536
.
make: *** [mod_security2.la] Error 1
===

On another RHEL 5.4 with lua 5.1.4 (devel as well) installed everything compiles fine. You can download lua binary packages from here: http://luaforge.net/frs/?group_id=110.

Let me know if I am wrong on the versioning or missing something. I guess DAG has not updated this package in some time.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
|
From: Brian R. <bre...@gm...> - 2009-09-25 19:29:19
|
ModSecurity has always required Lua 5.1.x. Perhaps this version is finding 5.0 by mistake instead of ignoring it? The --without-lua configure option should help you. I'll look at adding a version check to the next release.

thanks,
-B
|
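A pre-build check of the kind discussed in the two messages above, as an added example that is not part of the thread or of ModSecurity's build system. It assumes that lua.h from Lua 5.1 defines LUA_VERSION_NUM as 501 while Lua 5.0's lua.h only carries a LUA_VERSION string; the function names and the sample include directories are hypothetical.

```shell
#!/bin/sh
# Added example: find out which Lua headers a build would pick up before
# running configure, so a Lua 5.0 install is caught up front instead of
# failing in msc_lua.c.

# Print the version declared by a lua.h file as "major.minor",
# "unknown" if no version macro is found, or "missing" if unreadable.
lua_header_version() {
    hdr=$1
    [ -r "$hdr" ] || { echo "missing"; return 0; }
    # Lua 5.1 and later: numeric macro, e.g. "#define LUA_VERSION_NUM 501"
    num=$(sed -n 's/^#define[[:space:]]\{1,\}LUA_VERSION_NUM[[:space:]]\{1,\}\([0-9]\{3,\}\).*/\1/p' "$hdr" | head -n 1)
    if [ -n "$num" ]; then
        echo "$((num / 100)).$((num % 100))"
        return 0
    fi
    # Lua 5.0: only a string macro, e.g. '#define LUA_VERSION "Lua 5.0.2"'
    str=$(sed -n 's/^#define[[:space:]]\{1,\}LUA_VERSION[[:space:]]\{1,\}"Lua \([0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p' "$hdr" | head -n 1)
    echo "${str:-unknown}"
}

# Classify one include directory: "absent", "ok <ver>" or "reject <ver>".
check_lua_include_dir() {
    ver=$(lua_header_version "$1/lua.h")
    case $ver in
        missing) echo "absent" ;;
        5.1)     echo "ok $ver" ;;
        *)       echo "reject $ver" ;;
    esac
}

# Walk the include directories in the order given (the first lua.h found
# wins, as with -I search order) and print what to do at configure time:
#   use-lua <dir>            headers are 5.1.x, build with Lua support
#   without-lua <dir> <ver>  wrong headers found, pass --without-lua
#   without-lua none         no lua.h found at all
configure_advice() {
    for dir in "$@"; do
        result=$(check_lua_include_dir "$dir")
        case $result in
            absent)  continue ;;
            ok*)     echo "use-lua $dir"; return 0 ;;
            reject*) echo "without-lua $dir ${result#reject }"; return 0 ;;
        esac
    done
    echo "without-lua none"
}

# Constructed sample headers (not real Lua sources): only the version
# macros are reproduced, tab-separated as in the upstream headers.
make_sample_headers() {
    mkdir -p "$1/lua50" "$1/lua51"
    printf '#define LUA_VERSION\t"Lua 5.0.2"\n' > "$1/lua50/lua.h"
    printf '#define LUA_VERSION\t"Lua 5.1"\n#define LUA_RELEASE\t"Lua 5.1.4"\n#define LUA_VERSION_NUM\t501\n' > "$1/lua51/lua.h"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_sample_headers "$demo"

# Old headers first in the search path: advise --without-lua.
configure_advice "$demo/lua50" "$demo/lua51"
# 5.1 headers first: Lua support can be built.
configure_advice "$demo/lua51" "$demo/lua50"
```

On a real host the arguments would be the -I directories from the failing compile line, in the same order.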
From: yersinia <yer...@gm...> - 2009-09-26 09:10:19
|
On Fri, Sep 25, 2009 at 9:29 PM, Brian Rectanus <bre...@gm...> wrote:

> ModSecurity has always required Lua 5.1.x. Perhaps this version is
> finding 5.0 by mistake instead of ignoring it? The --without-lua
> configure option should help you. I'll look at adding a version check
> to the next release.

Could be useful for ModSecurity, in order to improve the portability, put in the tarball the corrected versions of lua, or pcre, .. and decide at configure time (or with a switch to configure) whether to include the private version or link to the one on the system? This is what rpm has done for years. Are you interested in this development? I have some experience with autofu and portability issues, so perhaps I can help in trying but I prefer to ask first.

Thanks
|
From: Alberto G. I. <ag...@in...> - 2009-09-26 23:10:19
|
On Sat, Sep 26, 2009 at 11:10:11AM +0200, yersinia wrote:

> Could be useful for ModSecurity, in order to improve the portability, put
> in the tarball the corrected versions of lua, or pcre, .. and decide at
> configure time (or with a switch to configure) whether to include the
> private version or link to the one on the system? This is what rpm has
> done for years. Are you interested in this development? I have some
> experience with autofu and portability issues, so perhaps I can help in
> trying but I prefer to ask first.
> Thanks

I don't think that's a good idea. Having different versions of lua/foobar around your system. The documentation should state which software you need, and which versions are required, to build Modsecurity. Creating a huge tarball with all the build dependencies is plain ugly and will lead to confusions.

My 2c.

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
|
From: yersinia <yer...@gm...> - 2009-09-27 06:40:46
|
On Sun, Sep 27, 2009 at 12:51 AM, Alberto Gonzalez Iniesta <ag...@in...> wrote:

> I don't think that's a good idea. Having different versions of
> lua/foobar around your system. The documentation should state which
> software you need, and which versions are required, to build
> Modsecurity. Creating a huge tarball with all the build dependencies is
> plain ugly and will lead to confusions.

Could increase the work of the developer, but also make it more free in its choices, but largely simplify the end luser experience and extend the platforms on which a product works. This is my experience, that might not be worth much, and that of the maintainer of this project

http://rpm5.org/cvs/fileview?f=rpm/INSTALL&v=2.125
http://rpm5.org/cvs/chngview?cn=13173

But YMMV, as everyone else.

Elia
|
From: Brian R. <Bri...@br...> - 2009-09-28 08:52:55
|
yersinia wrote:

> Could increase the work of the developer, but also make it more free in
> its choices, but largely simplify the end luser experience and extend
> the platforms on which a product works. This is my experience, that
> might not be worth much, and that of the maintainer of this project
> http://rpm5.org/cvs/fileview?f=rpm/INSTALL&v=2.125
> http://rpm5.org/cvs/chngview?cn=13173
>
> But YMMV, as everyone else.
>
> Elia

Lua is not required, so I don't want to package it. The docs clearly state Lua 5.1.x and that it is optional (http://modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#installation). Also, as Alberto stated, I don't think any of the people putting ModSecurity into a distribution will want it either (they will build with the distribution's version). On top of that, I just don't think it very wise to distribute another lib's source as that means it becomes my responsibility to have to keep it up-to-date and I don't need the extra work. Nor do I want to have to release another ModSecurity package just because there is a flaw in one of the bundled libs.

-B

--
Brian Rectanus
Breach Security
|
From: Mark L. <ml...@sg...> - 2009-09-29 17:52:52
|
Agreed: increasing the scope of the ModSecurity distribution to include an optional package isn't a good pragmatic choice for the reasons already cited by Brian. Furthermore, your example of RPM5 illustrates a reason for those maintainers to bundle Lua (loss of some functionality), but the same doesn't hold for ModSecurity.

External (Optional) dependencies are the reason for RPM, .deb, etc. package management: perhaps this issue reveals some demand for a non-source distribution of ModSecurity.

Cheers,

Mark Lavi
Senior Web Producer
sgi
46600 Landing Parkway
Fremont, CA 94538
(510) 933-5234 direct
ml...@sg...
www.sgi.com
|
From: Mike D. <Mik...@no...> - 2009-09-25 19:42:29
|
That's koOl. I was primarily sending this because RHEL 5 does not have a
lua package and DAG's version is quite old. I know someone will probably
run into this issue at some point.

Thanks Brian and have a good weekend all.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

Brian Rectanus wrote:
> ModSecurity has always required Lua 5.1.x. Perhaps this version is
> finding 5.0 by mistake instead of ignoring it? The --without-lua
> configure option should help you. I'll look at adding a version check
> to the next release.
>
> thanks,
> -B
>
> On Fri, Sep 25, 2009 at 12:16 PM, Mike Duncan <Mik...@no...> wrote:
> A heads up...I think that this version requires lua 5.1.4 (possibly a
> little less version tho). I have RHEL 5.4 with lua 5.0.2 from DAG
> installed currently and 2.5.9 seems fine. However, 2.5.10's make fails...
>
> ===
> /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic
> -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> -fno-strict-aliasing -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread
> -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -O2
> -g -Wall -I/usr/include/httpd -I/usr/include/httpd -I.
> -I/usr/include/apr-1 -I/usr/kerberos/include -I/usr/include/libxml2
> -I/usr/include -DWITH_LUA -c -o msc_lua.lo msc_lua.c && touch msc_lua.slo
> msc_lua.c: In function 'lua_compile':
> msc_lua.c:96: warning: implicit declaration of function 'luaL_openlibs'
> msc_lua.c: In function 'resolve_tfns':
> msc_lua.c:159: warning: implicit declaration of function 'lua_objlen'
> msc_lua.c: At top level:
> msc_lua.c:338: error: array type has incomplete element type
> msc_lua.c: In function 'lua_execute':
> msc_lua.c:378: warning: implicit declaration of function 'luaL_register'
> apxs:Error: Command failed with rc=65536
> .
> make: *** [mod_security2.la] Error 1
> ===
>
> On another RHEL 5.4 with lua 5.1.4 (devel as well) installed everything
> compiles fine. You can download lua binary packages from here:
> http://luaforge.net/frs/?group_id=110.
>
> Let me know if I am wrong on the versioning or missing something. I
> guess DAG has not updated this package in some time.
>
> Mike Duncan
> ISSO, Application Security Specialist
> Government Contractor with STG, Inc.
> NOAA :: National Climatic Data Center
|
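The reply quoted above mentions adding a Lua version check; one way such a pre-build check could look, as an added example that is not ModSecurity's own configure code. It assumes Lua 5.1.x headers define `LUA_VERSION_NUM` as 501 and Lua 5.0 headers do not define it; the function names, the `with-lua`/`without-lua` labels and the sample headers are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not ModSecurity's configure code.
# Assumption: Lua 5.1+ headers define LUA_VERSION_NUM (501 for 5.1.x);
# Lua 5.0 headers do not define it at all.

# Print LUA_VERSION_NUM from a lua.h; status 1 if absent, 2 if unreadable.
lua_version_num() {
    [ -r "$1" ] || return 2
    num=$(sed -n 's/^#[[:space:]]*define[[:space:]][[:space:]]*LUA_VERSION_NUM[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$num" ] || return 1
    printf '%s\n' "$num"
}

# Decide how to build: "with-lua" only for a 5.1.x header, otherwise
# "without-lua" plus the reason, and a non-zero status.
lua_build_mode() {
    if ver=$(lua_version_num "$1"); then
        if [ "$ver" -eq 501 ]; then
            echo "with-lua"
            return 0
        fi
        echo "without-lua: LUA_VERSION_NUM=$ver is not 5.1.x"
        return 1
    fi
    echo "without-lua: no LUA_VERSION_NUM in $1 (pre-5.1 or missing header)"
    return 1
}

# Constructed sample headers (minimal stand-ins for real lua.h files).
write_samples() {
    mkdir -p "$1/lua50" "$1/lua51"
    printf '#define LUA_VERSION\t"Lua 5.0.2"\n' > "$1/lua50/lua.h"
    printf '#define LUA_VERSION\t"Lua 5.1"\n#define LUA_RELEASE\t"Lua 5.1.4"\n#define LUA_VERSION_NUM\t501\n' > "$1/lua51/lua.h"
}

# Demo run over the constructed headers.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
lua_build_mode "$demo_dir/lua50/lua.h" || true
lua_build_mode "$demo_dir/lua51/lua.h"
rm -rf "$demo_dir"
```

Point `lua_build_mode` at the `lua.h` found first on the compiler's include path, since that is the header the build will actually pick up.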