modsecurity-3.0.10-bp154.2.3.1

Name: modsecurity
Version: 3.0.10
Release: bp154.2.3.1
Summary: Web application firewall engine
Description: ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
Build host: i04-ch2b
Distribution: SUSE Linux Enterprise 15
Vendor: openSUSE
License: BSD-2-Clause
Bug URL: http://bugs.opensuse.org
Group: Productivity/Networking/Security
URL: https://www.modsecurity.org/
OS: linux
Architecture: i586
File owner and group: root
Source RPM: modsecurity-3.0.10-bp154.2.3.1.src.rpm
Provides: modsecurity, modsecurity(x86-32)
Requires:
  libc.so.6
  libc.so.6(GLIBC_2.0)
  libc.so.6(GLIBC_2.1.3)
  libc.so.6(GLIBC_2.4)
  libgcc_s.so.1
  libgcc_s.so.1(GCC_3.0)
  libmodsecurity.so.3
  libstdc++.so.6
  libstdc++.so.6(CXXABI_1.3)
  libstdc++.so.6(GLIBCXX_3.4)
  libstdc++.so.6(GLIBCXX_3.4.11)
  libstdc++.so.6(GLIBCXX_3.4.21)
  libstdc++.so.6(GLIBCXX_3.4.9)
  rpmlib(CompressedFileNames) 3.0.4-1
  rpmlib(FileDigests) 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) 4.0-1
  rpmlib(PayloadIsXz) 5.2-1
RPM version: 4.14.3

Changelog authors: David Anes, Danilo Spinella, Michael Ströder, Georg Pfuetzenreuter, Ferdinand Thiessen, Dirk Mueller, jengelh@inai.de, mrostecki@suse.com, mrostecki@suse.com, mrostecki@suse.com

Changelog:

- Update to version 3.0.10:
  * Security impacting issue (fix bsc#1213702, CVE-2023-38285)
    - Fix: worst-case time in implementation of four transformations
    - Additional information on this issue is available at
      https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
  * Enhancements and bug fixes
    - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
    - Make MULTIPART_PART_HEADERS accessible to lua
    - Fix: Lua scripts cannot read whole collection at once
    - Fix: quoted Include config with wildcard
    - Support isolated PCRE match limits
    - Fix: meta actions not applied if multiMatch in first rule of chain
    - Fix: audit log may omit tags when multiMatch
    - Exclude CRLF from MULTIPART_PART_HEADER value
    - Configure: use AS_ECHO_N instead echo -n
    - Adjust position of memset from 2890

- Update to version 3.0.9:
  * Add some member variable inits in Transaction class (possible segfault)
  * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  * Resolve memory leak on reload (bison-generated variable)
  * Support equals sign in XPath expressions
  * Encode two special chars in error.log output
  * Add JIT support for PCRE2
  * Support comments in ipMatchFromFile file via '#' token
  * Use name package name libmaxminddb with pkg-config
  * Fix: FILES_TMP_CONTENT collection key should use part name
  * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  * During configure, do not check for pcre if pcre2 specified
  * Use pkg-config to find libxml2 first
  * Fix two rule-reload memory leak issues
  * Correct whitespace handling for Include directive
- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, bsc#1210993

- Update to version 3.0.8
  * Adjust parser activation rules in modsecurity.conf-recommended [#2796]
  * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
  * Prevent LMDB related segfault [#2755, #2761]
  * Fix msc_transaction_cleanup function comment typo [#2788]
  * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
  * Restore Unique_id to include random portion after timestamp [#2752, #2758]

- Update to version 3.0.7
  * Support PCRE2
  * Support SecRequestBodyNoFilesLimit
  * Add ctl:auditEngine action support
  * Move PCRE2 match block from member variable
  * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  * Fix memory leak when concurrent log includes REMOTE_USER
  * Fix LMDB initialization issues
  * Fix initcol error message wording
  * Tolerate other parameters after boundary in multipart C-T
  * Add DebugLog message for bad pattern in rx operator
  * Fix misuses of LMDB API
  * Fix duplication typo in code comment
  * Fix multiMatch msg, etc, population in audit log
  * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  * Adjust confusing variable name in setRequestBody method
  * Multipart names/filenames may include single quote if double-quote enclosed
  * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

- Update to version 3.0.6
  * Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717
- Update to version 3.0.5
  * New: Having ARGS_NAMES, variables proxied
  * Fix: FILES variable does not use multipart part name for key
  * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
  * Support configurable limit on number of arguments processed
  * Adds support to lua 5.4
  * Add support for new operator rxGlobal
  * Fix: Replaces put with setenv in SetEnv action
  * Fix: Regex key selection should not be case-sensitive
  * Fix: Only delete Multipart tmp files after rules have run
  * Fixed MatchedVar on chained rules
  * Fix IP address logging in Section A
  * Fix: rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars
  * Fix rule-update-target for non-regex
  * Fix Security Impacting Issues:
    * Handle URI received with uri-fragment, CVE-2020-15598

- add baselibs, fix packaging (install into %_libdir)
- update to 3.0.4:
  - Fix: audit log data omitted when nolog,auditlog
  - Fix: ModSecurity 3.x inspectFile operator does not pass
  - XML: Remove error messages from stderr
  - Filter comment or blank line for pmFromFile operator
  - Additional adjustment to Cookie header parsing
  - Restore chained rule part H logging to be more like 2.9 behaviour
  - Small fixes in log messages to help debugging the file upload
  - Fix Cookie header parsing issues
  - Fix rules with nolog are logging to part H
  - Fix argument key-value pair parsing cases
  - Fix: audit log part for response body for JSON format to be E
  - Make sure m_rulesMessages is filled after successful match
  - Fix @pm lookup for possible matches on offset zero.
  - Regex lookup on the key name instead of COLLECTION:key
  - Missing throw in Operator::instantiate
  - Making block action execution dependent of the SecEngine status
  - Making block action execution dependent of the SecEngine status
  - Having body limits to respect the rule engine state
  - Fix SecRuleUpdateTargetById does not match regular expressions
  - Adds missing check for runtime ctl:ruleRemoveByTag
  - Adds a new operator verifySVNR that checks for Austrian social security numbers.
  - Fix variables output in debug logs
  - Correct typo validade in log output
  - fix/minor: Error encoding hexa decimal.
  - Limit more log variables to 200 characters.
  - parser: fix parsed file names
  - Allow empty anchored variable
  - Fixed FILES_NAMES collection after the end of multipart parsing
  - Fixed validateByteRange parsing method
  - Removes a memory leak on the JSON parser
  - Enables LMDB on the regression tests.
  - Fix: Extra whitespace in some configuration directives causing error
  - Refactoring on Regex and SMatch classes.
  - Fixed buffer overflow in Utils::Md5::hexdigest()
  - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  - Adds initially support to the drop action.
  - Complete merging of particular rule properties
  - Replaces AC_CHECK_FILE with 'test -f'
  - Fix inet addr handling on 64 bit big endian systems
  - Fix tests on FreeBSD
  - Changes ENV test case to read the default MODSECURTIY env var
  - Regression: Sets MODSECURITY env var during the tests execution
  - Fix setenv action to strdup key=variable
  - Allow 0 length JSON requests.
  - Fix "make dist" target to include default configuration
  - Replaced log locking using mutex with fcntl lock
  - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
  - Adds support to multiple ranges in ctl:ruleRemoveById
  - Rule variable interpolation broken
  - Make the boundary check less strict as per RFC2046
  - Fix buffer size for utf8toUnicode transformation
  - Fix double macros bug
  - Override the default status code if not suitable to redirect action
  - parser: Fix the support for CRLF configuration files
  - Organizes the server logs
  - m_lineNumber in Rule not mapping with the correct line number in file
  - Using shared_ptr instead of unique_ptr on rules exceptions
  - Changes debuglogs schema to avoid unnecessary str allocation
  - Fix the SecUnicodeMapFile and SecUnicodeCodePage
  - Changes the timing to save the rule message
  - Fix crash in msc_rules_add_file() when using disruptive action in chain
  - Fix memory leak in AuditLog::init()
  - Fix RulesProperties::appendRules()
  - Fix RULE lookup in chained rules
  - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
  - Using values after transformation at MATCHED_VARS
  - Adds support to UpdateActionById.
  - Add correct C function prototypes for msc_init and msc_create_rule_set
  - Allow LuaJIT 2.1 to be used
  - Match m_id JSON log with RuleMessage and v2 format
  - Adds support to setenv action.
  - Adds new transaction constructor that accepts the transaction id as parameter.
  - Adds request IDs and URIs to the debug log
  - Treating variables exception on load-time instead of run time.
  - Fix: function m.setvar in Lua scripts and add testcases
  - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
  - Fix OpenBSD build
  - Fix parser to support GeoLookup with MaxMind
  - parser: Fix simple quote setvar in the end of the line
  - Fix pc file
  - modsec_rules_check: uses the gnu `.la' instead of `.a' file
  - good practices: Initialize variables before use it
  - Fix utf-8 character encoding conversion
  - Adds support for ctl:requestBodyProcessor=URLENCODED
  - Add LUA compatibility for CentOS and try to use LuaJIT first if available
  - Allow LuaJIT to be used
  - Implement support for Lua 5.1
  - Variable names must match fully, not partially. Match should be case insensitive.
  - Improves the performance while loading the rules
  - Allow empty strings to be evaluated by regex::searchAll
  - Adds basic pkg-config info
  - Fixed LMDB collection errors
  - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
  - Fix ip tree lookup on netmask content
  - Changes the behavior of the default sec actions
  - Refactoring on {global,ip,resources,session,tx,user} collections
  - Fix race condition in UniqueId::uniqueId()
  - Fix memory leak in error message for msc_rules_merge C APIs
  - Return false in SharedFiles::open() when an error happens
  - Use rvalue reference in ModSecurity::serverLog
  - Build System: Fix when multiple lines for curl version.
  - Checks if response body inspection is enabled before process it
  - Code Cleanup.
  - Fix setvar parsing of quoted data
  - Fix LDFLAGS for unit tests.
  - Adds time stamp back to the audit logs
  - Disables skip counter if debug log is disabled
  - Cosmetics: Represents amount of skipped rules without decimal
  - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
  - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
  - Fix memory leak in modsecurity::utils::expandEnv()
  - Initialize m_dtd member in ValidateDTD class as NULL
  - Fix broken @detectxss operator regression test case
  - Fix utils::string::ssplit() to handle delimiter in the end of string
  - Fix variable FILES_TMPNAMES
  - Fix memory leak in Collections
  - Fix lib version information while generating the .so file
  - Adds support for ctl:ruleRemoveByTag
  - Fix SecUploadDir configuration merge
  - Include all prerequisites for "make check" into dist archive
  - Fix: Reverse logic of checking output in @inspectFile
  - Adds support to libMaxMind
  - Adds capture action to detectXSS
  - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
  - Adds capture action to detectSQLi
  - Adds capture action to rbl
  - Adds capture action to verifyCC
  - Adds capture action to verifySSN
  - Adds capture action to verifyCPF
  - Prettier error messages for unsupported configurations (UX)
  - Add missing verify*** transformation statements to parser
  - Fix a set of compilation warnings
  - Check for disruptive action on SecDefaultAction.
  - Fix block-block infinite loop.
  - Correction remove_by_tag and remove_by_msg logic.
  - Fix LMDB compile error
  - Fix msc_who_am_i() to return pointer to a valid C string
  - Added some cosmetics to autoconf related code
  - Fix "make dist" target to include necessary headers for Lua
  - Fix "include /foo/*.conf" for single matched object in directory
  - Add missing Base64 transformation statements to parser
  - Fixed resource load on ip match from file
  - Fixed examples compilation while using disable-shared
  - Fixed compilation issue while xml is disabled
  - Having LDADD and LDFLAGS organized on Makefile.am
  - Checking std::deque size before use it
  - perf improvement: Added the concept of RunTimeString and removed all run time parser.
  - perf improvement: Checks debuglog level before format debug msg
  - perf. improvement/rx: Only compute dynamic regex in case of macro
  - Fix uri on the benchmark utility
- disable Lua on systems with liblua5.1

- Remove rhetoric part from descriptions.

- Remove libltdl7 from build dependencies

- Make use of %license macro
- Make use of %{version} variable
- Sort dependencies alphabetically

- Initial release

Cookie: i04-ch2b 1694076089
Version-release: 3.0.10-bp154.2.3.1
Files: modsec-rules-check, modsecurity, LICENSE
Directories: /usr/bin/, /usr/share/licenses/, /usr/share/licenses/modsecurity/
Build flags: -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection
Dist URL: obs://build.opensuse.org/openSUSE:Maintenance:18063/openSUSE_Backports_SLE-15-SP4_Update/e42d5000c111612c7daea99c07461d89-modsecurity.openSUSE_Backports_SLE-15-SP4_Update
Payload: cpio, xz, 5
Platform: i586-suse-linux
File types:
  ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=40b4dd1ed4b76c2ed325884d7b6bb0a859c3a02a, for GNU/Linux 3.2.0, not stripped
  directory
  ASCII text
Encoding: utf-8