modsecurity-3.0.10-bp154.2.3.1 4>$  Apdx!M@eeeGz&L}bٚ0)xOZlk4[j֩! RQWv.%ylwء0&&ܟ!Q $p3mԻ@f{ݫ?s`UD+!@}JeQ22oϋ{X9'>Su^ŋ}f2cS_#sHS?@їkbJSk㬿Z9FCW=+8pX*S+FPoaU h끔O AC~e4d7e7e3a5d699594d27a13018edd5884b976739a55733f0f6cbdae5c13c57c48dfa5d0ea98d10d1d59932d0e2ef85845d882da1hdx!M@eeeF^ jzK}t]*#)Dj %8 MjLuxŠ-㝋v atwK HT~QnK*%|7އl5)Э˓/C5,F*}fPΧn Y&g0PDp~: hik}u@@O>!9`lI('9-t6}o;$PTM ݶ |/߬RG Yx|^2YMT-P6>p>:(?:d ! A !>DLX ^ d p  "LX|(8 9 : F6HG6\H6hI6tX6xY6\6]6^6b7c7d8le8qf8tl8vu8v8w9px9|y9 z9999:Cmodsecurity3.0.10bp154.2.3.1Web application firewall engineModSecurity is a toolkit for real-time web application monitoring, logging, and access control.ds390zl24SUSE Linux Enterprise 15openSUSEBSD-2-Clausehttp://bugs.opensuse.orgProductivity/Networking/Securityhttps://www.modsecurity.org/linuxs390xb,]A큤dddN138f20bdcb3ce1d82015859c144db6609550879691fb8158556a8f180f246ceec71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4rootrootrootrootrootrootmodsecurity-3.0.10-bp154.2.3.1.src.rpmmodsecuritymodsecurity(s390-64)@@@@@@@@@@@@    libc.so.6()(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.4)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libmodsecurity.so.3()(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)libstdc++.so.6(GLIBCXX_3.4.11)(64bit)libstdc++.so.6(GLIBCXX_3.4.21)(64bit)libstdc++.so.6(GLIBCXX_3.4.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3ddZ5c]bb_*@[I[CN@[:Z@David Anes Danilo Spinella Michael Ströder Georg Pfuetzenreuter Ferdinand Thiessen Dirk Mueller jengelh@inai.demrostecki@suse.commrostecki@suse.commrostecki@suse.com- Update to version 3.0.10: * Security impacting issue (fix bsc#1213702, CVE-2023-38285) - Fix: worst-case time in implementation of four transformations - Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/ * Enhancements and bug fixes - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED - Make MULTIPART_PART_HEADERS accessible to lua - Fix: Lua scripts cannot read whole collection at once - Fix: quoted Include config with wildcard - Support isolated PCRE match limits - Fix: meta actions not applied if multiMatch in first rule of chain - Fix: audit log may omit tags when multiMatch - Exclude CRLF from MULTIPART_PART_HEADER value - Configure: use AS_ECHO_N instead echo -n - Adjust position of memset from 2890- Update to version 3.0.9: * Add some member variable inits in Transaction class (possible segfault) * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list * Resolve memory leak on reload (bison-generated variable) * Support equals sign in XPath expressions * Encode two special chars in error.log output * Add JIT support for PCRE2 * Support comments in ipMatchFromFile file via '#' token * Use name package name libmaxminddb with pkg-config * Fix: FILES_TMP_CONTENT collection key should use part name * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro * During configure, do not check for pcre if pcre2 specified * Use pkg-config to find libxml2 first * Fix two rule-reload memory leak issues * Correct whitespace handling for Include directive - Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, bsc#1210993- Update to version 3.0.8 * Adjust parser activation rules in modsecurity.conf-recommended [#2796] * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795] * Prevent LMDB related segfault [#2755, #2761] * Fix msc_transaction_cleanup function comment typo [#2788] * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785] * Restore Unique_id to include random portion after timestamp [#2752, #2758]- Update to version 3.0.7 * Support PCRE2 * Support SecRequestBodyNoFilesLimit * Add ctl:auditEngine action support * Move PCRE2 match block from member variable * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended * Fix memory leak when concurrent log includes REMOTE_USER * Fix LMDB initialization issues * Fix initcol error message wording * Tolerate other parameters after boundary in multipart C-T * Add DebugLog message for bad pattern in rx operator * Fix misuses of LMDB API * Fix duplication typo in code comment * Fix multiMatch msg, etc, population in audit log * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc. * Adjust confusing variable name in setRequestBody method * Multipart names/filenames may include single quote if double-quote enclosed * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended- Update to version 3.0.6 * Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717 - Update to version 3.0.5 * New: Having ARGS_NAMES, variables proxied * Fix: FILES variable does not use multipart part name for key * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE * Support configurable limit on number of arguments processed * Adds support to lua 5.4 * Add support for new operator rxGlobal * Fix: Replaces put with setenv in SetEnv action * Fix: Regex key selection should not be case-sensitive * Fix: Only delete Multipart tmp files after rules have run * Fixed MatchedVar on chained rules * Fix IP address logging in Section A * Fix: rx: exit after full match (remove /g emulation); ensure capture groups occuring after unused groups still populate TX vars * Fix rule-update-target for non-regex * Fix Security Impacting Issues: * Handle URI received with uri-fragment, CVE-2020-15598- add baselibs, fix packaging (install into %_libdir) - update to 3.0.4: - Fix: audit log data omitted when nolog,auditlog - Fix: ModSecurity 3.x inspectFile operator does not pass - XML: Remove error messages from stderr - Filter comment or blank line for pmFromFile operator - Additional adjustment to Cookie header parsing - Restore chained rule part H logging to be more like 2.9 behaviour - Small fixes in log messages to help debugging the file upload - Fix Cookie header parsing issues - Fix rules with nolog are logging to part H - Fix argument key-value pair parsing cases - Fix: audit log part for response body for JSON format to be E - Make sure m_rulesMessages is filled after successfull match - Fix @pm lookup for possible matches on offset zero. - Regex lookup on the key name instead of COLLECTION:key - Missing throw in Operator::instantiate - Making block action execution dependent of the SecEngine status - Making block action execution dependent of the SecEngine status - Having body limits to respect the rule engine state - Fix SecRuleUpdateTargetById does not match regular expressions - Adds missing check for runtime ctl:ruleRemoveByTag - Adds a new operator verifySVNR that checks for Austrian social security numbers. - Fix variables output in debug logs - Correct typo validade in log output - fix/minor: Error encoding hexa decimal. - Limit more log variables to 200 characters. - parser: fix parsed file names - Allow empty anchored variable - Fixed FILES_NAMES collection after the end of multipart parsing - Fixed validateByteRange parsing method - Removes a memory leak on the JSON parser - Enables LMDB on the regression tests. - Fix: Extra whitespace in some configuration directives causing error - Refactoring on Regex and SMatch classes. - Fixed buffer overflow in Utils::Md5::hexdigest() - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString - Adds initially support to the drop action. - Complete merging of particular rule properties - Replaces AC_CHECK_FILE with 'test -f' - Fix inet addr handling on 64 bit big endian systems - Fix tests on FreeBSD - Changes ENV test case to read the default MODSECURTIY env var - Regression: Sets MODSECURITY env var during the tests execution - Fix setenv action to strdup key=variable - Allow 0 length JSON requests. - Fix "make dist" target to include default configuration - Replaced log locking using mutex with fcntl lock - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES - Adds support to multiple ranges in ctl:ruleRemoveById - Rule variable interpolation broken - Make the boundary check less strict as per RFC2046 - Fix buffer size for utf8toUnicode transformation - Fix double macros bug - Override the default status code if not suitable to redirect action - parser: Fix the support for CRLF configuration files - Organizes the server logs - m_lineNumber in Rule not mapping with the correct line number in file - Using shared_ptr instead of unique_ptr on rules exceptions - Changes debuglogs schema to avoid unecessary str allocation - Fix the SecUnicodeMapFile and SecUnicodeCodePage - Changes the timing to save the rule message - Fix crash in msc_rules_add_file() when using disruptive action in chain - Fix memory leak in AuditLog::init() - Fix RulesProperties::appendRules() - Fix RULE lookup in chained rules - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0 - Using values after transformation at MATCHED_VARS - Adds support to UpdateActionById. - Add correct C function prototypes for msc_init and msc_create_rule_set - Allow LuaJIT 2.1 to be used - Match m_id JSON log with RuleMessage and v2 format - Adds support to setenv action. - Adds new transaction constructor that accepts the transaction id as parameter. - Adds request IDs and URIs to the debug log - Treating variables exception on load-time instead of run time. - Fix: function m.setvar in Lua scripts and add testcases - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives - Fix OpenBSD build - Fix parser to support GeoLookup with MaxMind - parser: Fix simple quote setvar in the end of the line - Fix pc file - modsec_rules_check: uses the gnu `.la' instead of `.a' file - good practices: Initialize variables before use it - Fix utf-8 character encoding conversion - Adds support for ctl:requestBodyProcessor=URLENCODED - Add LUA compatibility for CentOS and try to use LuaJIT first if available - Allow LuaJIT to be used - Implement support for Lua 5.1 - Variable names must match fully, not partially. Match should be case insensitive. - Improves the performance while loading the rules - Allow empty strings to be evaluated by regex::searchAll - Adds basic pkg-config info - Fixed LMDB collection errors - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors - Fix ip tree lookup on netmask content - Changes the behavior of the default sec actions - Refactoring on {global,ip,resources,session,tx,user} collections - Fix race condition in UniqueId::uniqueId() - Fix memory leak in error message for msc_rules_merge C APIs - Return false in SharedFiles::open() when an error happens - Use rvalue reference in ModSecurity::serverLog - Build System: Fix when multiple lines for curl version. - Checks if response body inspection is enabled before process it - Code Cleanup. - Fix setvar parsing of quoted data - Fix LDFLAGS for unit tests. - Adds time stamp back to the audit logs - Disables skip counter if debug log is disabled - Cosmetics: Represents amount of skipped rules without decimal - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp. - Fix memory leak in modsecurity::utils::expandEnv() - Initialize m_dtd member in ValidateDTD class as NULL - Fix broken @detectxss operator regression test case - Fix utils::string::ssplit() to handle delimiter in the end of string - Fix variable FILES_TMPNAMES - Fix memory leak in Collections - Fix lib version information while generating the .so file - Adds support for ctl:ruleRemoveByTag - Fix SecUploadDir configuration merge - Include all prerequisites for "make check" into dist archive - Fix: Reverse logic of checking output in @inspectFile - Adds support to libMaxMind - Adds capture action to detectXSS - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator - Adds capture action to detectSQLi - Adds capture action to rbl - Adds capture action to verifyCC - Adds capture action to verifySSN - Adds capture action to verifyCPF - Prettier error messages for unsupported configurations (UX) - Add missing verify*** transformation statements to parser - Fix a set of compilation warnings - Check for disruptive action on SecDefaultAction. - Fix block-block infinite loop. - Correction remove_by_tag and remove_by_msg logic. - Fix LMDB compile error - Fix msc_who_am_i() to return pointer to a valid C string - Added some cosmetics to autoconf related code - Fix "make dist" target to include necessary headers for Lua - Fix "include /foo/*.conf" for single matched object in directory - Add missing Base64 transformation statements to parser - Fixed resource load on ip match from file - Fixed examples compilation while using disable-shared - Fixed compilation issue while xml is disabled - Having LDADD and LDFLAGS organized on Makefile.am - Checking std::deque size before use it - perf improvement: Added the concept of RunTimeString and removed all run time parser. - perf improvement: Checks debuglog level before format debug msg - perf. improvement/rx: Only compute dynamic regex in case of macro - Fix uri on the benchmark utility - disable Lua on systems with liblua5.1- Remove rhetoric part from descriptions.- Remove libltdl7 from build dependencies- Make use of %license macro - Make use of %{version} variable - Sort dependencies alphabetically- Initial releases390zl24 16940760323.0.10-bp154.2.3.13.0.10-bp154.2.3.1modsec-rules-checkmodsecurityLICENSE/usr/bin//usr/share/licenses//usr/share/licenses/modsecurity/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protectionobs://build.opensuse.org/openSUSE:Maintenance:18063/openSUSE_Backports_SLE-15-SP4_Update/e42d5000c111612c7daea99c07461d89-modsecurity.openSUSE_Backports_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=fd5509b6afaab906c0e12326df7a8b15ced42185, for GNU/Linux 3.2.0, not strippeddirectoryASCII text RRRRR R R RRRRR#m^F)4=utf-8064ec8a72342555c832c3f8d10de0ddb4ba2265e0b047d14f1e58469744fd64d? 7zXZ !t/*+] crv9wyT.zv2vU8~nVU칏7obb#wz'$B?K3t6%5"VQɰ9a7  HHg&@e6LǑm#Q_$S=!XO2I=@/ #g5LG/4H)en•nz1ߧҩܵ<:^$e`ȁLӾ3\0Vk٣GZ%$ӷ 5\n ٬Q:JW߽ 90VnК M$+y2~h\Z.kei@J% :^3\$=r;A_ }C[,s%<)v&Ŀ^s%X2R3Ld(!37Lfp~. q} đTۡh❳ "LUYߜ|0+YߔLuxyl8p/e8Kĕޅ]D'^vfyXwr~'H4T F_FJi~]4"OY+]#-wv-Bݝ:$0N*euz]hF?JRrzd՚߶ט%7ko 7W-H 6lj+D0PۘJBw`m5/X'#F5]TdZ^oIN% tCf'/K3@]c* t.2*Ln Lbc/td|O,6}bQc!*LYN-:Xktr4/c#?yoجd~Tӥ"Wg;w]}!%(倅1i):H^Aqì 0q,g;v&ۼV\wr/:ݥn,G;CX#k xXmUW SDɜYgd-L,[MRᰤW50x9tgNQњI+ #uY8[sw88vFr$x3gyٶ-^^g2:ユ7Xs & %k wXjIV\L&`kN5'u%nҼ8cL.Q%iMr})>Ue~${ݦkZm|-tf[OL!NikgEO X8l|J8:o(C[7yGSi!/O~8˜?#rv>_?k XщˬYĢ]+f&g3YSFx' r<92-;>1 yӊ *9 j1f R.k_J:wa{v:Q d)i"Sڱii}Bd?@U/xiݞUQfO6E5%#՘Anʿg,[ |R/'C.!K먪WzCzOz!a'lq"y$yy+գ_J,fG6N 3`hq3?(=EBhoOxybPNJҭG$}* †@A@M-gXpT8zIϞsA>):,t7C6;E4r#) UfDX_X<1k1V H R%Q,:É{N\VD W5>nޕ$1t(wɅ&AވUB0Tx+P;=r5tq0ۏz;_i/.s>;Y}6:"&Z{T?82Y:}.:M#Sm0rPg:pR<ڊƠ =vt|4408  Y68pn,rxT5`Ƈ&>r$t]--׌haA-kRFɻ+(ȡ= rb tt?х%(?3Ԁu-jr}³p6|(x+( ʈuoM|@f,'d^4InC][ v,?8) Hmi48aj낋4"?BB~*֮~ jR.|yc=MN*N%' `UH@\-;MNr#d:BN){k=+׋h %p$P8=IlrjM zN).b7aZLaf]3VhܙȨ&? >N1KȾ!|tMD[W*]:X] E$&pJ_c5;n?S*D(֧#4OC_ly5N]EI;mm;3t㹭*|;yƗ@$:By_Xwiǎ F/#eVp lUI̦چO8[|7׏UAE޲ĞB,m>a$*f2"YՁ/);pC86LMۊs}h1:G'hyJL{8krOнՇg=YW:.ĒtD)}dԨbK +0kNWv>HNեȨ/SHv)Fe͜~̗V[GL ajJT!0t 8&';0-?%Ǟfއ@Rb-N}lW-L֠0^5 bmT愸ϗ niJXW 2qra9= C{貐js z3"FyRb`t;އr7tVqa;TF |u]F%~W2:\yTqErNLE[BL$Jx \uߦBf!yߤbXN {SuiV+, w(2qj4 c~^y)9};6`]8y{\ LkA!.B/)CHWe} r8p hZҀlQ ݊EΤ&yɜU>:?IIR%`?}b]-x ) \}`O+=']tt,} 腐)zSgG Gu2\\S̺ąXѧ!HPI$.d!Wk0;?o%' 7<洸By\~Ϩj;w< njť!b$P<ƥ0[܏2B>x{$9g"0{.;nDnEҋ7(zZjWbgX_`jܻor& Hñn6+;{[$|L7 n;)Lx`|P ,ǜ& ڗ ju_6@x`qvYuǍb-=!TvwЫ&e*P` l^'ۍEHvcOn'Zqp՗sءrj5P@t8t؅x+ZiV δC=P0p~}/mW{ԅa}/g~ C8L;]J/xNMs6IES42?!6E7#̔۲ /l,93>&Qϒ/Q0lZe8JdhW) %j1k4!ڍ&i %]<;884.b,/Cl-rr<y#<ޚy,2r<[VTy![4.9 -P b1; EWh#jydb0L~.%v:@9B^5(LO w;G5[aqɡݱ}m &)~і ~)pެzor.k8H)ֲ>i6(Bn-BB0ey"Ƒ7<ŦlY̟ʓk6["<ט] lG*dJ%DD#qlX'_4JpULYR|zjb*)u(m*[ (2z*Wfp@5wE ]ojpKG^8''Aޘ?Oo -seSNFSR6a!VCf|wラ:'+̮dB N0$3g: 2 ^/DELpJ!+_iz u2ITA2\TpjT{Q'[dwT)%Z`~~[[g"Wy.o"*:"w4aVRC(RU^aNlF3@:%NC^_?\,L6[1b 6eH~ Ɵk/%Sm0Ydggdc2t/3kqUIW( KZ cI0 fuXN#xVoHE/2NxCnSyUf*zr\W_׍Kۓ wW ~x< A-5<])N#](`L~#[L됡ʷA,#Ub~:Qqp9h6 p\P|(=1 "2%-,]еP;fNt7D=Z#E٩eR@Χϊ)j܄L6 8s3> rf?0@jqp12.8q6[TN D'MeI}D3ee_ ٨с1Ky1i D+Tziy ",>&B&r!ޙ/OC DT.E.Y!<s\bsm=:Vf5|?UXc@T fkN%n3߸^rfh_~HxڭۂOAaC WH> }®?M k}b/_8k mpriCFFxS/ I 2g6#AIgly׳b,k秄3 6XW*VJ )< GQ$ġc])j}iK߯Ut ls4{t'y"h",F'W(Et6[v"-G}ېo(Zosp~OB|(2ҜYS6lmg0$ wBFzWFMHPC[ "ᤰ`h565+2Dg-z@DyUf窄a{1^/ΙBe7(x,d{}("Ow9ڄL*@F@}htXz> \)x:f"~b<].qдM"_{z uy|p# -ΤZ 0}n/&e+P# B6=@ $!6l"곧bg[ "sl /q򌙗CBFr,փxLmXBLxn?4D.n3s:Ɇ#ԏ :Y_f'PF_?܇ՄKbhnE[D~FuWi͌oj oy4rvbH^}٤F۾x6iKH'o% YL+[4&MNrd - s]gr ,DZhH+_^As=OIVِibַHbj#B\-|֭TSڧ'wȯ`.@&CYPX-wa|o@.S%u\^c0NNu :_VL˦T4Tށ38`FއTFsuL[ R+ RFPiOzX.&4wzIpY|5y$Оb;[lE:f 2(%Y:F!Qm<9_AHb8eK~w_VPJbP7gw._I{ڃHmg]Ѳ+w!VWNK5xΝ/*/C`ipnyNDЄܢvI3q플r\Wry,W=ǁi;d^U/|̪㣒l[%!ɵ o^jn #Oxkn7˖>I;;؞7Q/G-C1qzz@Pt,4oi,`b] }sּS9 )S%P` ?g0M%!=9\ ;BSs胴|TR?NuHĊW_C֕_Ztx72Mr lWxbM֒UmyguwC(Z.ZCm |OKz02x?B,sjҜ@:ܬœ-%>+B-J@wsk]4mfj!-,qhi"18((&[F:K]LިSgmp҃Q-D·ƫOO  i5P VX TݞOEƆ[B̲yэDBIּoIzR}6]~5O(q#+{K;MRM gT ^&xxJP %qJk}6 &y ©}捌P"AV&tM6/㻟5E3Yixԯk_Y4u-ދ$[fM@cԐ'Ҙ]zHU^+SRЇCt kytSsUKTĭ<S*Ja " LS@Ňfһ]}JF 1Z]5,Ɋc# YosT^+Dُ .4჉\ZEiֱWŘqe,;ȬKdے LBR1tdW$TY>tRָgwq/dS%%Kl_SG{TLn̩T"7NY;QRk&)E"9>brtL=jsbt>+9OE%QH6A_N{ZKP@T or3horKuf>`]^x#h0uM,_;ȅ\0O-U*|M՘Z:6 T _vBV6:ou yZƭ Hw\G<5T1} YZ