modsecurity-3.0.10-bp154.2.3.1

Name: modsecurity
Version: 3.0.10
Release: bp154.2.3.1
Summary: Web application firewall engine
Description: ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
Build host: i04-ch2d
Distribution: SUSE Linux Enterprise 15
Vendor: openSUSE
License: BSD-2-Clause
Packager: http://bugs.opensuse.org
Group: Productivity/Networking/Security
URL: https://www.modsecurity.org/
OS: linux
Architecture: x86_64
Source RPM: modsecurity-3.0.10-bp154.2.3.1.src.rpm
RPM version: 4.14.3
Cookie: i04-ch2d 1694076064

Provides:
  modsecurity
  modsecurity(x86-64)

Requires:
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.14)(64bit)
  libc.so.6(GLIBC_2.2.5)(64bit)
  libc.so.6(GLIBC_2.4)(64bit)
  libgcc_s.so.1()(64bit)
  libgcc_s.so.1(GCC_3.0)(64bit)
  libmodsecurity.so.3()(64bit)
  libstdc++.so.6()(64bit)
  libstdc++.so.6(CXXABI_1.3)(64bit)
  libstdc++.so.6(GLIBCXX_3.4)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.11)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.21)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.9)(64bit)
  rpmlib(CompressedFileNames) 3.0.4-1
  rpmlib(FileDigests) 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) 4.0-1
  rpmlib(PayloadIsXz) 5.2-1

Files:
  /usr/bin/modsec-rules-check (ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fe2a9df4c110201a089891475005719d1c90c1a8, for GNU/Linux 3.2.0, not stripped)
  /usr/share/licenses/modsecurity (directory)
  /usr/share/licenses/modsecurity/LICENSE (ASCII text)

Compiler flags: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection
Dist URL: obs://build.opensuse.org/openSUSE:Maintenance:18063/openSUSE_Backports_SLE-15-SP4_Update/e42d5000c111612c7daea99c07461d89-modsecurity.openSUSE_Backports_SLE-15-SP4_Update
Payload: cpio, xz compression, level 5
Platform: x86_64-suse-linux

Changelog authors, in the order listed in the header: David Anes, Danilo Spinella, Michael Ströder, Georg Pfuetzenreuter, Ferdinand Thiessen, Dirk Mueller, jengelh@inai.de, mrostecki@suse.com, mrostecki@suse.com, mrostecki@suse.com

Changelog:

- Update to version 3.0.10:
  * Security impacting issue (fix bsc#1213702, CVE-2023-38285)
    - Fix: worst-case time in implementation of four transformations
    - Additional information on this issue is available at
      https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
  * Enhancements and bug fixes
    - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
    - Make MULTIPART_PART_HEADERS accessible to lua
    - Fix: Lua scripts cannot read whole collection at once
    - Fix: quoted Include config with wildcard
    - Support isolated PCRE match limits
    - Fix: meta actions not applied if multiMatch in first rule of chain
    - Fix: audit log may omit tags when multiMatch
    - Exclude CRLF from MULTIPART_PART_HEADER value
    - Configure: use AS_ECHO_N instead echo -n
    - Adjust position of memset from 2890

- Update to version 3.0.9:
  * Add some member variable inits in Transaction class (possible segfault)
  * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  * Resolve memory leak on reload (bison-generated variable)
  * Support equals sign in XPath expressions
  * Encode two special chars in error.log output
  * Add JIT support for PCRE2
  * Support comments in ipMatchFromFile file via '#' token
  * Use name package name libmaxminddb with pkg-config
  * Fix: FILES_TMP_CONTENT collection key should use part name
  * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  * During configure, do not check for pcre if pcre2 specified
  * Use pkg-config to find libxml2 first
  * Fix two rule-reload memory leak issues
  * Correct whitespace handling for Include directive
- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, bsc#1210993

- Update to version 3.0.8
  * Adjust parser activation rules in modsecurity.conf-recommended [#2796]
  * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
  * Prevent LMDB related segfault [#2755, #2761]
  * Fix msc_transaction_cleanup function comment typo [#2788]
  * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
  * Restore Unique_id to include random portion after timestamp [#2752, #2758]

- Update to version 3.0.7
  * Support PCRE2
  * Support SecRequestBodyNoFilesLimit
  * Add ctl:auditEngine action support
  * Move PCRE2 match block from member variable
  * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  * Fix memory leak when concurrent log includes REMOTE_USER
  * Fix LMDB initialization issues
  * Fix initcol error message wording
  * Tolerate other parameters after boundary in multipart C-T
  * Add DebugLog message for bad pattern in rx operator
  * Fix misuses of LMDB API
  * Fix duplication typo in code comment
  * Fix multiMatch msg, etc, population in audit log
  * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  * Adjust confusing variable name in setRequestBody method
  * Multipart names/filenames may include single quote if double-quote enclosed
  * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

- Update to version 3.0.6
  * Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717
- Update to version 3.0.5
  * New: Having ARGS_NAMES, variables proxied
  * Fix: FILES variable does not use multipart part name for key
  * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
  * Support configurable limit on number of arguments processed
  * Adds support to lua 5.4
  * Add support for new operator rxGlobal
  * Fix: Replaces put with setenv in SetEnv action
  * Fix: Regex key selection should not be case-sensitive
  * Fix: Only delete Multipart tmp files after rules have run
  * Fixed MatchedVar on chained rules
  * Fix IP address logging in Section A
  * Fix: rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars
  * Fix rule-update-target for non-regex
  * Fix Security Impacting Issues:
  * Handle URI received with uri-fragment, CVE-2020-15598

- add baselibs, fix packaging (install into %_libdir)
- update to 3.0.4:
  - Fix: audit log data omitted when nolog,auditlog
  - Fix: ModSecurity 3.x inspectFile operator does not pass
  - XML: Remove error messages from stderr
  - Filter comment or blank line for pmFromFile operator
  - Additional adjustment to Cookie header parsing
  - Restore chained rule part H logging to be more like 2.9 behaviour
  - Small fixes in log messages to help debugging the file upload
  - Fix Cookie header parsing issues
  - Fix rules with nolog are logging to part H
  - Fix argument key-value pair parsing cases
  - Fix: audit log part for response body for JSON format to be E
  - Make sure m_rulesMessages is filled after successful match
  - Fix @pm lookup for possible matches on offset zero.
  - Regex lookup on the key name instead of COLLECTION:key
  - Missing throw in Operator::instantiate
  - Making block action execution dependent of the SecEngine status
  - Making block action execution dependent of the SecEngine status
  - Having body limits to respect the rule engine state
  - Fix SecRuleUpdateTargetById does not match regular expressions
  - Adds missing check for runtime ctl:ruleRemoveByTag
  - Adds a new operator verifySVNR that checks for Austrian social security numbers.
  - Fix variables output in debug logs
  - Correct typo validade in log output
  - fix/minor: Error encoding hexa decimal.
  - Limit more log variables to 200 characters.
  - parser: fix parsed file names
  - Allow empty anchored variable
  - Fixed FILES_NAMES collection after the end of multipart parsing
  - Fixed validateByteRange parsing method
  - Removes a memory leak on the JSON parser
  - Enables LMDB on the regression tests.
  - Fix: Extra whitespace in some configuration directives causing error
  - Refactoring on Regex and SMatch classes.
  - Fixed buffer overflow in Utils::Md5::hexdigest()
  - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  - Adds initially support to the drop action.
  - Complete merging of particular rule properties
  - Replaces AC_CHECK_FILE with 'test -f'
  - Fix inet addr handling on 64 bit big endian systems
  - Fix tests on FreeBSD
  - Changes ENV test case to read the default MODSECURTIY env var
  - Regression: Sets MODSECURITY env var during the tests execution
  - Fix setenv action to strdup key=variable
  - Allow 0 length JSON requests.
  - Fix "make dist" target to include default configuration
  - Replaced log locking using mutex with fcntl lock
  - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
  - Adds support to multiple ranges in ctl:ruleRemoveById
  - Rule variable interpolation broken
  - Make the boundary check less strict as per RFC2046
  - Fix buffer size for utf8toUnicode transformation
  - Fix double macros bug
  - Override the default status code if not suitable to redirect action
  - parser: Fix the support for CRLF configuration files
  - Organizes the server logs
  - m_lineNumber in Rule not mapping with the correct line number in file
  - Using shared_ptr instead of unique_ptr on rules exceptions
  - Changes debuglogs schema to avoid unnecessary str allocation
  - Fix the SecUnicodeMapFile and SecUnicodeCodePage
  - Changes the timing to save the rule message
  - Fix crash in msc_rules_add_file() when using disruptive action in chain
  - Fix memory leak in AuditLog::init()
  - Fix RulesProperties::appendRules()
  - Fix RULE lookup in chained rules
  - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
  - Using values after transformation at MATCHED_VARS
  - Adds support to UpdateActionById.
  - Add correct C function prototypes for msc_init and msc_create_rule_set
  - Allow LuaJIT 2.1 to be used
  - Match m_id JSON log with RuleMessage and v2 format
  - Adds support to setenv action.
  - Adds new transaction constructor that accepts the transaction id as parameter.
  - Adds request IDs and URIs to the debug log
  - Treating variables exception on load-time instead of run time.
  - Fix: function m.setvar in Lua scripts and add testcases
  - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
  - Fix OpenBSD build
  - Fix parser to support GeoLookup with MaxMind
  - parser: Fix simple quote setvar in the end of the line
  - Fix pc file
  - modsec_rules_check: uses the gnu `.la' instead of `.a' file
  - good practices: Initialize variables before use it
  - Fix utf-8 character encoding conversion
  - Adds support for ctl:requestBodyProcessor=URLENCODED
  - Add LUA compatibility for CentOS and try to use LuaJIT first if available
  - Allow LuaJIT to be used
  - Implement support for Lua 5.1
  - Variable names must match fully, not partially. Match should be case insensitive.
  - Improves the performance while loading the rules
  - Allow empty strings to be evaluated by regex::searchAll
  - Adds basic pkg-config info
  - Fixed LMDB collection errors
  - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
  - Fix ip tree lookup on netmask content
  - Changes the behavior of the default sec actions
  - Refactoring on {global,ip,resources,session,tx,user} collections
  - Fix race condition in UniqueId::uniqueId()
  - Fix memory leak in error message for msc_rules_merge C APIs
  - Return false in SharedFiles::open() when an error happens
  - Use rvalue reference in ModSecurity::serverLog
  - Build System: Fix when multiple lines for curl version.
  - Checks if response body inspection is enabled before process it
  - Code Cleanup.
  - Fix setvar parsing of quoted data
  - Fix LDFLAGS for unit tests.
  - Adds time stamp back to the audit logs
  - Disables skip counter if debug log is disabled
  - Cosmetics: Represents amount of skipped rules without decimal
  - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
  - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
  - Fix memory leak in modsecurity::utils::expandEnv()
  - Initialize m_dtd member in ValidateDTD class as NULL
  - Fix broken @detectxss operator regression test case
  - Fix utils::string::ssplit() to handle delimiter in the end of string
  - Fix variable FILES_TMPNAMES
  - Fix memory leak in Collections
  - Fix lib version information while generating the .so file
  - Adds support for ctl:ruleRemoveByTag
  - Fix SecUploadDir configuration merge
  - Include all prerequisites for "make check" into dist archive
  - Fix: Reverse logic of checking output in @inspectFile
  - Adds support to libMaxMind
  - Adds capture action to detectXSS
  - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
  - Adds capture action to detectSQLi
  - Adds capture action to rbl
  - Adds capture action to verifyCC
  - Adds capture action to verifySSN
  - Adds capture action to verifyCPF
  - Prettier error messages for unsupported configurations (UX)
  - Add missing verify*** transformation statements to parser
  - Fix a set of compilation warnings
  - Check for disruptive action on SecDefaultAction.
  - Fix block-block infinite loop.
  - Correction remove_by_tag and remove_by_msg logic.
  - Fix LMDB compile error
  - Fix msc_who_am_i() to return pointer to a valid C string
  - Added some cosmetics to autoconf related code
  - Fix "make dist" target to include necessary headers for Lua
  - Fix "include /foo/*.conf" for single matched object in directory
  - Add missing Base64 transformation statements to parser
  - Fixed resource load on ip match from file
  - Fixed examples compilation while using disable-shared
  - Fixed compilation issue while xml is disabled
  - Having LDADD and LDFLAGS organized on Makefile.am
  - Checking std::deque size before use it
  - perf improvement: Added the concept of RunTimeString and removed all run time parser.
  - perf improvement: Checks debuglog level before format debug msg
  - perf. improvement/rx: Only compute dynamic regex in case of macro
  - Fix uri on the benchmark utility
  - disable Lua on systems with liblua5.1

- Remove rhetoric part from descriptions.

- Remove libltdl7 from build dependencies

- Make use of %license macro
- Make use of %{version} variable
- Sort dependencies alphabetically

- Initial release