I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 broke. I need to downgrade but I do not have the mod_security-2.5.12-2.el6.x86_64 package. How do I obtain a copy to downgrade? Chad Harriman Principal Systems Engineer U.S. Senate Sergeant At Arms chad_harriman@saa.senate.gov (w) 202-224-1592 (c) 202-213-6413
Hi,
On Fri, Nov 6, 2015 at 1:25 PM, Harriman, Chad (SAA) < Chad_Harriman@saa.senate.gov> wrote:
I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 broke. I need to downgrade but I do not have the mod_security-2.5.12-2.el6.x86_64 package. How do I obtain a copy to downgrade?
I guess, you could rebuild EL5 package (it's 2.6.8 + security pacthes), rules for 2.5 should run fine with 2.6.x.
AFAIK, we don't keep the old version of the package in the repo.
Best regards.
-- Athmane
Yeah, the Koji build has been deleted as well: http://koji.fedoraproject.org/koji/buildinfo?buildID=242226
It would be a good idea to update your rules for 2.7. That mod_security-2.5.12-2.el6 build is over four years old and subject to several CVEs...
CVE-2013-5705 apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
CVE-2013-2765 The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header.
CVE-2013-1915 ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
CVE-2012-4528 The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.
CVE-2012-2751 ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.
- Ken
On Fri, Nov 6, 2015 at 9:02 AM, Athmane Madjoudj athmane@fedoraproject.org wrote:
Hi,
On Fri, Nov 6, 2015 at 1:25 PM, Harriman, Chad (SAA) Chad_Harriman@saa.senate.gov wrote:
I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 broke. I need to downgrade but I do not have the mod_security-2.5.12-2.el6.x86_64 package. How do I obtain a copy to downgrade?
I guess, you could rebuild EL5 package (it's 2.6.8 + security pacthes), rules for 2.5 should run fine with 2.6.x.
AFAIK, we don't keep the old version of the package in the repo.
Best regards.
-- Athmane
epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel
Am 06.11.2015 um 13:25 schrieb Harriman, Chad (SAA):
I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 broke. I need to downgrade but I do not have the mod_security-2.5.12-2.el6.x86_64 package. How do I obtain a copy to downgrade? Chad Harriman Principal Systems Engineer U.S. Senate Sergeant At Arms /chad_harriman@saa.senate.gov/ (w) 202-224-1592 (c) 202-213-6413
epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel
By rebuilding the package from commit c50316f2698149cea63cd08510321495c6ce1a29 in the el6 branch of the mod_security git repo.
I did that for you. I can understand if you don't trust me, but it takes me a lot more time to explain it than to do it.
If you like to, you can inspect the src.rpm file I built from that commit and build it in mock yourself or do it on COPR.
http://www.geofrogger.net/review/mod_security-debuginfo-2.5.12-2.el6.x86_64.... http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.x86_64.rpm http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.src.rpm
Greetings,
Volker
On 6 November 2015 at 21:08, Volker Fröhlich volker27@gmx.at wrote:
Am 06.11.2015 um 13:25 schrieb Harriman, Chad (SAA):
I have the repo for EPEL synced on my satellite server and the upgrade to 2.7 broke. I need to downgrade but I do not have the mod_security-2.5.12-2.el6.x86_64 package. How do I obtain a copy to downgrade? Chad Harriman Principal Systems Engineer U.S. Senate Sergeant At Arms /chad_harriman@saa.senate.gov/ (w) 202-224-1592 (c) 202-213-6413
epel-devel mailing list epel-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/epel-devel
By rebuilding the package from commit c50316f2698149cea63cd08510321495c6ce1a29 in the el6 branch of the mod_security git repo.
I did that for you. I can understand if you don't trust me, but it takes me a lot more time to explain it than to do it.
If you like to, you can inspect the src.rpm file I built from that commit and build it in mock yourself or do it on COPR.
http://www.geofrogger.net/review/mod_security-debuginfo-2.5.12-2.el6.x86_64.... http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.x86_64.rpm http://www.geofrogger.net/review/mod_security-2.5.12-2.el6.src.rpm
Do bear in mind the list of CVEs already provided before rolling this out however...
epel-devel@lists.fedoraproject.org
-
Athmane Madjoudj -
Harriman, Chad (SAA) -
James Hogarth -
Ken Dreyer -
Volker Fröhlich