Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 193780

Summary: www-apache/mod_security-2.1.3 version bump
Product: Gentoo Linux Reporter: lou <whitehatcheck>
Component: New packagesAssignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: RESOLVED FIXED    
Severity: enhancement CC: chtekk
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description lou 2007-09-25 18:36:53 UTC 
mod_security-2.1.3 is now available (9/12/2007). Can we have that in portage some time soon. It addresses a few problems that I might be experiencing with 2.1.2

Here is additional information on it:
Enhancements to Multipart Form Request Handling

The multipart form request parsing code was updated and variables were added to allow checking for various parsing issues (request body abnormalities). This allows for checking the format of multipart form data submitted by the client. If the parser notices an abnormality, then the MULTIPART_STRICT_ERROR variable will be set. Even more granularity can be checked by looking at other MULTIPART_* variables. See the doumentation on the MULTIPART_STRICT_ERROR variable for further information and a usage example.
Fixed Custom Error Documents

There was a regression in 2.1.2 that was causing custom error document requests which used an internal redirect to be blocked by ModSecurity if ModSecurity had previously blocked the request. In the 2.1.3 release, error documents via internal redirects are allowed and the ErrorDocument Apache directive can again be used to serve a custom error document for ModSecurity blocked requests.

Reproducible: Always
Comment 1 lou 2007-10-16 03:05:56 UTC 
Can we add mod_security-2.1.4 to portage? This was just released, but addresses a problem that I affects me. The problem is how mod_security handles subrequests. I was experience segfaults with 2.1.2 if users were using a proxy server and submitting a multipart/form-data form without providing a upload file (ie: modifying a entry).

Full details and patch were presented at Uno-Code.com
http://www.uno-code.com/?q=node/114

Here are the details of the changes in 2.1.4

1) ModSecurity no longer handles Apache httpd sub-requests.
Sub-requests have been an issue for some people when using third-party
modules as well as core modules for caching and compressing.  In 2.5.0 I
have removed sub-request support and chose to backport this in 2.1.4 to
eliminate these issues until 2.5 is ready.

2) A false positive was recently found in parsing the multipart boundary
header for multiple boundaries when using the Safari browser to upload
files.  This is fixed in this release.

Thanks!
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2007-10-21 12:35:29 UTC 
2.1.4_rc1 in cvs