Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
On Thu, Nov 10, 2016 at 03:38:12PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Wed, 2016-11-02 at 12:51 +0100, Alberto Gonzalez Iniesta wrote:
> > I was asked to update modsecurity-crs in Jessie in order to fix #838009.
> > The fix is trivial [1] and was uploaded to unstable a while ago [2],
>
> The BTS's metadata disagrees on that.
>
> > but
> > I'm not sure if it deserves an upload to stable. What's your opinion on
> > it?
>
> If the description in the bug log is accurate, and enabling the
> configuration as shipped breaks Apache, then I think it's worth fixing.
> We'd need to see a debdiff of a proposed package built and tested on
> jessie before confirming however.
>
Please find attached the debdiff for the fixed package.
Thanks,
Alberto
--
Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-2.2.9/debian/changelog modsecurity-crs-2.2.9/debian/changelog
--- modsecurity-crs-2.2.9/debian/changelog 2016-11-17 11:19:17.000000000 +0100
+++ modsecurity-crs-2.2.9/debian/changelog 2014-09-23 13:22:21.000000000 +0200
@@ -1,10 +1,3 @@
-modsecurity-crs (2.2.9-1+deb8u1) stable; urgency=medium
-
- * Fix typo in modsecurity_crs_16_session_hijacking.conf.
- (Closes: #838009)
-
- -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 17 Nov 2016 11:18:03 +0100
-
modsecurity-crs (2.2.9-1) unstable; urgency=medium
* New upstream version
diff -Nru modsecurity-crs-2.2.9/debian/patches/fix_838009.patch modsecurity-crs-2.2.9/debian/patches/fix_838009.patch
--- modsecurity-crs-2.2.9/debian/patches/fix_838009.patch 2016-11-17 11:13:04.000000000 +0100
+++ modsecurity-crs-2.2.9/debian/patches/fix_838009.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
-Index: modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
-===================================================================
---- modsecurity-crs.orig/optional_rules/modsecurity_crs_16_session_hijacking.conf
-+++ modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
-@@ -46,7 +46,7 @@ SecRule RESPONSE_HEADERS:/Set-Cookie2?/
-
- SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981063',nolog,pass,t:none"
- SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,nolog,capture,t:none"
-- SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
-+ SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
-
- SecRule &SESSION:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
- SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
diff -Nru modsecurity-crs-2.2.9/debian/patches/series modsecurity-crs-2.2.9/debian/patches/series
--- modsecurity-crs-2.2.9/debian/patches/series 2016-11-17 11:14:55.000000000 +0100
+++ modsecurity-crs-2.2.9/debian/patches/series 2013-07-12 11:24:40.000000000 +0200
@@ -3,4 +3,3 @@
GeoLiteCity_path.patch
lua_path.patch
perl_path.patch
-fix_838009.patch
Reply to: