6 changed files with 80 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/v3.3.4.tar.gz
+SOURCES/v3.3.5.tar.gz
--- a/.mod_security_crs.metadata
+++ b/.mod_security_crs.metadata
@ -1 +1 @@
-821796a48bbedd1a0d962614ef473625da85feae SOURCES/v3.3.4.tar.gz
+b552005471446a4a2454a6b6ee7e65f864219ce0 SOURCES/v3.3.5.tar.gz
--- a/SOURCES/mod_security_crs-early-blocking.patch
+++ b/SOURCES/mod_security_crs-early-blocking.patch
@ -1,5 +1,5 @@
 diff --git a/crs-setup.conf.example b/crs-setup.conf.example
-index b443e77..0fdd5cb 100644
+index e0b1d9c..cc2f97c 100644
 --- a/crs-setup.conf.example
 +++ b/crs-setup.conf.example
@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
@ -57,11 +57,11 @@ index b443e77..0fdd5cb 100644
 #
 # Some well-known applications may undertake actions that appear to be
 diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
-index 5044abd..06a1bb3 100644
+index 27fd54a..2095bf7 100644
 --- a/rules/REQUEST-901-INITIALIZATION.conf
 +++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
-     ver:'OWASP_CRS/3.3.4',\
+     ver:'OWASP_CRS/3.3.5',\
     setvar:'tx.outbound_anomaly_score_threshold=4'"
 
 +# Default Blocking Early (rule 900120 in setup.conf)
@ -77,7 +77,7 @@ index 5044abd..06a1bb3 100644
 SecRule &TX:paranoia_level "@eq 0" \
     "id:901120,\
 diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
-index 050eb04..755315f 100644
+index 9ee4a8d..c5e4604 100644
 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
 +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -12,7 +12,66 @@
@ -171,7 +171,7 @@ index 050eb04..755315f 100644
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
-index 13013de..bf9b03d 100644
+index 0b6f832..5c61674 100644
 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
 +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
@ -184,7 +184,7 @@ index 13013de..bf9b03d 100644
     capture,\
     t:none,\
 diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
-index 24130eb..549c07c 100644
+index 689cc94..e30ce13 100644
 --- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 +++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -22,7 +22,67 @@
@ -257,7 +257,7 @@ index 24130eb..549c07c 100644
 # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
 # So we add to it.
@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
-     ver:'OWASP_CRS/3.3.4',\
+     ver:'OWASP_CRS/3.3.5',\
     setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
 
 +SecRule TX:BLOCKING_EARLY "@eq 1" \
--- a/SOURCES/mod_security_crs-rule-913100-req-scanner-detection.patch
+++ b/SOURCES/mod_security_crs-rule-913100-req-scanner-detection.patch
@ -0,0 +1,29 @@
+diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
+index 6e12d08..6be0b67 100644
+--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
+@@ -31,6 +31,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
+ # 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
+ # 913102 - web crawlers/bots (data file crawlers-user-agents.data)
+ #
+# Chained rule is doing whitelist for YUM package manager of CentOS / Fedore.
+ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+     "id:913100,\
+     phase:2,\
+@@ -49,10 +50,12 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+     tag:'PCI/6.5.10',\
+     ver:'OWASP_CRS/3.3.5',\
+     severity:'CRITICAL',\
+-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+-    setvar:'ip.reput_block_flag=1',\
+-    setvar:'ip.reput_block_reason=%{rule.msg}',\
+-    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+    chain"
+    SecRule MATCHED_VARS "!@rx ^urlgrabber/[0-9\.]+ yum/[0-9\.]+$" \
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+        setvar:'ip.reput_block_flag=1',\
+        setvar:'ip.reput_block_reason=%{rule.msg}',\
+        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+ 
+ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
+     "id:913110,\
--- a/SOURCES/mod_security_crs-rule-941310-dont-match-japanese-word.patch
+++ b/SOURCES/mod_security_crs-rule-941310-dont-match-japanese-word.patch
@ -0,0 +1,18 @@
+diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+index 3b2376b..504eb26 100644
+--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+@@ -543,8 +543,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
+     ctl:auditLogParts=+E,\
+     ver:'OWASP_CRS/3.3.5',\
+     severity:'CRITICAL',\
+-    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    chain"
+        SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx [^\xe4]\xbc[^\x9a][^\xbe>]*[^\xe7][^\xa4][\xbe>]|<[^\xbe]*[^\xe7][^\xa4]\xbe" \
+        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ 
+ #
+ # https://nedbatchelder.com/blog/200704/xss_with_utf7.html
--- a/SPECS/mod_security_crs.spec
+++ b/SPECS/mod_security_crs.spec
@ -1,6 +1,6 @@
 Summary: ModSecurity Rules
 Name: mod_security_crs
-Version: 3.3.4
+Version: 3.3.5
 Release: 1%{?dist}
 License: ASL 2.0
 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
@ -9,13 +9,19 @@ BuildArch: noarch
 Requires: mod_security >= 2.9.6
 Obsoletes: mod_security_crs-extras < 3.0.0
 Patch0: mod_security_crs-early-blocking.patch
+# https://issues.redhat.com/browse/RHEL-16358
+Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
+# https://issues.redhat.com/browse/RHEL-22733
+Patch2: mod_security_crs-rule-913100-req-scanner-detection.patch

 %description
 This package provides the base rules for mod_security.

 %prep
 %setup -q -n coreruleset-%{version}
-%patch0 -p1 -b.early_blocking
+%patch0 -p1 -b .early_blocking
+%patch1 -p1 -b .rule_941310
+%patch2 -p1 -b .rule_913100

 %build

@ -42,12 +48,27 @@ done

 %files
 %license LICENSE
-%doc CHANGES README.md
+%doc CHANGES.md README.md
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
 %{_datarootdir}/mod_modsecurity_crs

 %changelog
+* Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.5-1
+- Resolves: RHEL-32964 - new version 3.3.5
+
+* Fri Feb 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3
+- Resolves: #RHEL-22733 - mod_security_crs - The rule id:913100 in the
+  REQUEST-913-SCANNER-DETECTION.conf blocks requests  with "User-agent:
+  urlgrabber/3.10 yum/3.4.3"
+
+* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
+- Resolves: RHEL-16358 - A form data, "会社"(Company in Japanese) is forbade
+  with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs
+
+* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 3.3.4-1
+- Rebuilt for MSVSphere 9.2 beta
+
 * Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
 - new version 3.3.4
 - Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x