From 3284fc29e19d316b826c11cd68d300e260240029 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@fedoraproject.org>
Date: Oct 17 2008 12:55:39 +0000
Subject: - new upstream release fixing bz #463459


---

diff --git a/.cvsignore b/.cvsignore
index d4c7ff3..f6f5e27 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,4 @@
 prelude-lml-0.9.8.1.tar.gz
 prelude-lml-0.9.11.tar.gz
 prelude-lml-0.9.13.tar.gz
+prelude-lml-0.9.14.tar.gz
diff --git a/prelude-lml-0.9.12-pie.patch b/prelude-lml-0.9.12-pie.patch
index 360038f..fa98eea 100644
--- a/prelude-lml-0.9.12-pie.patch
+++ b/prelude-lml-0.9.12-pie.patch
@@ -1,7 +1,7 @@
-diff -ur prelude-lml-0.9.12.2.orig/configure prelude-lml-0.9.12.2/configure
---- prelude-lml-0.9.12.2.orig/configure	2008-04-24 14:08:17.000000000 -0400
-+++ prelude-lml-0.9.12.2/configure	2008-04-24 15:25:29.000000000 -0400
-@@ -33196,7 +33196,7 @@
+diff -ur prelude-lml-0.9.14.orig/configure prelude-lml-0.9.14/configure
+--- prelude-lml-0.9.14.orig/configure	2008-10-17 08:11:23.000000000 -0400
++++ prelude-lml-0.9.14/configure	2008-10-17 08:51:22.000000000 -0400
+@@ -37812,7 +37812,7 @@
      #AC_LANG_PUSH([C])
  
      save_LDFLAGS="$LDFLAGS"
@@ -10,10 +10,11 @@ diff -ur prelude-lml-0.9.12.2.orig/configure prelude-lml-0.9.12.2/configure
      cat >conftest.$ac_ext <<_ACEOF
  
        /* confdefs.h.  */
-diff -ur prelude-lml-0.9.12.2.orig/plugins/pcre/Makefile.in prelude-lml-0.9.12.2/plugins/pcre/Makefile.in
---- prelude-lml-0.9.12.2.orig/plugins/pcre/Makefile.in	2008-04-24 14:08:17.000000000 -0400
-+++ prelude-lml-0.9.12.2/plugins/pcre/Makefile.in	2008-04-24 15:23:24.000000000 -0400
-@@ -155,7 +155,7 @@
+Only in prelude-lml-0.9.14: configure.orig
+diff -ur prelude-lml-0.9.14.orig/plugins/pcre/Makefile.in prelude-lml-0.9.14/plugins/pcre/Makefile.in
+--- prelude-lml-0.9.14.orig/plugins/pcre/Makefile.in	2008-10-17 08:11:29.000000000 -0400
++++ prelude-lml-0.9.14/plugins/pcre/Makefile.in	2008-10-17 08:51:22.000000000 -0400
+@@ -173,7 +173,7 @@
  BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@
  CC = @CC@
  CCDEPMODE = @CCDEPMODE@
@@ -22,15 +23,16 @@ diff -ur prelude-lml-0.9.12.2.orig/plugins/pcre/Makefile.in prelude-lml-0.9.12.2
  CPP = @CPP@
  CPPFLAGS = @CPPFLAGS@
  CXX = @CXX@
-diff -ur prelude-lml-0.9.12.2.orig/src/Makefile.in prelude-lml-0.9.12.2/src/Makefile.in
---- prelude-lml-0.9.12.2.orig/src/Makefile.in	2008-04-24 14:08:17.000000000 -0400
-+++ prelude-lml-0.9.12.2/src/Makefile.in	2008-04-24 15:24:31.000000000 -0400
-@@ -489,7 +489,7 @@
+Only in prelude-lml-0.9.14/plugins/pcre: Makefile.in.orig
+diff -ur prelude-lml-0.9.14.orig/src/Makefile.in prelude-lml-0.9.14/src/Makefile.in
+--- prelude-lml-0.9.14.orig/src/Makefile.in	2008-10-17 08:11:30.000000000 -0400
++++ prelude-lml-0.9.14/src/Makefile.in	2008-10-17 08:52:44.000000000 -0400
+@@ -592,7 +592,7 @@
  target_vendor = @target_vendor@
  SUBDIRS = include
- AM_CPPFLAGS = -I$(srcdir)/include/ -I$(top_srcdir)/libmissing @LIBPRELUDE_CFLAGS@ @PCRE_CFLAGS@ @FAM_CFLAGS@
+ AM_CPPFLAGS = -I$(srcdir)/include/ -I$(top_srcdir)/libmissing -I$(top_builddir)/libmissing -I$(top_srcdir)/libev @LIBPRELUDE_CFLAGS@ @PCRE_CFLAGS@
 -AM_CFLAGS = @GLOBAL_CFLAGS@
 +AM_CFLAGS = @GLOBAL_CFLAGS@ -fPIE -DPIE
- prelude_lml_LDADD = @LIBPRELUDE_LIBS@ @PCRE_LIBS@ @FAM_LIBS@ $(top_builddir)/libmissing/libmissing.la
- prelude_lml_LDFLAGS = @LIBPRELUDE_LDFLAGS@ @FAM_LDFLAGS@ -export-dynamic \
+ prelude_lml_LDADD = @LIBPRELUDE_LIBS@ @PCRE_LIBS@ $(top_builddir)/libev/libev.la $(top_builddir)/libmissing/libmissing.la
+ prelude_lml_LDFLAGS = @LIBPRELUDE_LDFLAGS@ -export-dynamic \
          "-dlopen" $(top_builddir)/plugins/debug/debug.la \
diff --git a/prelude-lml-0.9.13-modsecurity.patch b/prelude-lml-0.9.13-modsecurity.patch
deleted file mode 100644
index d765423..0000000
--- a/prelude-lml-0.9.13-modsecurity.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-diff -ur prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules
---- prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules	2008-10-11 14:30:01.000000000 -0400
-+++ prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules	2008-10-11 14:33:08.000000000 -0400
-@@ -20,7 +20,7 @@
- # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
- #
- #####
--# The rules developed using mod_security-2.1.6. 
-+# The rules developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6) 
- #####
- 
- # Here are some example log entries that should match against rules defined below:
-@@ -33,28 +33,120 @@
- # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "pNLe4woiIjEAAF4fLq0AAAAH"]
- # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY@woiIjEAAF4eLX8AAAAG"]
- 
--# 3160-3167
--regex=\[severity "(?:EMERGENCY|ALERT|CRITICAL|ERROR)"\]; \
-- id=3160; \
-+########################
-+
-+# Protocol violation
-+regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \
-+ id=3167; \
-+ classification.text=HTTP Protocol violation; \
-+ assessment.impact.severity=medium; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \ 
-+ chained; silent;
-+
-+# Protocol anomaly
-+regex=\[id "(960019|960008|960015|960009|960904|960017|960913)"\]; \
-+ id=3168; \
-+ classification.text=HTTP Protocol anomaly; \
-+ assessment.impact.severity=low; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+# Request limits
-+regex=\[id "(960335)"\]; \
-+ id=3169; \
-+ classification.text=HTTP Request limit exceeded; \
-+ assessment.impact.severity=high; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+# HTTP policy
-+regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \
-+ id=3170; \
-+ classification.text=HTTP policy violation; \
-+ assessment.impact.severity=high; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+# Bad robots
-+regex=\[id "(990002|990901|990902|990012|990011)"\]; \
-+ id=3171; \
-+ classification.text=Bad HTTP robot; \
-+ assessment.impact.severity=info; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+# Generic attacks
-+regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|950005|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \
-+ id=3172; \
-+ classification.text=Generic HTTP attack; \
-+ assessment.impact.severity=high; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+# Trojans
-+regex=\[id "(950921|950922)"\]; \
-+ id=3173; \
-+ classification.text=HTTP trojan; \
-  assessment.impact.severity=high; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+# Outbound
-+regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \
-+ id=3174; \
-+ classification.text=HTTP outbound policy violation; \
-+ assessment.impact.severity=high; \
-+ additional_data(1).type=integer; \   
-+ additional_data(1).meaning=ModSec Rule ID; \
-+ additional_data(1).data=$1; \
-+ chained; silent;
-+
-+#########################
-+
-+# 3160-3166
-+regex=\[file "([^"]+)"\]; \
-+ id=3160; \
-+ additional_data(>>).type=string; \
-+ additional_data(-1).meaning=ModSec Ruleset File; \
-+ additional_data(-1).data=$1; \
-  chained; silent; 
- 
--regex=\[severity "WARNING"\]; \
-+regex=\[line "(\d+)"\]; \
-  id=3161; \
-- assessment.impact.severity=medium; \
-+ additional_data(>>).type=integer; \
-+ additional_data(-1).meaning=ModSec Ruleset Line; \
-+ additional_data(-1).data=$1; \
-  chained; silent;
- 
--regex=\[severity "NOTICE"\]; \
-+regex=\[tag "(\S+)"\]; \
-  id=3162; \
-- assessment.impact.severity=low; \
-+ additional_data(>>).type=string; \
-+ additional_data(-1).meaning=ModSec Rule Tag; \
-+ additional_data(-1).data=$1; \
-  chained; silent; 
- 
--regex=\[severity "(?:INFO|DEBUG)"\]; \
-+regex=\[severity "(\S+)"\]; \
-  id=3163; \
-- assessment.impact.severity=info; \
-+ additional_data(>>).type=string; \
-+ additional_data(-1).meaning=ModSec Severity; \
-+ additional_data(-1).data=$1; \
-  chained; silent; 
- 
--regex=\[msg "([^"]+)"\]; \
-+regex=\[msg "([^"]+)"\]; optgoto=3167-3174; min-optgoto-match=1; \
-  id=3164; \
-  classification.reference(0).meaning=$1; \
-  classification.reference(0).origin=vendor-specific; \
-@@ -62,67 +154,89 @@
- 
- regex=\[hostname "(\S+)"\]; \
-  id=3165; \
-- target(0).node.address(1).address=$1; \
-- chained; silent;
--
--regex=\[id "(\d+)"\]; \
-- id=3166; \
-- additional_data(1).type=integer; \   
-- additional_data(1).meaning=ModSec Rule ID; \
-- additional_data(1).data=$1; \
-- classification.reference(0).name=$1; \
-+ target(0).node.address(0).address=$1; \
-  chained; silent;
- 
- regex=\[unique_id "(\S+)"\]; \
-- id=3167; \
-- additional_data(2).type=string; \
-- additional_data(2).meaning=Unique ID; \
-- additional_data(2).data=$1; \
-- chained; silent;
-+ id=3166; \
-+ additional_data(>>).type=string; \
-+ additional_data(-1).meaning=Unique ID; \
-+ additional_data(-1).data=$1; \
-+ chained; silent;
-+
-+#regex=\[id "(\d+)"\]; \
-+# id=3166; \
-+# additional_data(1).type=integer; \   
-+# additional_data(1).meaning=ModSec Rule ID; \
-+# additional_data(1).data=$1; \
-+# classification.reference(0).name=$1; \
-+# chained; silent;
-+#########################
- 
--# 3120-3121;
--regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3167; \
-+# 3120-3125
-+regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3166; \
-  id=3120; \
-  assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
-  chained; silent; 
- 
--regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3167; \
-+regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3166; \
-  id=3121; \
-  assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
-  chained; silent;
- 
--regex=Pattern match "(.+)" at (\S+)\.; optgoto=3160-3167; \
-+regex=Pattern match "(.+)" at (.+?)\.; optgoto=3160-3166; \
-  id=3122; \
-  assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
-  chained; silent;  
- 
-+regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; optgoto=3160-3166; \
-+ id=3123; \
-+ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
-+ chained; silent;
-+
-+regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; optgoto=3160-3166; \
-+ id=3124; \
-+ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \
-+ chained; silent;
-+
-+regex=Found (\d+) byte\(s\) outside range: (\S+)\.; optgoto=3160-3166; \
-+ id=3125; \
-+ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \
-+ chained; silent;
-+
- # 3130-3133; Access denied + ...
--regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3122; \
-+regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3125; \
-  id=3130; \
-  assessment.action(0).category = block-installed; \
-  assessment.action(0).description = Access was blocked with HTTP response code $1.; \
-  chained; silent;  
- 
--regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3122; \
-+regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3125; \
-  id=3131; \
-  assessment.action(0).category = block-installed; \
-  assessment.action(0).description = Access was denied using proxy to $2.; \
-  chained; silent; 
- 
--regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3122; \
-+regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3125; \
-  id=3132; \
-  assessment.action(0).category = block-installed; \
-  assessment.action(0).description = Access was redirected to $1.; \
-  chained; silent;
-  
--regex=with connection close \(phase (\d+)\).; optgoto=3120-3122; \
-+regex=with connection close \(phase (\d+)\).; optgoto=3120-3125; \
-  id=3133; \
-  assessment.action(0).category = block-installed; \
-  assessment.action(0).description = Connection was closed.; \
-  chained; silent;
- 
-+# Output filter
-+regex=Response body too large \(over limit of (\d+)(.+?)\)\.; optgoto=3160-3166; \
-+ id=3150; \
-+ assessment.impact.description=Response body too large (over limit of $1$2); \
-+ chained; silent;
-+
- # 3100-3102
--regex=Warning\.; optgoto=3120-3121; \
-+regex=Warning\.; optgoto=3120-3125; \
-  id=3101; \
-  classification.text=HTTP Warning.; \
-  assessment.impact.completion=succeeded; \
-@@ -134,7 +248,14 @@
-  assessment.impact.completion=failed; \
-  chained; silent;
- 
--regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3102; \
-+regex=Output filter:; optgoto=3150; \
-+ id=3103; \
-+ classification.text=HTTP Output filer error; \
-+ assessment.impact.completion=failed; \
-+ assessment.impact.severity=high; \
-+ chained; silent;
-+
-+regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3103; \
-  id=3100; \
-  analyzer(0).name=ModSecurity; \
-  analyzer(0).manufacturer=www.modsecurity.org; \
diff --git a/prelude-lml.spec b/prelude-lml.spec
index 13818e0..1bfbaaf 100644
--- a/prelude-lml.spec
+++ b/prelude-lml.spec
@@ -1,6 +1,6 @@
 Name:		prelude-lml           
-Version:	0.9.13
-Release:	2%{?dist}
+Version:	0.9.14
+Release:	1%{?dist}
 Summary:	The prelude log analyzer
 
 Group:		System Environment/Libraries
@@ -9,7 +9,6 @@ URL:		http://prelude-ids.org/
 Source0:	http://www.prelude-ids.org/download/releases/%{name}/%{name}-%{version}.tar.gz
 Source1:        prelude-lml.init
 Patch1:		prelude-lml-0.9.12-pie.patch
-Patch2:		prelude-lml-0.9.13-modsecurity.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:	gamin-devel, libprelude-devel, pcre-devel  
@@ -45,7 +44,6 @@ sensor.
 %prep
 %setup -q
 %patch1 -p1
-%patch2 -p1
 sed -i.debug -e '/nlist/s|\$rm|: $rm|' ltmain.sh
 
 
@@ -113,6 +111,9 @@ fi
 
 
 %changelog
+* Fri Oct 17 2008 Steve Grubb <sgrubb@redhat.com> 0.9.14-1
+- new upstream release fixing bz #463459
+
 * Sat Oct 11 2008 Steve Grubb <sgrubb@redhat.com> 0.9.13-2
 - improved mod_security rules
 
diff --git a/sources b/sources
index d83ff09..0906ff2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-310649089740e93916af60840e405928  prelude-lml-0.9.13.tar.gz
+e95c1e4c6a8f4196d87121914a4683e6  prelude-lml-0.9.14.tar.gz