summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Orlitzky <mjo@gentoo.org>2017-05-07 21:43:42 -0400
committerMichael Orlitzky <mjo@gentoo.org>2017-05-07 21:43:59 -0400
commit15381ae65d3f18a94bc800fa5d049c83f533043e (patch)
tree7b9b83d52d8b25924ee16c66e5013a06e30c72fd /www-apache
parentdev-db/mysql: Drop security vulnerable versions for the 5.5 series (diff)
downloadgentoo-15381ae65d3f18a94bc800fa5d049c83f533043e.tar.gz
gentoo-15381ae65d3f18a94bc800fa5d049c83f533043e.tar.bz2
gentoo-15381ae65d3f18a94bc800fa5d049c83f533043e.zip
www-apache/mod_security: new version 2.9.1 to fix some bugs.
There are a few important changes in this version. First, there is a new USE flag "mlogc" for the audit log collector. USE=curl was too confusing. Oh, and it actually installs the log collector files now. Next, I've moved the SecDataDir under /var/lib to eliminate a QA warning. That's a better place for it anyway, because it doesn't hold cached data (we have no way to recreate the stuff if it disappears). I've dropped the code that enables/disables the GeoIP stuff in the configuration file. We don't need to sed our users' configurations based on USE flags: they'll set it to what they want, and we should leave it that way. The flag is still there to pull in the geoip libs. The configuration file is named 79_mod_security.conf now, for consistency. There are two completely new flags, USE=json and USE=fuzzyhash to enable new upstream features. Some missing dependencies were added, and the docs are being built with doxygen for now. The following users submitted code and/or suggestions that I've used. Thanks guys! * Chris Frederick * Graham E * Leho Kraav * Mario D. Santana Gentoo-Bug: 518828 Gentoo-Bug: 594720 Gentoo-Bug: 605496 Gentoo-Bug: 615294 Package-Manager: Portage-2.3.3, Repoman-2.3.1
Diffstat (limited to 'www-apache')
-rw-r--r--www-apache/mod_security/Manifest1
-rw-r--r--www-apache/mod_security/files/79_mod_security.conf11
-rw-r--r--www-apache/mod_security/metadata.xml27
-rw-r--r--www-apache/mod_security/mod_security-2.9.1.ebuild103
4 files changed, 134 insertions, 8 deletions
diff --git a/www-apache/mod_security/Manifest b/www-apache/mod_security/Manifest
index d2a730c64101..87fdeecacaa6 100644
--- a/www-apache/mod_security/Manifest
+++ b/www-apache/mod_security/Manifest
@@ -1 +1,2 @@
+DIST modsecurity-2.9.1.tar.gz 4261212 SHA256 958cc5a7a7430f93fac0fd6f8b9aa92fc1801efce0cda797d6029d44080a9b24 SHA512 374733cbfc26e53d95b78c8f268a4e465d838163e9893fc24e33a9d272b114f1b287147bab6d0289575074cbbd94f48983e23fa59832cbcb32950046cea59269 WHIRLPOOL 5f41bebf032f8a269412d104b7632a06af4d4c495658c9cd1ebf69b82c10ce1bbcb34b9dd159a7b00e57348714a5e93ad3db19701dda51479accd3a9dc79a9cb
DIST modsecurity-apache_2.7.7.tar.gz 1003835 SHA256 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b SHA512 859f72580b6acaae5db180f98ee32ad2cb0f3ef24321d0c2df20ddd9fcfbc6c09c98b672012dc4931a6fd14f3c21c38ed31ab8900940382fcb48b37f30005a7d WHIRLPOOL e70f09c6bf640733696e6c544b4e37702ab05b043bdf07266a081316620986e976d2dcf8c1552380e846132473718b3ae7f0cadd18953b08b22bef5de3a5b455
diff --git a/www-apache/mod_security/files/79_mod_security.conf b/www-apache/mod_security/files/79_mod_security.conf
new file mode 100644
index 000000000000..bd88e88a9771
--- /dev/null
+++ b/www-apache/mod_security/files/79_mod_security.conf
@@ -0,0 +1,11 @@
+<IfDefine SECURITY>
+ LoadModule security2_module modules/mod_security2.so
+ SecDataDir /var/lib/modsecurity
+
+ # Enable looking up geolocation data from MaxMind's GeoIP database
+ # SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
+
+ # Define here your http:BL API key if any
+ # see http://www.projecthoneypot.org/httpbl_api.php
+ #SecHttpBlKey xxxxxxxx
+</IfDefine>
diff --git a/www-apache/mod_security/metadata.xml b/www-apache/mod_security/metadata.xml
index 0b434d6c669a..1a8e39a420e5 100644
--- a/www-apache/mod_security/metadata.xml
+++ b/www-apache/mod_security/metadata.xml
@@ -2,16 +2,14 @@
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<use>
- <flag name="geoip">
- Configure ModSecurity to query the GeoIP database from MaxMind,
- provided by <pkg>dev-libs/geoip</pkg>. This flag only controls
- the default configuration, as the GeoIP query code is part of
- ModSecurity's source code.
+ <flag name="fuzzyhash">
+ Support fuzzy hash computations (to detect malware, for example)
+ using the <pkg>app-crypt/ssdeep</pkg> package.
</flag>
- <flag name="curl">
- Build the ModSecurity Audit Log Collector (mlogc) that depends
- on <pkg>net-misc/curl</pkg>.
+ <flag name="geoip">
+ Pull in <pkg>dev-libs/geoip</pkg> for use by the SecGeoLookupDb
+ directive.
</flag>
<flag name="jit">
@@ -19,5 +17,18 @@
by <pkg>dev-libs/libpcre</pkg> with jit USE flag enabled. Might
not be available on hardened systems.
</flag>
+
+ <flag name="json">
+ Suppose JSON in the request body parser through
+ <pkg>dev-libs/yajl</pkg>.
+ </flag>
+
+ <flag name="mlogc">
+ Build and install the ModSecurity Audit Log Collector (mlogc).
+ </flag>
</use>
+
+ <upstream>
+ <remote-id type="github">SpiderLabs/ModSecurity</remote-id>
+ </upstream>
</pkgmetadata>
diff --git a/www-apache/mod_security/mod_security-2.9.1.ebuild b/www-apache/mod_security/mod_security-2.9.1.ebuild
new file mode 100644
index 000000000000..c444dd2ecf3c
--- /dev/null
+++ b/www-apache/mod_security/mod_security-2.9.1.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit apache-module
+
+MY_PN=modsecurity
+MY_P=${MY_PN}-${PV}
+
+DESCRIPTION="Application firewall and intrusion detection for Apache"
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/tarball/${PV}/${MY_P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc fuzzyhash geoip jit json lua mlogc"
+
+COMMON_DEPEND="dev-libs/apr
+ dev-libs/apr-util[openssl]
+ dev-libs/libxml2
+ dev-libs/libpcre[jit?]
+ fuzzyhash? ( app-crypt/ssdeep )
+ json? ( dev-libs/yajl )
+ lua? ( dev-lang/lua:0 )
+ mlogc? ( net-misc/curl )
+ www-servers/apache[apache2_modules_unique_id]"
+DEPEND="${COMMON_DEPEND}
+ doc? ( app-doc/doxygen )"
+RDEPEND="${COMMON_DEPEND}
+ geoip? ( dev-libs/geoip )
+ mlogc? ( dev-lang/perl )"
+PDEPEND=">=www-apache/modsecurity-crs-2.2.6-r1"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="79_${PN}"
+APACHE2_MOD_DEFINE="SECURITY"
+
+# Tests require symbols only defined within the Apache binary.
+RESTRICT=test
+
+need_apache2
+
+src_configure() {
+ econf --enable-shared \
+ --disable-static \
+ --with-apxs="${APXS}" \
+ --enable-request-early \
+ --with-pic \
+ $(use_with fuzzyhash ssdeep) \
+ $(use_with json yajl) \
+ $(use_enable mlogc) \
+ $(use_with lua) \
+ $(use_enable lua lua-cache) \
+ $(use_enable jit pcre-jit)
+}
+
+src_compile() {
+ default
+
+ # Building the docs is broken at the moment, see e.g.
+ # https://github.com/SpiderLabs/ModSecurity/issues/1322
+ if use doc; then
+ doxygen doc/doxygen-apache.conf || die 'failed to build documentation'
+ fi
+}
+
+src_install() {
+ apache-module_src_install
+
+ dodoc CHANGES README.TXT modsecurity.conf-recommended
+
+ if use doc; then
+ dodoc -r doc/apache/html
+ fi
+
+ if use mlogc; then
+ insinto /etc/
+ newins mlogc/mlogc-default.conf mlogc.conf
+ dobin mlogc/mlogc
+ dobin mlogc/mlogc-batch-load.pl
+ newdoc mlogc/INSTALL INSTALL-mlogc
+ fi
+
+ # Use /var/lib instead of /var/cache. This stuff is "persistent,"
+ # and isn't a cached copy of something that we can recreate.
+ # Bug 605496.
+ keepdir /var/lib/modsecurity
+ fowners apache:apache /var/lib/modsecurity
+ fperms 0770 /var/lib/modsecurity
+}
+
+pkg_postinst() {
+ elog "The base configuration file has been renamed ${APACHE2_MOD_CONF}"
+ elog "so that you can put your own configuration in (for example)"
+ elog "90_modsecurity_local.conf."
+ elog ""
+ elog "That would be the correct place for site-global security rules."
+ elog "Note: 80_modsecurity_crs.conf is used by www-apache/modsecurity-crs"
+}