| 1 |
commit: 15381ae65d3f18a94bc800fa5d049c83f533043e |
| 2 |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon May 8 01:43:42 2017 +0000 |
| 4 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon May 8 01:43:59 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15381ae6 |
| 7 |
|
| 8 |
www-apache/mod_security: new version 2.9.1 to fix some bugs. |
| 9 |
|
| 10 |
There are a few important changes in this version. First, there is a |
| 11 |
new USE flag "mlogc" for the audit log collector. USE=curl was too |
| 12 |
confusing. Oh, and it actually installs the log collector files now. |
| 13 |
|
| 14 |
Next, I've moved the SecDataDir under /var/lib to eliminate a QA |
| 15 |
warning. That's a better place for it anyway, because it doesn't hold |
| 16 |
cached data (we have no way to recreate the stuff if it disappears). |
| 17 |
|
| 18 |
I've dropped the code that enables/disables the GeoIP stuff in the |
| 19 |
configuration file. We don't need to sed our users' configurations |
| 20 |
based on USE flags: they'll set it to what they want, and we should |
| 21 |
leave it that way. The flag is still there to pull in the geoip libs. |
| 22 |
The configuration file is named 79_mod_security.conf now, for consistency. |
| 23 |
|
| 24 |
There are two completely new flags, USE=json and USE=fuzzyhash to |
| 25 |
enable new upstream features. Some missing dependencies were added, |
| 26 |
and the docs are being built with doxygen for now. |
| 27 |
|
| 28 |
The following users submitted code and/or suggestions that I've |
| 29 |
used. Thanks guys! |
| 30 |
|
| 31 |
* Chris Frederick |
| 32 |
* Graham E |
| 33 |
* Leho Kraav |
| 34 |
* Mario D. Santana |
| 35 |
|
| 36 |
Gentoo-Bug: 518828 |
| 37 |
Gentoo-Bug: 594720 |
| 38 |
Gentoo-Bug: 605496 |
| 39 |
Gentoo-Bug: 615294 |
| 40 |
|
| 41 |
Package-Manager: Portage-2.3.3, Repoman-2.3.1 |
| 42 |
|
| 43 |
www-apache/mod_security/Manifest | 1 + |
| 44 |
www-apache/mod_security/files/79_mod_security.conf | 11 +++ |
| 45 |
www-apache/mod_security/metadata.xml | 27 ++++-- |
| 46 |
www-apache/mod_security/mod_security-2.9.1.ebuild | 103 +++++++++++++++++++++ |
| 47 |
4 files changed, 134 insertions(+), 8 deletions(-) |
| 48 |
|
| 49 |
diff --git a/www-apache/mod_security/Manifest b/www-apache/mod_security/Manifest |
| 50 |
index d2a730c6410..87fdeecacaa 100644 |
| 51 |
--- a/www-apache/mod_security/Manifest |
| 52 |
+++ b/www-apache/mod_security/Manifest |
| 53 |
@@ -1 +1,2 @@ |
| 54 |
+DIST modsecurity-2.9.1.tar.gz 4261212 SHA256 958cc5a7a7430f93fac0fd6f8b9aa92fc1801efce0cda797d6029d44080a9b24 SHA512 374733cbfc26e53d95b78c8f268a4e465d838163e9893fc24e33a9d272b114f1b287147bab6d0289575074cbbd94f48983e23fa59832cbcb32950046cea59269 WHIRLPOOL 5f41bebf032f8a269412d104b7632a06af4d4c495658c9cd1ebf69b82c10ce1bbcb34b9dd159a7b00e57348714a5e93ad3db19701dda51479accd3a9dc79a9cb |
| 55 |
DIST modsecurity-apache_2.7.7.tar.gz 1003835 SHA256 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b SHA512 859f72580b6acaae5db180f98ee32ad2cb0f3ef24321d0c2df20ddd9fcfbc6c09c98b672012dc4931a6fd14f3c21c38ed31ab8900940382fcb48b37f30005a7d WHIRLPOOL e70f09c6bf640733696e6c544b4e37702ab05b043bdf07266a081316620986e976d2dcf8c1552380e846132473718b3ae7f0cadd18953b08b22bef5de3a5b455 |
| 56 |
|
| 57 |
diff --git a/www-apache/mod_security/files/79_mod_security.conf b/www-apache/mod_security/files/79_mod_security.conf |
| 58 |
new file mode 100644 |
| 59 |
index 00000000000..bd88e88a977 |
| 60 |
--- /dev/null |
| 61 |
+++ b/www-apache/mod_security/files/79_mod_security.conf |
| 62 |
@@ -0,0 +1,11 @@ |
| 63 |
+<IfDefine SECURITY> |
| 64 |
+ LoadModule security2_module modules/mod_security2.so |
| 65 |
+ SecDataDir /var/lib/modsecurity |
| 66 |
+ |
| 67 |
+ # Enable looking up geolocation data from MaxMind's GeoIP database |
| 68 |
+ # SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat |
| 69 |
+ |
| 70 |
+ # Define here your http:BL API key if any |
| 71 |
+ # see http://www.projecthoneypot.org/httpbl_api.php |
| 72 |
+ #SecHttpBlKey xxxxxxxx |
| 73 |
+</IfDefine> |
| 74 |
|
| 75 |
diff --git a/www-apache/mod_security/metadata.xml b/www-apache/mod_security/metadata.xml |
| 76 |
index 0b434d6c669..1a8e39a420e 100644 |
| 77 |
--- a/www-apache/mod_security/metadata.xml |
| 78 |
+++ b/www-apache/mod_security/metadata.xml |
| 79 |
@@ -2,16 +2,14 @@ |
| 80 |
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> |
| 81 |
<pkgmetadata> |
| 82 |
<use> |
| 83 |
- <flag name="geoip"> |
| 84 |
- Configure ModSecurity to query the GeoIP database from MaxMind, |
| 85 |
- provided by <pkg>dev-libs/geoip</pkg>. This flag only controls |
| 86 |
- the default configuration, as the GeoIP query code is part of |
| 87 |
- ModSecurity's source code. |
| 88 |
+ <flag name="fuzzyhash"> |
| 89 |
+ Support fuzzy hash computations (to detect malware, for example) |
| 90 |
+ using the <pkg>app-crypt/ssdeep</pkg> package. |
| 91 |
</flag> |
| 92 |
|
| 93 |
- <flag name="curl"> |
| 94 |
- Build the ModSecurity Audit Log Collector (mlogc) that depends |
| 95 |
- on <pkg>net-misc/curl</pkg>. |
| 96 |
+ <flag name="geoip"> |
| 97 |
+ Pull in <pkg>dev-libs/geoip</pkg> for use by the SecGeoLookupDb |
| 98 |
+ directive. |
| 99 |
</flag> |
| 100 |
|
| 101 |
<flag name="jit"> |
| 102 |
@@ -19,5 +17,18 @@ |
| 103 |
by <pkg>dev-libs/libpcre</pkg> with jit USE flag enabled. Might |
| 104 |
not be available on hardened systems. |
| 105 |
</flag> |
| 106 |
+ |
| 107 |
+ <flag name="json"> |
| 108 |
+ Suppose JSON in the request body parser through |
| 109 |
+ <pkg>dev-libs/yajl</pkg>. |
| 110 |
+ </flag> |
| 111 |
+ |
| 112 |
+ <flag name="mlogc"> |
| 113 |
+ Build and install the ModSecurity Audit Log Collector (mlogc). |
| 114 |
+ </flag> |
| 115 |
</use> |
| 116 |
+ |
| 117 |
+ <upstream> |
| 118 |
+ <remote-id type="github">SpiderLabs/ModSecurity</remote-id> |
| 119 |
+ </upstream> |
| 120 |
</pkgmetadata> |
| 121 |
|
| 122 |
diff --git a/www-apache/mod_security/mod_security-2.9.1.ebuild b/www-apache/mod_security/mod_security-2.9.1.ebuild |
| 123 |
new file mode 100644 |
| 124 |
index 00000000000..c444dd2ecf3 |
| 125 |
--- /dev/null |
| 126 |
+++ b/www-apache/mod_security/mod_security-2.9.1.ebuild |
| 127 |
@@ -0,0 +1,103 @@ |
| 128 |
+# Copyright 1999-2017 Gentoo Foundation |
| 129 |
+# Distributed under the terms of the GNU General Public License v2 |
| 130 |
+ |
| 131 |
+EAPI=5 |
| 132 |
+ |
| 133 |
+inherit apache-module |
| 134 |
+ |
| 135 |
+MY_PN=modsecurity |
| 136 |
+MY_P=${MY_PN}-${PV} |
| 137 |
+ |
| 138 |
+DESCRIPTION="Application firewall and intrusion detection for Apache" |
| 139 |
+HOMEPAGE="http://www.modsecurity.org/" |
| 140 |
+SRC_URI="http://www.modsecurity.org/tarball/${PV}/${MY_P}.tar.gz" |
| 141 |
+ |
| 142 |
+LICENSE="Apache-2.0" |
| 143 |
+SLOT="0" |
| 144 |
+KEYWORDS="~amd64 ~x86" |
| 145 |
+IUSE="doc fuzzyhash geoip jit json lua mlogc" |
| 146 |
+ |
| 147 |
+COMMON_DEPEND="dev-libs/apr |
| 148 |
+ dev-libs/apr-util[openssl] |
| 149 |
+ dev-libs/libxml2 |
| 150 |
+ dev-libs/libpcre[jit?] |
| 151 |
+ fuzzyhash? ( app-crypt/ssdeep ) |
| 152 |
+ json? ( dev-libs/yajl ) |
| 153 |
+ lua? ( dev-lang/lua:0 ) |
| 154 |
+ mlogc? ( net-misc/curl ) |
| 155 |
+ www-servers/apache[apache2_modules_unique_id]" |
| 156 |
+DEPEND="${COMMON_DEPEND} |
| 157 |
+ doc? ( app-doc/doxygen )" |
| 158 |
+RDEPEND="${COMMON_DEPEND} |
| 159 |
+ geoip? ( dev-libs/geoip ) |
| 160 |
+ mlogc? ( dev-lang/perl )" |
| 161 |
+PDEPEND=">=www-apache/modsecurity-crs-2.2.6-r1" |
| 162 |
+ |
| 163 |
+S="${WORKDIR}/${MY_P}" |
| 164 |
+ |
| 165 |
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so" |
| 166 |
+APACHE2_MOD_CONF="79_${PN}" |
| 167 |
+APACHE2_MOD_DEFINE="SECURITY" |
| 168 |
+ |
| 169 |
+# Tests require symbols only defined within the Apache binary. |
| 170 |
+RESTRICT=test |
| 171 |
+ |
| 172 |
+need_apache2 |
| 173 |
+ |
| 174 |
+src_configure() { |
| 175 |
+ econf --enable-shared \ |
| 176 |
+ --disable-static \ |
| 177 |
+ --with-apxs="${APXS}" \ |
| 178 |
+ --enable-request-early \ |
| 179 |
+ --with-pic \ |
| 180 |
+ $(use_with fuzzyhash ssdeep) \ |
| 181 |
+ $(use_with json yajl) \ |
| 182 |
+ $(use_enable mlogc) \ |
| 183 |
+ $(use_with lua) \ |
| 184 |
+ $(use_enable lua lua-cache) \ |
| 185 |
+ $(use_enable jit pcre-jit) |
| 186 |
+} |
| 187 |
+ |
| 188 |
+src_compile() { |
| 189 |
+ default |
| 190 |
+ |
| 191 |
+ # Building the docs is broken at the moment, see e.g. |
| 192 |
+ # https://github.com/SpiderLabs/ModSecurity/issues/1322 |
| 193 |
+ if use doc; then |
| 194 |
+ doxygen doc/doxygen-apache.conf || die 'failed to build documentation' |
| 195 |
+ fi |
| 196 |
+} |
| 197 |
+ |
| 198 |
+src_install() { |
| 199 |
+ apache-module_src_install |
| 200 |
+ |
| 201 |
+ dodoc CHANGES README.TXT modsecurity.conf-recommended |
| 202 |
+ |
| 203 |
+ if use doc; then |
| 204 |
+ dodoc -r doc/apache/html |
| 205 |
+ fi |
| 206 |
+ |
| 207 |
+ if use mlogc; then |
| 208 |
+ insinto /etc/ |
| 209 |
+ newins mlogc/mlogc-default.conf mlogc.conf |
| 210 |
+ dobin mlogc/mlogc |
| 211 |
+ dobin mlogc/mlogc-batch-load.pl |
| 212 |
+ newdoc mlogc/INSTALL INSTALL-mlogc |
| 213 |
+ fi |
| 214 |
+ |
| 215 |
+ # Use /var/lib instead of /var/cache. This stuff is "persistent," |
| 216 |
+ # and isn't a cached copy of something that we can recreate. |
| 217 |
+ # Bug 605496. |
| 218 |
+ keepdir /var/lib/modsecurity |
| 219 |
+ fowners apache:apache /var/lib/modsecurity |
| 220 |
+ fperms 0770 /var/lib/modsecurity |
| 221 |
+} |
| 222 |
+ |
| 223 |
+pkg_postinst() { |
| 224 |
+ elog "The base configuration file has been renamed ${APACHE2_MOD_CONF}" |
| 225 |
+ elog "so that you can put your own configuration in (for example)" |
| 226 |
+ elog "90_modsecurity_local.conf." |
| 227 |
+ elog "" |
| 228 |
+ elog "That would be the correct place for site-global security rules." |
| 229 |
+ elog "Note: 80_modsecurity_crs.conf is used by www-apache/modsecurity-crs" |
| 230 |
+} |
Archives