commit: 15381ae65d3f18a94bc800fa5d049c83f533043e |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
AuthorDate: Mon May 8 01:43:42 2017 +0000 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
CommitDate: Mon May 8 01:43:59 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15381ae6 |
|
www-apache/mod_security: new version 2.9.1 to fix some bugs. |
|
There are a few important changes in this version. First, there is a |
new USE flag "mlogc" for the audit log collector. USE=curl was too |
confusing. Oh, and it actually installs the log collector files now. |
|
Next, I've moved the SecDataDir under /var/lib to eliminate a QA |
warning. That's a better place for it anyway, because it doesn't hold |
cached data (we have no way to recreate the stuff if it disappears). |
|
I've dropped the code that enables/disables the GeoIP stuff in the |
configuration file. We don't need to sed our users' configurations |
based on USE flags: they'll set it to what they want, and we should |
leave it that way. The flag is still there to pull in the geoip libs. |
The configuration file is named 79_mod_security.conf now, for consistency. |
|
There are two completely new flags, USE=json and USE=fuzzyhash to |
enable new upstream features. Some missing dependencies were added, |
and the docs are being built with doxygen for now. |
|
The following users submitted code and/or suggestions that I've |
used. Thanks guys! |
|
* Chris Frederick |
* Graham E |
* Leho Kraav |
* Mario D. Santana |
|
Gentoo-Bug: 518828 |
Gentoo-Bug: 594720 |
Gentoo-Bug: 605496 |
Gentoo-Bug: 615294 |
|
Package-Manager: Portage-2.3.3, Repoman-2.3.1 |
|
www-apache/mod_security/Manifest | 1 + |
www-apache/mod_security/files/79_mod_security.conf | 11 +++ |
www-apache/mod_security/metadata.xml | 27 ++++-- |
www-apache/mod_security/mod_security-2.9.1.ebuild | 103 +++++++++++++++++++++ |
4 files changed, 134 insertions(+), 8 deletions(-) |
|
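--- a/www-apache/mod_security/Manifest
+++ b/www-apache/mod_security/Manifest
@@ -1 +1,2 @@
+DIST modsecurity-2.9.1.tar.gz 4261212 SHA256 958cc5a7a7430f93fac0fd6f8b9aa92fc1801efce0cda797d6029d44080a9b24 SHA512 374733cbfc26e53d95b78c8f268a4e465d838163e9893fc24e33a9d272b114f1b287147bab6d0289575074cbbd94f48983e23fa59832cbcb32950046cea59269 WHIRLPOOL 5f41bebf032f8a269412d104b7632a06af4d4c495658c9cd1ebf69b82c10ce1bbcb34b9dd159a7b00e57348714a5e93ad3db19701dda51479accd3a9dc79a9cb
 DIST modsecurity-apache_2.7.7.tar.gz 1003835 SHA256 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b SHA512 859f72580b6acaae5db180f98ee32ad2cb0f3ef24321d0c2df20ddd9fcfbc6c09c98b672012dc4931a6fd14f3c21c38ed31ab8900940382fcb48b37f30005a7d WHIRLPOOL e70f09c6bf640733696e6c544b4e37702ab05b043bdf07266a081316620986e976d2dcf8c1552380e846132473718b3ae7f0cadd18953b08b22bef5de3a5b455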
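--- /dev/null
+++ b/www-apache/mod_security/files/79_mod_security.conf
@@ -0,0 +1,11 @@
+<IfDefine SECURITY>
+ LoadModule security2_module modules/mod_security2.so
+ SecDataDir /var/lib/modsecurity
+
+ # Enable looking up geolocation data from MaxMind's GeoIP database
+ # SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
+
+ # Define here your http:BL API key if any
+ # see http://www.projecthoneypot.org/httpbl_api.php
+ #SecHttpBlKey xxxxxxxx
+</IfDefine>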
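Review bot: `SecDataDir /var/lib/modsecurity` has no comment tying it to the directory the ebuild creates, so an admin who changes the path here gets no hint that the replacement must exist and be writable by the Apache user. The ebuild's src_install creates that directory as apache:apache with mode 0770, and this directive is the only place the two are linked. I would add above the directive: `# Persistent data directory; the ebuild creates it as apache:apache, mode 0770. If you change this path, create the new directory with the same owner and mode.`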
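--- a/www-apache/mod_security/metadata.xml
+++ b/www-apache/mod_security/metadata.xml
@@ -2,16 +2,14 @@
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 <use>
- <flag name="geoip">
- Configure ModSecurity to query the GeoIP database from MaxMind,
- provided by <pkg>dev-libs/geoip</pkg>. This flag only controls
- the default configuration, as the GeoIP query code is part of
- ModSecurity's source code.
+ <flag name="fuzzyhash">
+ Support fuzzy hash computations (to detect malware, for example)
+ using the <pkg>app-crypt/ssdeep</pkg> package.
 </flag>
 
- <flag name="curl">
- Build the ModSecurity Audit Log Collector (mlogc) that depends
- on <pkg>net-misc/curl</pkg>.
+ <flag name="geoip">
+ Pull in <pkg>dev-libs/geoip</pkg> for use by the SecGeoLookupDb
+ directive.
 </flag>
 
 <flag name="jit">
@@ -19,5 +17,18 @@
 by <pkg>dev-libs/libpcre</pkg> with jit USE flag enabled. Might
 not be available on hardened systems.
 </flag>
+
+ <flag name="json">
+ Suppose JSON in the request body parser through
+ <pkg>dev-libs/yajl</pkg>.
+ </flag>
+
+ <flag name="mlogc">
+ Build and install the ModSecurity Audit Log Collector (mlogc).
+ </flag>
 </use>
+
+ <upstream>
+ <remote-id type="github">SpiderLabs/ModSecurity</remote-id>
+ </upstream>
 </pkgmetadata>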
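Review bot: The new `json` flag description in the second hunk reads "Suppose JSON in the request body parser", which looks like a typo for "Support". Users see this text when they list USE flags, so it should read `Support JSON in the request body parser through <pkg>dev-libs/yajl</pkg>.`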
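--- /dev/null
+++ b/www-apache/mod_security/mod_security-2.9.1.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit apache-module
+
+MY_PN=modsecurity
+MY_P=${MY_PN}-${PV}
+
+DESCRIPTION="Application firewall and intrusion detection for Apache"
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/tarball/${PV}/${MY_P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc fuzzyhash geoip jit json lua mlogc"
+
+COMMON_DEPEND="dev-libs/apr
+ dev-libs/apr-util[openssl]
+ dev-libs/libxml2
+ dev-libs/libpcre[jit?]
+ fuzzyhash? ( app-crypt/ssdeep )
+ json? ( dev-libs/yajl )
+ lua? ( dev-lang/lua:0 )
+ mlogc? ( net-misc/curl )
+ www-servers/apache[apache2_modules_unique_id]"
+DEPEND="${COMMON_DEPEND}
+ doc? ( app-doc/doxygen )"
+RDEPEND="${COMMON_DEPEND}
+ geoip? ( dev-libs/geoip )
+ mlogc? ( dev-lang/perl )"
+PDEPEND=">=www-apache/modsecurity-crs-2.2.6-r1"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="79_${PN}"
+APACHE2_MOD_DEFINE="SECURITY"
+
+# Tests require symbols only defined within the Apache binary.
+RESTRICT=test
+
+need_apache2
+
+src_configure() {
+ econf --enable-shared \
+ --disable-static \
+ --with-apxs="${APXS}" \
+ --enable-request-early \
+ --with-pic \
+ $(use_with fuzzyhash ssdeep) \
+ $(use_with json yajl) \
+ $(use_enable mlogc) \
+ $(use_with lua) \
+ $(use_enable lua lua-cache) \
+ $(use_enable jit pcre-jit)
+}
+
+src_compile() {
+ default
+
+ # Building the docs is broken at the moment, see e.g.
+ # https://github.com/SpiderLabs/ModSecurity/issues/1322
+ if use doc; then
+ doxygen doc/doxygen-apache.conf || die 'failed to build documentation'
+ fi
+}
+
+src_install() {
+ apache-module_src_install
+
+ dodoc CHANGES README.TXT modsecurity.conf-recommended
+
+ if use doc; then
+ dodoc -r doc/apache/html
+ fi
+
+ if use mlogc; then
+ insinto /etc/
+ newins mlogc/mlogc-default.conf mlogc.conf
+ dobin mlogc/mlogc
+ dobin mlogc/mlogc-batch-load.pl
+ newdoc mlogc/INSTALL INSTALL-mlogc
+ fi
+
+ # Use /var/lib instead of /var/cache. This stuff is "persistent,"
+ # and isn't a cached copy of something that we can recreate.
+ # Bug 605496.
+ keepdir /var/lib/modsecurity
+ fowners apache:apache /var/lib/modsecurity
+ fperms 0770 /var/lib/modsecurity
+}
+
+pkg_postinst() {
+ elog "The base configuration file has been renamed ${APACHE2_MOD_CONF}"
+ elog "so that you can put your own configuration in (for example)"
+ elog "90_modsecurity_local.conf."
+ elog ""
+ elog "That would be the correct place for site-global security rules."
+ elog "Note: 80_modsecurity_crs.conf is used by www-apache/modsecurity-crs"
+}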
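Review bot: In src_install, the `if use mlogc` branch installs `mlogc.conf` into /etc with plain `insinto`/`newins` and sets no mode, so the file presumably lands with the default world-readable permissions. The collector's configuration is where the console sensor username and password normally go, so any local account could read them once an admin fills the file in; the contents of mlogc-default.conf are not visible in this diff, so confirm against the tarball. Adding `insopts -m0640` before `newins`, or `fperms 0640 /etc/mlogc.conf` with `fowners root:apache /etc/mlogc.conf` after it, would match the care the same function already takes with /var/lib/modsecurity.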