- Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1]

- Update MASTER_SITES.
- Convert to optionsNG.
- Trim header.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Reported by:    olli hauer <ohauer@gmx.de> [1]
Approved by:    portmgr (bdrewery)
Security:       2070c79a-8e1e-11e2-b34d-000c2957946c
This commit is contained in:
Marcelo Araujo 2013-04-16 10:58:15 +00:00
parent 97b3d5bb0c
commit d9e4c9a9ce
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=315811
3 changed files with 53 additions and 28 deletions

View file

@ -51,6 +51,39 @@ Note: Please add new entries to the beginning of this file.
--> -->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="2070c79a-8e1e-11e2-b34d-000c2957946c">
<topic>ModSecurity -- XML External Entity Processing Vulnerability</topic>
<affects>
<package>
<name>mod_security</name>
<range><gt>2.*</gt><lt>2.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Positive Technologies has reported a vulnerability in ModSecurity,
which can be exploited by malicious people to disclose potentially
sensitive information or cause a DoS (Denial Of Serice).</p>
<p>The vulnerability is caused due to an error when parsing external
XML entities and can be exploited to e.g. disclose local files or
cause excessive memory and CPU consumption.</p>
<blockquote cite="https://secunia.com/advisories/52847/">
<p>.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1915</cvename>
<url>https://secunia.com/advisories/52847/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915</url>
<url>https://bugs.gentoo.org/show_bug.cgi?id=464188</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-04-16</entry>
</dates>
</vuln>
<vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4"> <vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4">
<topic>sieve-connect -- TLS hostname verification was not occurring</topic> <topic>sieve-connect -- TLS hostname verification was not occurring</topic>
<affects> <affects>

View file

@ -1,15 +1,9 @@
# New ports collection makefile for: mod_security
# Date created: 4 June 2003
# Whom: Marcelo Araujo <araujo@FreeBSD.org>
#
# $FreeBSD$ # $FreeBSD$
#
PORTNAME= mod_security PORTNAME= mod_security
PORTVERSION= 2.6.6 PORTVERSION= 2.7.3
PORTREVISION= 1
CATEGORIES= www security CATEGORIES= www security
MASTER_SITES= SF/mod-security/modsecurity-apache/${PORTVERSION} MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/
PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX} PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION} DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
@ -19,7 +13,7 @@ COMMENT= An intrusion detection and prevention engine
LICENSE= AL2 LICENSE= AL2
MAKE_JOBS_SAFE= yes MAKE_JOBS_SAFE= yes
LIB_DEPENDS+= pcre.3:${PORTSDIR}/devel/pcre \ LIB_DEPENDS+= pcre:${PORTSDIR}/devel/pcre \
apr-1:${PORTSDIR}/devel/apr1 apr-1:${PORTSDIR}/devel/apr1
USE_APACHE= 22+ USE_APACHE= 22+
@ -39,36 +33,34 @@ PLIST_FILES= etc/modsecurity.conf-example \
${APACHEMODDIR}/mod_security2.so \ ${APACHEMODDIR}/mod_security2.so \
bin/rules-updater.pl \ bin/rules-updater.pl \
lib/mod_security2.so lib/mod_security2.so
OPTIONS= LUA "Embedded Lua language support" off \
MLOGC "Build ModSecurity Log Collector" off OPTIONS_DEFINE= LUA MLOGC
MLOGC_DESC= Build ModSecurity Log Collector
.include <bsd.port.pre.mk> .include <bsd.port.pre.mk>
.if defined(WITH_MLOGC) .if ${PORT_OPTIONS:MMLOGC}
PLIST_FILES+= bin/mlogc
.endif
.if defined(WITH_LUA)
USE_LUA= 5.1+
CONFIGURE_ARGS+= --with-lua=${LOCALBASE}
LIB_DEPENDS+= lua-5.1.1:${PORTSDIR}/lang/lua
.else
CONFIGURE_ARGS+= --without-lua
.endif
.if defined(WITH_MLOGC)
LIB_DEPENDS+= curl:${PORTSDIR}/ftp/curl LIB_DEPENDS+= curl:${PORTSDIR}/ftp/curl
CONFIGURE_ARGS+= --with-curl=${LOCALBASE} --disable-errors CONFIGURE_ARGS+= --with-curl=${LOCALBASE} --disable-errors
PLIST_FILES+= bin/mlogc bin/mlogc-batch-load.pl
.else .else
CONFIGURE_ARGS+= --disable-mlogc CONFIGURE_ARGS+= --disable-mlogc
.endif .endif
.if ${PORT_OPTIONS:MLUA}
USE_LUA= 5.1+
CONFIGURE_ARGS+= --with-lua=${LOCALBASE}
LIB_DEPENDS+= lua-5.1.5:${PORTSDIR}/lang/lua
.else
CONFIGURE_ARGS+= --without-lua
.endif
REINPLACE_ARGS= -i "" REINPLACE_ARGS= -i ""
AP_EXTRAS+= -DWITH_LIBXML2 AP_EXTRAS+= -DWITH_LIBXML2
CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE} CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE}
post-build: post-build:
.if defined(WITH_MLOGC) .if ${PORT_OPTIONS:MMLOGC}
# XXX there is "mlogc-static" target in the Makefile, too # XXX there is "mlogc-static" target in the Makefile, too
cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} mlogc cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} mlogc
.endif .endif
@ -79,7 +71,7 @@ post-install:
@${MKDIR} ${DOCSDIR} @${MKDIR} ${DOCSDIR}
@(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${DOCSDIR}/) @(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${DOCSDIR}/)
.endif .endif
.if defined(WITH_MLOGC) .if ${PORT_OPTIONS:MMLOGC}
${INSTALL_PROGRAM} ${WRKSRC}/mlogc/mlogc ${PREFIX}/bin/ ${INSTALL_PROGRAM} ${WRKSRC}/mlogc/mlogc ${PREFIX}/bin/
.endif .endif

View file

@ -1,2 +1,2 @@
SHA256 (modsecurity-apache_2.6.6.tar.gz) = a0cb075d5898230d17da5805eb102d1bbba07fe0748dcc32920990c4711b7708 SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4
SIZE (modsecurity-apache_2.6.6.tar.gz) = 781984 SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947