svn commit: r315811 - in head: security/vuxml www/mod_security
Marcelo Araujo
araujo at FreeBSD.org
Tue Apr 16 10:58:17 UTC 2013
Author: araujo
Date: Tue Apr 16 10:58:15 2013
New Revision: 315811
URL: http://svnweb.freebsd.org/changeset/ports/315811
Log:
- Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1]
- Update MASTER_SITES.
- Convert to optionsNG.
- Trim header.
More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
Reported by: olli hauer <ohauer at gmx.de> [1]
Approved by: portmgr (bdrewery)
Security: 2070c79a-8e1e-11e2-b34d-000c2957946c
Modified:
head/security/vuxml/vuln.xml
head/www/mod_security/Makefile
head/www/mod_security/distinfo (contents, props changed)
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Apr 15 23:28:12 2013 (r315810)
+++ head/security/vuxml/vuln.xml Tue Apr 16 10:58:15 2013 (r315811)
@@ -51,6 +51,39 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="2070c79a-8e1e-11e2-b34d-000c2957946c">
+ <topic>ModSecurity -- XML External Entity Processing Vulnerability</topic>
+ <affects>
+ <package>
+ <name>mod_security</name>
+ <range><gt>2.*</gt><lt>2.7.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Positive Technologies has reported a vulnerability in ModSecurity,
+ which can be exploited by malicious people to disclose potentially
+ sensitive information or cause a DoS (Denial Of Serice).</p>
+ <p>The vulnerability is caused due to an error when parsing external
+ XML entities and can be exploited to e.g. disclose local files or
+ cause excessive memory and CPU consumption.</p>
+ <blockquote cite="https://secunia.com/advisories/52847/">
+ <p>.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-1915</cvename>
+ <url>https://secunia.com/advisories/52847/</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915</url>
+ <url>https://bugs.gentoo.org/show_bug.cgi?id=464188</url>
+ </references>
+ <dates>
+ <discovery>2013-04-02</discovery>
+ <entry>2013-04-16</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4">
<topic>sieve-connect -- TLS hostname verification was not occurring</topic>
<affects>
Modified: head/www/mod_security/Makefile
==============================================================================
--- head/www/mod_security/Makefile Mon Apr 15 23:28:12 2013 (r315810)
+++ head/www/mod_security/Makefile Tue Apr 16 10:58:15 2013 (r315811)
@@ -1,15 +1,9 @@
-# New ports collection makefile for: mod_security
-# Date created: 4 June 2003
-# Whom: Marcelo Araujo <araujo at FreeBSD.org>
-#
# $FreeBSD$
-#
PORTNAME= mod_security
-PORTVERSION= 2.6.6
-PORTREVISION= 1
+PORTVERSION= 2.7.3
CATEGORIES= www security
-MASTER_SITES= SF/mod-security/modsecurity-apache/${PORTVERSION}
+MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/
PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
@@ -19,7 +13,7 @@ COMMENT= An intrusion detection and prev
LICENSE= AL2
MAKE_JOBS_SAFE= yes
-LIB_DEPENDS+= pcre.3:${PORTSDIR}/devel/pcre \
+LIB_DEPENDS+= pcre:${PORTSDIR}/devel/pcre \
apr-1:${PORTSDIR}/devel/apr1
USE_APACHE= 22+
@@ -39,36 +33,34 @@ PLIST_FILES= etc/modsecurity.conf-exampl
${APACHEMODDIR}/mod_security2.so \
bin/rules-updater.pl \
lib/mod_security2.so
-OPTIONS= LUA "Embedded Lua language support" off \
- MLOGC "Build ModSecurity Log Collector" off
+
+OPTIONS_DEFINE= LUA MLOGC
+MLOGC_DESC= Build ModSecurity Log Collector
.include <bsd.port.pre.mk>
-.if defined(WITH_MLOGC)
-PLIST_FILES+= bin/mlogc
+.if ${PORT_OPTIONS:MMLOGC}
+LIB_DEPENDS+= curl:${PORTSDIR}/ftp/curl
+CONFIGURE_ARGS+= --with-curl=${LOCALBASE} --disable-errors
+PLIST_FILES+= bin/mlogc bin/mlogc-batch-load.pl
+.else
+CONFIGURE_ARGS+= --disable-mlogc
.endif
-.if defined(WITH_LUA)
+.if ${PORT_OPTIONS:MLUA}
USE_LUA= 5.1+
CONFIGURE_ARGS+= --with-lua=${LOCALBASE}
-LIB_DEPENDS+= lua-5.1.1:${PORTSDIR}/lang/lua
+LIB_DEPENDS+= lua-5.1.5:${PORTSDIR}/lang/lua
.else
CONFIGURE_ARGS+= --without-lua
.endif
-.if defined(WITH_MLOGC)
-LIB_DEPENDS+= curl:${PORTSDIR}/ftp/curl
-CONFIGURE_ARGS+= --with-curl=${LOCALBASE} --disable-errors
-.else
-CONFIGURE_ARGS+= --disable-mlogc
-.endif
-
REINPLACE_ARGS= -i ""
AP_EXTRAS+= -DWITH_LIBXML2
CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE}
post-build:
-.if defined(WITH_MLOGC)
+.if ${PORT_OPTIONS:MMLOGC}
# XXX there is "mlogc-static" target in the Makefile, too
cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} mlogc
.endif
@@ -79,7 +71,7 @@ post-install:
@${MKDIR} ${DOCSDIR}
@(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${DOCSDIR}/)
.endif
-.if defined(WITH_MLOGC)
+.if ${PORT_OPTIONS:MMLOGC}
${INSTALL_PROGRAM} ${WRKSRC}/mlogc/mlogc ${PREFIX}/bin/
.endif
Modified: head/www/mod_security/distinfo
==============================================================================
--- head/www/mod_security/distinfo Mon Apr 15 23:28:12 2013 (r315810)
+++ head/www/mod_security/distinfo Tue Apr 16 10:58:15 2013 (r315811)
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.6.6.tar.gz) = a0cb075d5898230d17da5805eb102d1bbba07fe0748dcc32920990c4711b7708
-SIZE (modsecurity-apache_2.6.6.tar.gz) = 781984
+SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4
+SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947
More information about the svn-ports-head
mailing list