svn commit: r315811 - in head: security/vuxml www/mod_security

Marcelo Araujo araujo at FreeBSD.org
Tue Apr 16 10:58:17 UTC 2013


Author: araujo
Date: Tue Apr 16 10:58:15 2013
New Revision: 315811
URL: http://svnweb.freebsd.org/changeset/ports/315811

Log:
  - Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1]
  - Update MASTER_SITES.
  - Convert to optionsNG.
  - Trim header.
  
  More info:
  https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
  
  Reported by:    olli hauer <ohauer at gmx.de> [1]
  Approved by:    portmgr (bdrewery)
  Security:       2070c79a-8e1e-11e2-b34d-000c2957946c

Modified:
  head/security/vuxml/vuln.xml
  head/www/mod_security/Makefile
  head/www/mod_security/distinfo   (contents, props changed)

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Apr 15 23:28:12 2013	(r315810)
+++ head/security/vuxml/vuln.xml	Tue Apr 16 10:58:15 2013	(r315811)
@@ -51,6 +51,39 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="2070c79a-8e1e-11e2-b34d-000c2957946c">
+    <topic>ModSecurity -- XML External Entity Processing Vulnerability</topic>
+    <affects>
+      <package>
+	<name>mod_security</name>
+	<range><gt>2.*</gt><lt>2.7.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Positive Technologies has reported a vulnerability in ModSecurity,
+	  which can be exploited by malicious people to disclose potentially
+	  sensitive information or cause a DoS (Denial Of Serice).</p>
+	<p>The vulnerability is caused due to an error when parsing external
+	  XML entities and can be exploited to e.g. disclose local files or
+	  cause excessive memory and CPU consumption.</p>
+	<blockquote cite="https://secunia.com/advisories/52847/">
+	  <p>.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1915</cvename>
+      <url>https://secunia.com/advisories/52847/</url>
+      <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915</url>
+      <url>https://bugs.gentoo.org/show_bug.cgi?id=464188</url>
+    </references>
+    <dates>
+      <discovery>2013-04-02</discovery>
+      <entry>2013-04-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4">
     <topic>sieve-connect -- TLS hostname verification was not occurring</topic>
     <affects>

Modified: head/www/mod_security/Makefile
==============================================================================
--- head/www/mod_security/Makefile	Mon Apr 15 23:28:12 2013	(r315810)
+++ head/www/mod_security/Makefile	Tue Apr 16 10:58:15 2013	(r315811)
@@ -1,15 +1,9 @@
-# New ports collection makefile for:	mod_security
-# Date created:				4 June 2003
-# Whom:					Marcelo Araujo <araujo at FreeBSD.org>
-#
 # $FreeBSD$
-#
 
 PORTNAME=	mod_security
-PORTVERSION=	2.6.6
-PORTREVISION=	1
+PORTVERSION=	2.7.3
 CATEGORIES=	www security
-MASTER_SITES=	SF/mod-security/modsecurity-apache/${PORTVERSION}
+MASTER_SITES=	http://www.modsecurity.org/tarball/${PORTVERSION}/
 PKGNAMEPREFIX=	${APACHE_PKGNAMEPREFIX}
 DISTNAME=	${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
 
@@ -19,7 +13,7 @@ COMMENT=	An intrusion detection and prev
 LICENSE=	AL2
 MAKE_JOBS_SAFE=	yes
 
-LIB_DEPENDS+=	pcre.3:${PORTSDIR}/devel/pcre \
+LIB_DEPENDS+=	pcre:${PORTSDIR}/devel/pcre \
 		apr-1:${PORTSDIR}/devel/apr1
 
 USE_APACHE=	22+
@@ -39,36 +33,34 @@ PLIST_FILES=	etc/modsecurity.conf-exampl
 		${APACHEMODDIR}/mod_security2.so \
 		bin/rules-updater.pl \
 		lib/mod_security2.so
-OPTIONS=	LUA "Embedded Lua language support" off \
-		MLOGC "Build ModSecurity Log Collector" off
+
+OPTIONS_DEFINE=	LUA MLOGC
+MLOGC_DESC=	Build ModSecurity Log Collector
 
 .include <bsd.port.pre.mk>
 
-.if defined(WITH_MLOGC)
-PLIST_FILES+=	bin/mlogc
+.if ${PORT_OPTIONS:MMLOGC}
+LIB_DEPENDS+=	curl:${PORTSDIR}/ftp/curl
+CONFIGURE_ARGS+=	--with-curl=${LOCALBASE} --disable-errors
+PLIST_FILES+=	bin/mlogc bin/mlogc-batch-load.pl
+.else
+CONFIGURE_ARGS+=	--disable-mlogc
 .endif
 
-.if defined(WITH_LUA)
+.if ${PORT_OPTIONS:MLUA}
 USE_LUA=	5.1+
 CONFIGURE_ARGS+=	--with-lua=${LOCALBASE}
-LIB_DEPENDS+=	lua-5.1.1:${PORTSDIR}/lang/lua
+LIB_DEPENDS+=	lua-5.1.5:${PORTSDIR}/lang/lua
 .else
 CONFIGURE_ARGS+=	--without-lua
 .endif
 
-.if defined(WITH_MLOGC)
-LIB_DEPENDS+=	curl:${PORTSDIR}/ftp/curl
-CONFIGURE_ARGS+=	--with-curl=${LOCALBASE} --disable-errors
-.else
-CONFIGURE_ARGS+=	--disable-mlogc
-.endif
-
 REINPLACE_ARGS=	-i ""
 AP_EXTRAS+=	-DWITH_LIBXML2
 CONFIGURE_ARGS+=	--with-apxs=${APXS} --with-pcre=${LOCALBASE}
 
 post-build:
-.if defined(WITH_MLOGC)
+.if ${PORT_OPTIONS:MMLOGC}
 	# XXX there is "mlogc-static" target in the Makefile, too
 	cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} mlogc
 .endif
@@ -79,7 +71,7 @@ post-install:
 	@${MKDIR} ${DOCSDIR}
 	@(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${DOCSDIR}/)
 .endif
-.if defined(WITH_MLOGC)
+.if ${PORT_OPTIONS:MMLOGC}
 	${INSTALL_PROGRAM} ${WRKSRC}/mlogc/mlogc ${PREFIX}/bin/
 .endif
 

Modified: head/www/mod_security/distinfo
==============================================================================
--- head/www/mod_security/distinfo	Mon Apr 15 23:28:12 2013	(r315810)
+++ head/www/mod_security/distinfo	Tue Apr 16 10:58:15 2013	(r315811)
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.6.6.tar.gz) = a0cb075d5898230d17da5805eb102d1bbba07fe0748dcc32920990c4711b7708
-SIZE (modsecurity-apache_2.6.6.tar.gz) = 781984
+SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4
+SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947


More information about the svn-ports-head mailing list