Date: Tue, 16 Apr 2013 10:58:16 +0000 (UTC) From: Marcelo Araujo <araujo@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r315811 - in head: security/vuxml www/mod_security Message-ID: <201304161058.r3GAwGHK012869@svn.freebsd.org>
Author: araujo Date: Tue Apr 16 10:58:15 2013 New Revision: 315811 URL: http://svnweb.freebsd.org/changeset/ports/315811 Log: - Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1] - Update MASTER_SITES. - Convert to optionsNG. - Trim header. More info: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES Reported by: olli hauer <ohauer@gmx.de> [1] Approved by: portmgr (bdrewery) Security: 2070c79a-8e1e-11e2-b34d-000c2957946c Modified: head/security/vuxml/vuln.xml head/www/mod_security/Makefile head/www/mod_security/distinfo (contents, props changed)
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Apr 15 23:28:12 2013 (r315810)
+++ head/security/vuxml/vuln.xml Tue Apr 16 10:58:15 2013 (r315811)
@@ -51,6 +51,39 @@ Note: Please add new entries to the beg
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="2070c79a-8e1e-11e2-b34d-000c2957946c">
+ <topic>ModSecurity -- XML External Entity Processing Vulnerability</topic>
+ <affects>
+ <package>
+ <name>mod_security</name>
+ <range><gt>2.*</gt><lt>2.7.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Positive Technologies has reported a vulnerability in ModSecurity,
+ which can be exploited by malicious people to disclose potentially
+ sensitive information or cause a DoS (Denial Of Serice).</p>
+ <p>The vulnerability is caused due to an error when parsing external
+ XML entities and can be exploited to e.g. disclose local files or
+ cause excessive memory and CPU consumption.</p>
+ <blockquote cite="https://secunia.com/advisories/52847/">
+ <p>.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-1915</cvename>
+ <url>https://secunia.com/advisories/52847/</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915</url>
+ <url>https://bugs.gentoo.org/show_bug.cgi?id=464188</url>
+ </references>
+ <dates>
+ <discovery>2013-04-02</discovery>
+ <entry>2013-04-16</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4">
 <topic>sieve-connect -- TLS hostname verification was not occurring</topic>
 <affects>
Modified: head/www/mod_security/Makefile
==============================================================================
--- head/www/mod_security/Makefile Mon Apr 15 23:28:12 2013 (r315810)
+++ head/www/mod_security/Makefile Tue Apr 16 10:58:15 2013 (r315811)
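Review bot: `<name>mod_security</name>` may not match the package this port actually installs, because the Makefile in the same commit keeps `PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}`; if that expands to a non-empty prefix, tools that match VuXML names against installed package names would not flag vulnerable 2.x installs. I would add the prefixed package name as a second `<name>` element inside the same `<package>` (the concrete prefix is not visible on this page, so it needs to be confirmed against the installed package name). Separately, the `<blockquote cite=...>` holds only `<p>.</p>` while the two advisory paragraphs sit outside it, and `Denial Of Serice` should read `Denial of Service`; moving both paragraphs inside the blockquote and dropping the placeholder fixes the attribution and the markup together.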
@@ -1,15 +1,9 @@
-# New ports collection makefile for: mod_security
-# Date created: 4 June 2003
-# Whom: Marcelo Araujo <araujo@FreeBSD.org>
-#
 # $FreeBSD$
-#
 PORTNAME= mod_security
-PORTVERSION= 2.6.6
-PORTREVISION= 1
+PORTVERSION= 2.7.3
 CATEGORIES= www security
-MASTER_SITES= SF/mod-security/modsecurity-apache/${PORTVERSION}
+MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/
 PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
 DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
@@ -19,7 +13,7 @@ COMMENT= An intrusion detection and prev
 LICENSE= AL2
 MAKE_JOBS_SAFE= yes
-LIB_DEPENDS+= pcre.3:${PORTSDIR}/devel/pcre \
+LIB_DEPENDS+= pcre:${PORTSDIR}/devel/pcre \
 apr-1:${PORTSDIR}/devel/apr1
 USE_APACHE= 22+
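Review bot: `MASTER_SITES` now names a single cleartext `http://` origin, so the SHA256 recorded in distinfo is the only integrity control on the tarball, and nothing visible in this commit shows that digest was compared with a value published by upstream rather than computed from the same HTTP download. For a release whose purpose is a security fix, I would state in the commit log how the checksum was verified and, if upstream serves this path over TLS, use `MASTER_SITES= https://www.modsecurity.org/tarball/${PORTVERSION}/`. Dropping the `SF/...` entry also leaves one fetch location; keeping it as a second entry would help only if the 2.7.3 tarball is actually published there, which the page does not show.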
@@ -39,36 +33,34 @@ PLIST_FILES= etc/modsecurity.conf-exampl
 ${APACHEMODDIR}/mod_security2.so \
 bin/rules-updater.pl \
 lib/mod_security2.so
-OPTIONS= LUA "Embedded Lua language support" off \
- MLOGC "Build ModSecurity Log Collector" off
+
+OPTIONS_DEFINE= LUA MLOGC
+MLOGC_DESC= Build ModSecurity Log Collector
 .include <bsd.port.pre.mk>
-.if defined(WITH_MLOGC)
-PLIST_FILES+= bin/mlogc
+.if ${PORT_OPTIONS:MMLOGC}
+LIB_DEPENDS+= curl:${PORTSDIR}/ftp/curl
+CONFIGURE_ARGS+= --with-curl=${LOCALBASE} --disable-errors
+PLIST_FILES+= bin/mlogc bin/mlogc-batch-load.pl
+.else
+CONFIGURE_ARGS+= --disable-mlogc
 .endif
-.if defined(WITH_LUA)
+.if ${PORT_OPTIONS:MLUA}
 USE_LUA= 5.1+
 CONFIGURE_ARGS+= --with-lua=${LOCALBASE}
-LIB_DEPENDS+= lua-5.1.1:${PORTSDIR}/lang/lua
+LIB_DEPENDS+= lua-5.1.5:${PORTSDIR}/lang/lua
 .else
 CONFIGURE_ARGS+= --without-lua
 .endif
-.if defined(WITH_MLOGC)
-LIB_DEPENDS+= curl:${PORTSDIR}/ftp/curl
-CONFIGURE_ARGS+= --with-curl=${LOCALBASE} --disable-errors
-.else
-CONFIGURE_ARGS+= --disable-mlogc
-.endif
-
 REINPLACE_ARGS= -i ""
 AP_EXTRAS+= -DWITH_LIBXML2
 CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE}
 post-build:
-.if defined(WITH_MLOGC)
+.if ${PORT_OPTIONS:MMLOGC}
 # XXX there is "mlogc-static" target in the Makefile, too
 cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} mlogc
 .endif
@@ -79,7 +71,7 @@ post-install:
 @${MKDIR} ${DOCSDIR}
 @(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${DOCSDIR}/)
 .endif
-.if defined(WITH_MLOGC)
+.if ${PORT_OPTIONS:MMLOGC}
 ${INSTALL_PROGRAM} ${WRKSRC}/mlogc/mlogc ${PREFIX}/bin/
 .endif
Modified: head/www/mod_security/distinfo
==============================================================================
--- head/www/mod_security/distinfo Mon Apr 15 23:28:12 2013 (r315810)
+++ head/www/mod_security/distinfo Tue Apr 16 10:58:15 2013 (r315811)
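Review bot: The MLOGC branch now lists `bin/mlogc-batch-load.pl` in `PLIST_FILES`, but the `post-install` hunk further down still copies only `${WRKSRC}/mlogc/mlogc`, so unless upstream's own install target places the script (not visible here) the package list and the installed files will disagree. I would add a matching line next to the existing one, e.g. `${INSTALL_SCRIPT} ${WRKSRC}/mlogc/mlogc-batch-load.pl ${PREFIX}/bin/`, with the source path to be confirmed against the 2.7.3 tarball. The `post-install` target starts outside the hunk, so an install step for the script may already exist above the visible lines.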
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.6.6.tar.gz) = a0cb075d5898230d17da5805eb102d1bbba07fe0748dcc32920990c4711b7708
-SIZE (modsecurity-apache_2.6.6.tar.gz) = 781984
+SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4
+SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947