Bug 139778 - mod_security would be nice
Summary: mod_security would be nice
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Bill Nottingham
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-11-17 23:43 UTC by Dan Hollis
Modified: 2014-03-17 02:50 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-03-21 14:54:52 UTC


Attachments (Terms of Use)

Description Dan Hollis 2004-11-17 23:43:49 UTC
Description of problem:
mod_security would be nice to have.

Since Fedora has shifted to a very security-conscious distro (eg
SElinux), bundling mod_security makes sense.

Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. Install FC3
2. No mod_security module available.
3. Cry :-(

Actual results:
N/A

Expected results:
N/A

Additional info:
http://www.modsecurity.org/

Comment 1 Joe Orton 2005-03-21 14:54:52 UTC
I think this is probably more appropriate for Extras.  Perhaps you could package
the module and propose it?

Comment 2 Dan Hollis 2005-03-23 20:24:28 UTC
with the focus of fedora on security (selinux etc) it seems to me this is more
appropriate for the core distribution rather than extras. since mod_security
targets exactly that -- apache security.

Comment 3 Bill Nottingham 2005-03-23 20:49:17 UTC
Deferring to the opinion of the apache guys; if they feel it's more suitable for
Extras, that's good enough for me.

Comment 4 Joe Orton 2005-03-23 21:43:18 UTC
I don't think the parallel with SELinux is really appropriate: SELinux is an
architectural refinement to the security model.

My rationale is simply that inclusion of mod_security in Fedora Core would make
a clear editorial statement that we think the module is a Good Thing and You All
Should Use It; but I'm not really convinced of that.

It's very important to understand the risk trade-off involved with this module:
it adds a chunk of code and complexity, which notably does lots of parsing work.

cc'ing Mark in case he has additional comments.

Comment 5 Mark J. Cox 2005-03-23 21:51:12 UTC
Tough to call -- mod_security has added one remotely exploitable hole so far,
whereas Apache itself hasn't had any (2.* on Linux).  However mod_security would
(and does) catch a lot of the exploits written to take advantage of the flaws in
third party badly-written PHP scripts.  My opinion would be to put this into
Extras for now.

Comment 6 Dan Hollis 2005-03-23 22:33:50 UTC
openssh has had its share of remotely exploitable vulnerabilities as well,
though i would say overall its prevented more attacks than its caused :-)

there are a _lot_ of apache attacks going around these days, i'd hope to see
mod_security more widely used. if it goes in extras, meh. better than nothing i
guess.

as for endorsements, does that mean everything in core carries an explicit
endorsement?

Comment 7 Mark J. Cox 2005-03-23 23:27:15 UTC
(Just for clarification: There are lots of exploits in the wild for various
third party web applications, but these are not attacks against the Apache Web
server itself)

Comment 8 Dan Hollis 2005-03-25 22:12:42 UTC
will someone sponsor this then?

Comment 9 Dan Hollis 2005-06-20 09:28:10 UTC
no sponsors for extras? :(

Comment 10 Joe Orton 2005-06-20 09:42:07 UTC
Sorry yes, I'd sponsor this.

Comment 11 Dan Hollis 2005-09-12 21:53:12 UTC
can the resolution be changed to something other than WONTFIX? because obviously
that's _not_ the case, if this package is planned to go into extras.

Comment 12 Bill Nottingham 2005-09-12 21:56:49 UTC
It's WONTFIX in the context for Fedora Core, which is where this bug was filed.

Comment 13 Dan Hollis 2005-09-12 22:07:39 UTC
can it be moved to extras and re-opened? or do i have to enter this bug all over
again?

Comment 14 Bill Nottingham 2005-09-12 22:24:16 UTC
You don't need the bug moved over - just follow the procedure at:

http://fedoraproject.org/wiki/Extras/Contributors


Note You need to log in before you can comment on or make changes to this bug.