Bug 139778 - mod_security would be nice
Product: Fedora
Classification: Fedora
Component: distribution
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Bill Nottingham
Keywords: FutureFeature
Reported: 2004-11-17 18:43 EST by Dan Hollis
Modified: 2014-03-16 22:50 EDT
Doc Type: Enhancement
Last Closed: 2005-03-21 09:54:52 EST

Description Dan Hollis 2004-11-17 18:43:49 EST
Description of problem:
mod_security would be nice to have.

Since Fedora has shifted to a very security-conscious distro (e.g.
SELinux), bundling mod_security makes sense.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install FC3
2. No mod_security module available.
3. Cry :-(

Actual results:

Expected results:

Additional info:
Comment 1 Joe Orton 2005-03-21 09:54:52 EST
I think this is probably more appropriate for Extras.  Perhaps you could package
the module and propose it?
Comment 2 Dan Hollis 2005-03-23 15:24:28 EST
with the focus of fedora on security (selinux etc) it seems to me this is more
appropriate for the core distribution rather than extras. since mod_security
targets exactly that -- apache security.
Comment 3 Bill Nottingham 2005-03-23 15:49:17 EST
Deferring to the opinion of the apache guys; if they feel it's more suitable for
Extras, that's good enough for me.
Comment 4 Joe Orton 2005-03-23 16:43:18 EST
I don't think the parallel with SELinux is really appropriate: SELinux is an
architectural refinement to the security model.

My rationale is simply that inclusion of mod_security in Fedora Core would make
a clear editorial statement that we think the module is a Good Thing and You All
Should Use It; but I'm not really convinced of that.

It's very important to understand the risk trade-off involved with this module:
it adds a chunk of code and complexity, which notably does lots of parsing work.

cc'ing Mark in case he has additional comments.
Comment 5 Mark J. Cox 2005-03-23 16:51:12 EST
Tough to call -- mod_security has added one remotely exploitable hole so far,
whereas Apache itself hasn't had any (2.* on Linux).  However mod_security would
(and does) catch a lot of the exploits written to take advantage of the flaws in
third party badly-written PHP scripts.  My opinion would be to put this into
Extras for now.
Comment 6 Dan Hollis 2005-03-23 17:33:50 EST
openssh has had its share of remotely exploitable vulnerabilities as well,
though i would say overall it's prevented more attacks than it's caused :-)

there are a _lot_ of apache attacks going around these days, i'd hope to see
mod_security more widely used. if it goes in extras, meh. better than nothing i

as for endorsements, does that mean everything in core carries an explicit
Comment 7 Mark J. Cox 2005-03-23 18:27:15 EST
(Just for clarification: There are lots of exploits in the wild for various
third party web applications, but these are not attacks against the Apache Web
server itself)
Comment 8 Dan Hollis 2005-03-25 17:12:42 EST
will someone sponsor this then?
Comment 9 Dan Hollis 2005-06-20 05:28:10 EDT
no sponsors for extras? :(
Comment 10 Joe Orton 2005-06-20 05:42:07 EDT
Sorry yes, I'd sponsor this.
Comment 11 Dan Hollis 2005-09-12 17:53:12 EDT
can the resolution be changed to something other than WONTFIX? because obviously
that's _not_ the case, if this package is planned to go into extras.
Comment 12 Bill Nottingham 2005-09-12 17:56:49 EDT
It's WONTFIX in the context for Fedora Core, which is where this bug was filed.
Comment 13 Dan Hollis 2005-09-12 18:07:39 EDT
can it be moved to extras and re-opened? or do i have to enter this bug all over
Comment 14 Bill Nottingham 2005-09-12 18:24:16 EDT
You don't need the bug moved over - just follow the procedure at:

