Description of problem: mod_security would be nice to have. Since Fedora has shifted to a very security-conscious distro (e.g. SELinux), bundling mod_security makes sense.
Version-Release number of selected component (if applicable): N/A
How reproducible: Always
Steps to Reproduce:
1. Install FC3
2. No mod_security module available.
3. Cry :-(
Actual results: N/A
Expected results: N/A
Additional info: http://www.modsecurity.org/
I think this is probably more appropriate for Extras. Perhaps you could package the module and propose it?
With the focus of Fedora on security (SELinux etc.) it seems to me this is more appropriate for the core distribution rather than Extras, since mod_security targets exactly that -- Apache security.
Deferring to the opinion of the apache guys; if they feel it's more suitable for Extras, that's good enough for me.
I don't think the parallel with SELinux is really appropriate: SELinux is an architectural refinement to the security model. My rationale is simply that inclusion of mod_security in Fedora Core would make a clear editorial statement that we think the module is a Good Thing and You All Should Use It; but I'm not really convinced of that. It's very important to understand the risk trade-off involved with this module: it adds a chunk of code and complexity, which notably does lots of parsing work. cc'ing Mark in case he has additional comments.
Tough to call -- mod_security has added one remotely exploitable hole so far, whereas Apache itself hasn't had any (2.* on Linux). However mod_security would (and does) catch a lot of the exploits written to take advantage of the flaws in third party badly-written PHP scripts. My opinion would be to put this into Extras for now.
OpenSSH has had its share of remotely exploitable vulnerabilities as well, though I would say overall it's prevented more attacks than it's caused :-) There are a _lot_ of Apache attacks going around these days; I'd hope to see mod_security more widely used. If it goes in Extras, meh. Better than nothing I guess. As for endorsements, does that mean everything in core carries an explicit endorsement?
(Just for clarification: There are lots of exploits in the wild for various third party web applications, but these are not attacks against the Apache Web server itself)
Will someone sponsor this then?
No sponsors for Extras? :(
Sorry yes, I'd sponsor this.
Can the resolution be changed to something other than WONTFIX? Because obviously that's _not_ the case, if this package is planned to go into Extras.
It's WONTFIX in the context for Fedora Core, which is where this bug was filed.
Can it be moved to Extras and re-opened? Or do I have to enter this bug all over again?
You don't need the bug moved over - just follow the procedure at: http://fedoraproject.org/wiki/Extras/Contributors