Red Hat Bugzilla – Bug 139778
mod_security would be nice
Last modified: 2014-03-16 22:50:36 EDT
Description of problem:
mod_security would be nice to have.
Since Fedora has shifted to a very security-conscious distro (e.g.
SELinux), bundling mod_security makes sense.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install FC3
2. No mod_security module available.
3. Cry :-(
I think this is probably more appropriate for Extras. Perhaps you could package
the module and propose it?
with the focus of fedora on security (selinux etc) it seems to me this is more
appropriate for the core distribution rather than extras, since mod_security
targets exactly that -- apache security.
Deferring to the opinion of the apache guys; if they feel it's more suitable for
Extras, that's good enough for me.
I don't think the parallel with SELinux is really appropriate: SELinux is an
architectural refinement to the security model.
My rationale is simply that inclusion of mod_security in Fedora Core would make
a clear editorial statement that we think the module is a Good Thing and You All
Should Use It; but I'm not really convinced of that.
It's very important to understand the risk trade-off involved with this module:
it adds a chunk of code and complexity, which notably does lots of parsing work.
cc'ing Mark in case he has additional comments.
Tough to call -- mod_security has added one remotely exploitable hole so far,
whereas Apache itself hasn't had any (2.* on Linux). However mod_security would
(and does) catch a lot of the exploits written to take advantage of the flaws in
third party badly-written PHP scripts. My opinion would be to put this into
Extras for now.
openssh has had its share of remotely exploitable vulnerabilities as well,
though i would say overall it's prevented more attacks than it's caused :-)
there are a _lot_ of apache attacks going around these days, i'd hope to see
mod_security more widely used. if it goes in extras, meh. better than nothing i
as for endorsements, does that mean everything in core carries an explicit
(Just for clarification: There are lots of exploits in the wild for various
third party web applications, but these are not attacks against the Apache Web
will someone sponsor this then?
no sponsors for extras? :(
Sorry yes, I'd sponsor this.
can the resolution be changed to something other than WONTFIX? because obviously
that's _not_ the case, if this package is planned to go into extras.
It's WONTFIX in the context for Fedora Core, which is where this bug was filed.
can it be moved to extras and re-opened? or do i have to enter this bug all over
You don't need the bug moved over - just follow the procedure at: