Debian Bug report logs - #487431
ITP: libapache-mod-security -- Tighten web applications security for Apache

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Alberto Gonzalez Iniesta <agi@inittab.org>

Date: Sat, 21 Jun 2008 19:24:01 UTC

Owned by: Alberto Gonzalez Iniesta <agi@inittab.org>

Severity: wishlist

Fixed in version libapache-mod-security/2.5.6-1

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, debian-legal@lists.debian.org, <wnpp@debian.org>:
Bug#487431; Package wnpp.

Acknowledgement sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, debian-legal@lists.debian.org, <wnpp@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: debian-legal@lists.debian.org, Ivan Ristic <ivan.ristic@gmail.com>
Subject: ITP: libapache-mod-security2 -- Tighten web applications security for Apache
Date: Sat, 21 Jun 2008 21:21:51 +0200

Package: wnpp
Severity: wishlist
Owner: Alberto Gonzalez Iniesta <agi@inittab.org>

* Package name    : libapache-mod-security2
  Version         : 2.5.x
  Upstream Author : Breach Security, Inc. (http://www.breach.com/)
* URL             : http://www.modsecurity.org/
* License         : GPLv2
  Programming Lang: C
  Description     : Tighten web applications security for Apache

 Mod_security is an Apache 1.x/2.x module whose purpose is to tighten the Web
 application security. Effectively, it is an intrusion detection and prevention
 system for the web server.
 .
 At the moment its main features are:
 * Audit log; store full request details in a separate file, including POST
   payloads.
 * Request filtering; incoming requests can be analysed and offensive requests
   can be rejected (or simply logged, if that is what you want). This feature
   can be used to prevent many types of attacks (e.g. XSS attacks, SQL
   injection, ...) and even allow you to run insecure applications on your
   servers (if you have no other choice, of course).


**********************
** To: debian-legal **
**********************

I'm Cc'ing debian-legal because this package was removed from Debian [1]
due to GPLv2 and Apache licences not being compatible [2][3].
After some threads in upstream's mailing list, great interest from users
and some work from upstream [4], they (upstream) wrote an exception (draft)
in order to get ModSecurity back to Debian [5].

So upstream is basically waiting for the green light from -legal on this
draft so the new release already includes it.

I'm sending this ITP because I understand this exception should solve
the problem and got positive feedback from other DDs. So please, if you
see something wrong with this, talk now or STFU forever :)

Please Cc: me and Ivan since we're not subscribed.

Thanks,

Alberto


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313615
[2] http://www.gnu.org/philosophy/license-list.html#GPLIncompatibleLicenses
[3] http://www.thinkingstone.com/about/legal/licensing-clarifications.html
[4] http://lists.debian.org/debian-legal/2008/01/msg00172.html
[5] http://blog.modsecurity.org/2008/06/modsecurity-lic.html


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25.6 (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
Alberto Gonzalez Iniesta       | They that give up essential liberty
agi@(agi.as|debian.org)        | to obtain a little temporary safety
Encrypted mail preferred       | deserve neither liberty nor safety.
                                               -- Benjamin Franklin
Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#487431; Package wnpp.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Alberto Gonzalez Iniesta <agi@inittab.org>.

Message #10 received at submit@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>, Ivan Ristic <ivan.ristic@gmail.com>
Subject: Re: Bug#487431: ITP: libapache-mod-security2 -- Tighten web applications security for Apache
Date: Mon, 23 Jun 2008 10:56:13 -0500

Alberto Gonzalez Iniesta said [Sat, Jun 21, 2008 at 09:21:51PM +0200]:
>  Mod_security is an Apache 1.x/2.x module whose purpose is to tighten the Web
>  application security. Effectively, it is an intrusion detection and prevention
>  system for the web server.

Umh... As we are no longer distributing Apache 1.x, I'd suggest you
drop the version specification from the long description. Even more,
drop it from the name - It just uglifies the namespace ;-) (BTW, maybe
we could, post-lenny just to avoid breakage, s/apache2/apache/ all of
the related packages?)

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#487431; Package wnpp.

Acknowledgement sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>.

Message #15 received at 487431@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Gunnar Wolf <gwolf@gwolf.org>, 487431@bugs.debian.org
Subject: Re: Bug#487431: ITP: libapache-mod-security2 -- Tighten web applications security for Apache
Date: Tue, 24 Jun 2008 15:22:08 +0200

On Mon, Jun 23, 2008 at 10:56:13AM -0500, Gunnar Wolf wrote:
> Alberto Gonzalez Iniesta said [Sat, Jun 21, 2008 at 09:21:51PM +0200]:
> >  Mod_security is an Apache 1.x/2.x module whose purpose is to tighten the Web
> >  application security. Effectively, it is an intrusion detection and prevention
> >  system for the web server.
> 
> Umh... As we are no longer distributing Apache 1.x, I'd suggest you
> drop the version specification from the long description. Even more,
> drop it from the name - It just uglifies the namespace ;-) (BTW, maybe
> we could, post-lenny just to avoid breakage, s/apache2/apache/ all of
> the related packages?)

Hi Gunnar,

Yes, that was my idea. Dropping the 1.x/2.x versioning and just
mentioning 'Apache module'.

Cheers,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3




Tags added: pending Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 18 Nov 2008 19:06:07 GMT)

Changed Bug title to `ITP: libapache-mod-security -- Tighten web applications security for Apache' from `ITP: libapache-mod-security2 -- Tighten web applications security for Apache'. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Tue, 09 Dec 2008 03:03:29 GMT)

Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Sun, 28 Dec 2008 17:09:03 GMT)

Notification sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug acknowledged by developer. (Sun, 28 Dec 2008 17:09:03 GMT)

Message #24 received at 487431-close@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 487431-close@bugs.debian.org
Subject: Bug#487431: fixed in libapache-mod-security 2.5.6-1
Date: Sun, 28 Dec 2008 16:41:19 +0000

Source: libapache-mod-security
Source-Version: 2.5.6-1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-security, which is due to be installed in the Debian FTP archive:

libapache-mod-security_2.5.6-1.diff.gz
  to pool/main/liba/libapache-mod-security/libapache-mod-security_2.5.6-1.diff.gz
libapache-mod-security_2.5.6-1.dsc
  to pool/main/liba/libapache-mod-security/libapache-mod-security_2.5.6-1.dsc
libapache-mod-security_2.5.6-1_i386.deb
  to pool/main/liba/libapache-mod-security/libapache-mod-security_2.5.6-1_i386.deb
libapache-mod-security_2.5.6.orig.tar.gz
  to pool/main/liba/libapache-mod-security/libapache-mod-security_2.5.6.orig.tar.gz
mod-security-common_2.5.6-1_all.deb
  to pool/main/liba/libapache-mod-security/mod-security-common_2.5.6-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated libapache-mod-security package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Aug 2008 13:31:56 +0200
Source: libapache-mod-security
Binary: libapache-mod-security mod-security-common
Architecture: source all i386
Version: 2.5.6-1
Distribution: unstable
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 libapache-mod-security - Tighten web applications security for Apache
 mod-security-common - Tighten web applications security - common files
Closes: 487431
Changes: 
 libapache-mod-security (2.5.6-1) unstable; urgency=low
 .
   * The 'Back to the archive!' Release (Closes: #487431)
   * Drop '2' from package name, now libapache-mod-security
   * New upstream release
     - Includes a new licensing exception that allows binary
       distribution with licenses not compatible with GPLv2,
       such as Apache's. See MODSECURITY_LICENSING_EXCEPTION
   * Removed debian/bug and debian/rules entry to install bug
     handling when out of the archive.
   * Bumped Standards-Version to 3.8.0.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkki7ksACgkQxRSvjkukAcNJ9QCg9yMd/GqeUk7TFB9CesgMp8TU
0aYAoJD815W77xLwvUeIMpllW8AxIq8V
=EK4j
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Jan 2009 07:28:57 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:07:32 2014; Machine Name: beach.debian.org