Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
096589bd59f3f8e827754d43ad01dcdc406cc27f
rpi-buildroot/package/modsecurity2/modsecurity2.mk
Titouan Christophe 06c3e6444a package/modsecurity2: security bump to v2.9.12 
See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12

This fixes the following vulnerabilities:
- CVE-2025-52891:
    ModSecurity is an open source, cross platform web application firewall
    (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
    2.9.11, an empty XML tag can cause a segmentation fault. If
    SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
    application/xml, and at least one XML tag is empty (eg <foo></foo>),
    then a segmentation fault occurs. This issue has been patched in
    version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
    Off.
    https://www.cve.org/CVERecord?id=CVE-2025-52891

- CVE-2025-54571:
    ModSecurity is an open source, cross platform web application firewall
    (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
    an attacker can override the HTTP response’s Content-Type, which could
    lead to several issues depending on the HTTP scenario. For example, we
    have demonstrated the potential for XSS and arbitrary script source
    code disclosure in the latest version of mod_security2. This issue is
    fixed in version 2.9.12.
    https://www.cve.org/CVERecord?id=CVE-2025-54571

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 684462bbe8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-10-30 08:55:51 +01:00

29 lines
977 B
Makefile
Raw Blame History

################################################################################
#
# modsecurity2
#
################################################################################
MODSECURITY2_VERSION = 2.9.12
MODSECURITY2_SOURCE = modsecurity-v$(MODSECURITY2_VERSION).tar.gz
MODSECURITY2_SITE = https://github.com/owasp-modsecurity/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
MODSECURITY2_LICENSE = Apache-2.0
MODSECURITY2_LICENSE_FILES = LICENSE
MODSECURITY2_CPE_ID_VENDOR = owasp
MODSECURITY2_CPE_ID_PRODUCT = modsecurity
MODSECURITY2_INSTALL_STAGING = YES
MODSECURITY2_DEPENDENCIES = host-pkgconf apache libxml2 pcre2
MODSECURITY2_CONF_OPTS = \
--with-pcre2=$(STAGING_DIR)/usr/bin/pcre2-config \
--with-apr=$(STAGING_DIR)/usr/bin/apr-1-config \
--with-apu=$(STAGING_DIR)/usr/bin/apu-1-config \
--with-apxs=$(STAGING_DIR)/usr/bin/apxs \
--without-curl \
--without-lua \
--without-pcre \
--without-yajl \
--without-ssdeep
$(eval $(autotools-package))
Reference in New Issue View Git Blame Copy Permalink