Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b57939e61959923180c40aeda7700ee62ef95113
rpi-buildroot/package/modsecurity2/modsecurity2.hash
Thomas Perale 288d63bfcd package/modsecurity2: security bump to v2.9.10 
Fixes the following security issues:

- CVE 2025-47947: Versions up to and including 2.9.8 are vulnerable to
  denial of service in one special case (in stable released versions):
  when the payload's content type is application/json, and there is at
  least one rule which does a sanitiseMatchedBytes action. A patch is
  available at pull request 3389 and expected to be part of version
  2.9.9. No known workarounds are available.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
  - https://github.com/owasp-modsecurity/ModSecurity/pull/3389

- CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
  vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
  `sanitiseArg` (and `sanitizeArg` - this is the same action but an
  alias) is vulnerable to adding an excessive number of arguments,
  thereby leading to denial of service. Version 2.9.10 fixes the issue.
  As a workaround, avoid using rules that contain the `sanitiseArg` (or
  `sanitizeArg`) action.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
  - 3a54ccea62

For more details on the version bump, see:
  - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
  - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
  - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10

Also this patch change the _SOURCE variable that now include a 'v'
prefixing the version.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: update hash source url in hash file comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3d593a8144)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-07-10 11:14:32 +02:00

6 lines
319 B
Plaintext
Raw Blame History

# From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.10/modsecurity-v2.9.10.tar.gz.sha256
sha256 081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53 modsecurity-v2.9.10.tar.gz
# Locally computed
sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE
Reference in New Issue View Git Blame Copy Permalink