Fixes the following security issues:

- CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is application/json, and there is at least one rule which does a sanitiseMatchedBytes action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.

For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-47947
- https://github.com/owasp-modsecurity/ModSecurity/pull/3389

- CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.

For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-48866
- 3a54ccea62

For more details on the version bump, see:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10

Also, this patch changes the _SOURCE variable, which now includes a 'v' prefixing the version.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: update hash source url in hash file comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3d593a8144)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
29 lines
981 B
Makefile
################################################################################
#
# modsecurity2
#
################################################################################

MODSECURITY2_VERSION = 2.9.10
MODSECURITY2_SOURCE = modsecurity-v$(MODSECURITY2_VERSION).tar.gz
MODSECURITY2_SITE = https://github.com/owasp-modsecurity/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
MODSECURITY2_LICENSE = Apache-2.0
MODSECURITY2_LICENSE_FILES = LICENSE
MODSECURITY2_CPE_ID_VENDOR = trustwave
MODSECURITY2_CPE_ID_PRODUCT = modsecurity
MODSECURITY2_INSTALL_STAGING = YES
MODSECURITY2_DEPENDENCIES = host-pkgconf apache libxml2 pcre2

MODSECURITY2_CONF_OPTS = \
	--with-pcre2=$(STAGING_DIR)/usr/bin/pcre2-config \
	--with-apr=$(STAGING_DIR)/usr/bin/apr-1-config \
	--with-apu=$(STAGING_DIR)/usr/bin/apu-1-config \
	--with-apxs=$(STAGING_DIR)/usr/bin/apxs \
	--without-curl \
	--without-lua \
	--without-pcre \
	--without-yajl \
	--without-ssdeep

$(eval $(autotools-package))
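
As an added illustration (not part of this commit, Buildroot, or ModSecurity): a rule-file audit that flags the actions named in the two CVEs for a given installed version, which is one way to check the `sanitiseArg` workaround described for CVE-2025-48866. The sample rules and the names `FIXED_IN`, `logical_lines` and `audit` are constructed for this example, and matching the z-spelling of `sanitiseMatchedBytes` is an assumption.

```python
import re

# Action -> (CVE, first fixed version), as stated in the commit message.
FIXED_IN = {
    "sanitisematchedbytes": ("CVE-2025-47947", (2, 9, 9)),
    "sanitisearg": ("CVE-2025-48866", (2, 9, 10)),
}
# Assumption: the z-spelling of sanitiseMatchedBytes is matched too, by
# analogy with the sanitiseArg/sanitizeArg alias the message describes.
ACTION_RE = re.compile(r"\b(saniti[sz]e(?:MatchedBytes|Arg))\b", re.IGNORECASE)

SAMPLE_RULES = r'''# constructed sample rules, not from the page
SecAction "id:1001,phase:2,nolog,pass,\
    sanitizeArg:password"
SecRule ARGS "@verifyCC \d{13,16}" \
    "id:1002,phase:2,capture,pass,nolog,sanitiseMatchedBytes:1/4"
SecRule REQUEST_URI "@contains /admin" "id:1003,phase:1,deny"
'''

def logical_lines(text):
    """Yield (first_line_no, rule) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment outside a directive
        start = start or no
        buf.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)

def audit(rules_text, version):
    """Return [(line_no, action, cve)] for rules that matter on `version`."""
    # Compare as integer tuples: as strings, "2.9.10" sorts before "2.9.9".
    installed = tuple(int(part) for part in version.split("."))
    findings = []
    for no, rule in logical_lines(rules_text):
        for match in ACTION_RE.finditer(rule):
            key = match.group(1).lower().replace("sanitize", "sanitise")
            cve, fixed = FIXED_IN[key]
            if installed < fixed:
                findings.append((no, match.group(1), cve))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_RULES, "2.9.7"), sep="\n")
```

On 2.9.9 only the `sanitizeArg` rule is still reported, which matches the message: the first issue is fixed in 2.9.9 and the second in 2.9.10.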