@@ -1,3 +1,5 @@
+# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256
+sha256 e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e modsecurity-2.9.5.tar.gz
+
# Locally computed
-sha256 686695c650449a338757711254ea78c67dedb1d258e03e5c8686f869388fff8c modsecurity2-2.9.4.tar.gz
sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE
@@ -4,15 +4,15 @@
#
################################################################################
-MODSECURITY2_VERSION = 2.9.4
-MODSECURITY2_SITE = $(call github,SpiderLabs,ModSecurity,v$(MODSECURITY2_VERSION))
+MODSECURITY2_VERSION = 2.9.5
+MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz
+MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
MODSECURITY2_LICENSE = Apache-2.0
MODSECURITY2_LICENSE_FILES = LICENSE
MODSECURITY2_CPE_ID_VENDOR = trustwave
MODSECURITY2_CPE_ID_PRODUCT = modsecurity
MODSECURITY2_INSTALL_STAGING = YES
MODSECURITY2_DEPENDENCIES = apache libxml2 pcre
-MODSECURITY2_AUTORECONF = YES
MODSECURITY2_CONF_OPTS = \
--with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \
- Fix CVE-2021-42717: ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. - Use official tarball and so drop autoreconf Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/modsecurity2/modsecurity2.hash | 4 +++- package/modsecurity2/modsecurity2.mk | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-)