
[2/2] package/modsecurity2: security bump to version 2.9.5

Message ID 20211217212145.99516-1-fontaine.fabrice@gmail.com
State Accepted
Series [1/2] package/modsecurity2: add CPE variables | expand

Commit Message

Fabrice Fontaine Dec. 17, 2021, 9:21 p.m. UTC
- Fix CVE-2021-42717: ModSecurity 3.x through 3.0.5 mishandles
  excessively nested JSON objects. Crafted JSON objects with nesting
  tens-of-thousands deep could result in the web server being unable to
  service legitimate requests. Even a moderately large (e.g., 300KB)
  HTTP request can occupy one of the limited NGINX worker processes for
  minutes and consume almost all of the available CPU on the machine.
  ModSecurity 2 is similarly vulnerable: the affected versions include
  2.8.0 through 2.9.4.
- Use the official release tarball, and so drop autoreconf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/modsecurity2/modsecurity2.hash | 4 +++-
 package/modsecurity2/modsecurity2.mk   | 6 +++---
 2 files changed, 6 insertions(+), 4 deletions(-)

Patch

diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
index 1501b5642e..a19f4823a8 100644
--- a/package/modsecurity2/modsecurity2.hash
+++ b/package/modsecurity2/modsecurity2.hash
@@ -1,3 +1,5 @@ 
+# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256
+sha256  e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e  modsecurity-2.9.5.tar.gz
+
 # Locally computed
-sha256  686695c650449a338757711254ea78c67dedb1d258e03e5c8686f869388fff8c  modsecurity2-2.9.4.tar.gz
 sha256  2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9  LICENSE
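Review bot: The tarball hash on the new `sha256` line is copied from a `.sha256` file served from the same GitHub release page that hosts the tarball itself, so it confirms the download matches what upstream published but provides no verification independent of that host. Recording the source URL in the comment above it is the right way to document provenance, and it is the usual Buildroot practice; just be aware that anyone who can replace the release assets can replace both files consistently. If upstream publishes a detached signature for the release, checking the recorded hash against the signed artifact before committing it would close that gap; nothing in the hunk indicates whether that was done.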
diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk
index 5d91818ade..a1ad8fe5bc 100644
--- a/package/modsecurity2/modsecurity2.mk
+++ b/package/modsecurity2/modsecurity2.mk
@@ -4,15 +4,15 @@ 
 #
 ################################################################################
 
-MODSECURITY2_VERSION = 2.9.4
-MODSECURITY2_SITE = $(call github,SpiderLabs,ModSecurity,v$(MODSECURITY2_VERSION))
+MODSECURITY2_VERSION = 2.9.5
+MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz
+MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
 MODSECURITY2_LICENSE = Apache-2.0
 MODSECURITY2_LICENSE_FILES = LICENSE
 MODSECURITY2_CPE_ID_VENDOR = trustwave
 MODSECURITY2_CPE_ID_PRODUCT = modsecurity
 MODSECURITY2_INSTALL_STAGING = YES
 MODSECURITY2_DEPENDENCIES = apache libxml2 pcre
-MODSECURITY2_AUTORECONF = YES
 
 MODSECURITY2_CONF_OPTS = \
 	--with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \
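Review bot: Removing `MODSECURITY2_AUTORECONF = YES` means the build now trusts the configure script and other generated autotools output that presumably ships inside the release tarball instead of regenerating it from the sources at the v2.9.5 tag, so the recorded hash pins upstream's generated files as well as the tagged code. That is the normal trade-off when moving from the GitHub auto-generated archive to an official release tarball, but the reason is only in the commit message; a comment next to the new `MODSECURITY2_SOURCE` line such as `# Official release tarball ships generated autotools output, so no autoreconf is needed` would keep it visible to whoever does the next bump. The `MODSECURITY2_CONF_OPTS` definition continues beyond the end of the hunk.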