| Message ID | 20230205140002.154492-1-fontaine.fabrice@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/modsecurity2: security bump to version 2.9.7 | expand |
Fabrice, All, On 2023-02-05 15:00 +0100, Fabrice Fontaine spake thusly: > - Fix CVE-2023-24021: Incorrect handling of '\0' bytes in file uploads > in ModSecurity before 2.9.7 may allow for Web Application Firewall > bypasses and buffer overflows on the Web Application Firewall when > executing rules that read the FILES_TMP_CONTENT collection. > - host-pkgconf is mandatory and used to find libxml2 since > https://github.com/SpiderLabs/ModSecurity/commit/baa38ddbaf55a87afecad7a1e1760c69a2689787 > - pcre2 is supported since: > https://github.com/SpiderLabs/ModSecurity/commit/8fc0b519b7a6c023259753a21f33bf3649a25b14 > > https://github.com/SpiderLabs/ModSecurity/blob/v2.9.7/CHANGES > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/modsecurity2/Config.in | 2 +- > package/modsecurity2/modsecurity2.hash | 4 ++-- > package/modsecurity2/modsecurity2.mk | 7 +++---- > 3 files changed, 6 insertions(+), 7 deletions(-) > > diff --git a/package/modsecurity2/Config.in b/package/modsecurity2/Config.in > index 2870386a99..fb1bfc960e 100644 > --- a/package/modsecurity2/Config.in > +++ b/package/modsecurity2/Config.in > @@ -2,7 +2,7 @@ config BR2_PACKAGE_MODSECURITY2 > bool "modsecurity2" > depends on BR2_PACKAGE_APACHE > select BR2_PACKAGE_LIBXML2 > - select BR2_PACKAGE_PCRE > + select BR2_PACKAGE_PCRE2 > help > ModSecurity is an open source, cross-platform web application > firewall (WAF) module. Known as the "Swiss Army Knife" of > diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash > index a19f4823a8..2c77ffd830 100644 > --- a/package/modsecurity2/modsecurity2.hash > +++ b/package/modsecurity2/modsecurity2.hash > @@ -1,5 +1,5 @@ > -# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256 > -sha256 e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e modsecurity-2.9.5.tar.gz > +# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256 > +sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz > > # Locally computed > sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE > diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk > index a1ad8fe5bc..c251291e64 100644 > --- a/package/modsecurity2/modsecurity2.mk > +++ b/package/modsecurity2/modsecurity2.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -MODSECURITY2_VERSION = 2.9.5 > +MODSECURITY2_VERSION = 2.9.7 > MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz > MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION) > MODSECURITY2_LICENSE = Apache-2.0 > @@ -12,11 +12,10 @@ MODSECURITY2_LICENSE_FILES = LICENSE > MODSECURITY2_CPE_ID_VENDOR = trustwave > MODSECURITY2_CPE_ID_PRODUCT = modsecurity > MODSECURITY2_INSTALL_STAGING = YES > -MODSECURITY2_DEPENDENCIES = apache libxml2 pcre > +MODSECURITY2_DEPENDENCIES = host-pkgconf apache libxml2 pcre2 > > MODSECURITY2_CONF_OPTS = \ > - --with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \ > - --with-libxml=$(STAGING_DIR)/usr \ > + --with-pcre2=$(STAGING_DIR)/usr/bin/pcre2-config \ > --with-apr=$(STAGING_DIR)/usr/bin/apr-1-config \ > --with-apu=$(STAGING_DIR)/usr/bin/apu-1-config \ > --with-apxs=$(STAGING_DIR)/usr/bin/apxs \ > -- > 2.39.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > - Fix CVE-2023-24021: Incorrect handling of '\0' bytes in file uploads > in ModSecurity before 2.9.7 may allow for Web Application Firewall > bypasses and buffer overflows on the Web Application Firewall when > executing rules that read the FILES_TMP_CONTENT collection. > - host-pkgconf is mandatory and used to find libxml2 since > https://github.com/SpiderLabs/ModSecurity/commit/baa38ddbaf55a87afecad7a1e1760c69a2689787 > - pcre2 is supported since: > https://github.com/SpiderLabs/ModSecurity/commit/8fc0b519b7a6c023259753a21f33bf3649a25b14 > https://github.com/SpiderLabs/ModSecurity/blob/v2.9.7/CHANGES > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2022.11.x and 2022.02.x, thanks.
diff --git a/package/modsecurity2/Config.in b/package/modsecurity2/Config.in index 2870386a99..fb1bfc960e 100644 --- a/package/modsecurity2/Config.in +++ b/package/modsecurity2/Config.in @@ -2,7 +2,7 @@ config BR2_PACKAGE_MODSECURITY2 bool "modsecurity2" depends on BR2_PACKAGE_APACHE select BR2_PACKAGE_LIBXML2 - select BR2_PACKAGE_PCRE + select BR2_PACKAGE_PCRE2 help ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash index a19f4823a8..2c77ffd830 100644 --- a/package/modsecurity2/modsecurity2.hash +++ b/package/modsecurity2/modsecurity2.hash @@ -1,5 +1,5 @@ -# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256 -sha256 e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e modsecurity-2.9.5.tar.gz +# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256 +sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz # Locally computed sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk index a1ad8fe5bc..c251291e64 100644 --- a/package/modsecurity2/modsecurity2.mk +++ b/package/modsecurity2/modsecurity2.mk @@ -4,7 +4,7 @@ # ################################################################################ -MODSECURITY2_VERSION = 2.9.5 +MODSECURITY2_VERSION = 2.9.7 MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION) MODSECURITY2_LICENSE = Apache-2.0 @@ -12,11 +12,10 @@ MODSECURITY2_LICENSE_FILES = LICENSE MODSECURITY2_CPE_ID_VENDOR = trustwave MODSECURITY2_CPE_ID_PRODUCT = modsecurity MODSECURITY2_INSTALL_STAGING = YES -MODSECURITY2_DEPENDENCIES = apache libxml2 pcre +MODSECURITY2_DEPENDENCIES = host-pkgconf apache libxml2 pcre2 MODSECURITY2_CONF_OPTS = \ - --with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \ - --with-libxml=$(STAGING_DIR)/usr \ + --with-pcre2=$(STAGING_DIR)/usr/bin/pcre2-config \ --with-apr=$(STAGING_DIR)/usr/bin/apr-1-config \ --with-apu=$(STAGING_DIR)/usr/bin/apu-1-config \ --with-apxs=$(STAGING_DIR)/usr/bin/apxs \
- Fix CVE-2023-24021: Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer overflows on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection. - host-pkgconf is mandatory and used to find libxml2 since https://github.com/SpiderLabs/ModSecurity/commit/baa38ddbaf55a87afecad7a1e1760c69a2689787 - pcre2 is supported since: https://github.com/SpiderLabs/ModSecurity/commit/8fc0b519b7a6c023259753a21f33bf3649a25b14 https://github.com/SpiderLabs/ModSecurity/blob/v2.9.7/CHANGES Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/modsecurity2/Config.in | 2 +- package/modsecurity2/modsecurity2.hash | 4 ++-- package/modsecurity2/modsecurity2.mk | 7 +++---- 3 files changed, 6 insertions(+), 7 deletions(-)