diff mbox series

[1/1] package/libmodsecurity: security bump to version 3.0.10

Message ID 20230823145300.1499071-1-frank.vanbever@mind.be
State Accepted
Headers show
Series [1/1] package/libmodsecurity: security bump to version 3.0.10 | expand

Commit Message

Frank Vanbever Aug. 23, 2023, 2:53 p.m. UTC 
- Fixes CVE-2023-38285 [1]
- Adapted 0001-configure.ac-drop-usage-of-git-at-configure-time.patch due to
  upstream moving to autoconf portable shell constructs.
- Added missing Upstream comments

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
---
 .checkpackageignore                           |  2 --
 ...-drop-usage-of-git-at-configure-time.patch | 19 +++++++++++--------
 .../0002-modsecurity.pc.in-add-lstdc.patch    |  7 +++++--
 package/libmodsecurity/libmodsecurity.hash    |  4 ++--
 package/libmodsecurity/libmodsecurity.mk      |  2 +-
 5 files changed, 19 insertions(+), 15 deletions(-)

Comments

Thomas Petazzoni Aug. 24, 2023, 6:56 p.m. UTC | #1 
Hello Frank,

On Wed, 23 Aug 2023 16:53:00 +0200
Frank Vanbever via buildroot <buildroot@buildroot.org> wrote:

> - Fixes CVE-2023-38285 [1]
> - Adapted 0001-configure.ac-drop-usage-of-git-at-configure-time.patch due to
>   upstream moving to autoconf portable shell constructs.
> - Added missing Upstream comments

I've applied to master, but after dropping this part. Indeed, I think
adding "Upstream: N/A" to "resolve" the checkpackage warning is really
not useful. What's useful is to submit the patches upstream :-)

Thanks!

Thomas
Peter Korsgaard Sept. 13, 2023, 3:57 p.m. UTC | #2 
>>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> writes:

 > - Fixes CVE-2023-38285 [1]
 > - Adapted 0001-configure.ac-drop-usage-of-git-at-configure-time.patch due to
 >   upstream moving to autoconf portable shell constructs.
 > - Added missing Upstream comments

 > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

 > [1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

 > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

Committed to 2023.02.x and 2023.05.x, thanks.
diff mbox series

Patch

diff --git a/.checkpackageignore b/.checkpackageignore
index e5c06b1e0a..4903088d46 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -729,8 +729,6 @@  package/libmad/0001-mips-h-constraint-removal.patch Sob Upstream
 package/libmad/0002-configure-ac-automake-foreign.patch Upstream
 package/libmanette/0001-Meson-Un-hardcode-building-a-shared-library.patch Upstream
 package/libmng/0001-jpeg-9a.patch Upstream
-package/libmodsecurity/0001-configure.ac-drop-usage-of-git-at-configure-time.patch Upstream
-package/libmodsecurity/0002-modsecurity.pc.in-add-lstdc.patch Upstream
 package/libmpd/0001-Fix-build-on-archlinux-missing-include.patch Upstream
 package/libmpeg2/0001-altivec.patch Upstream
 package/libmpeg2/0002-armv4l.patch Upstream
diff --git a/package/libmodsecurity/0001-configure.ac-drop-usage-of-git-at-configure-time.patch b/package/libmodsecurity/0001-configure.ac-drop-usage-of-git-at-configure-time.patch
index 14767fb28e..d3be6cb36e 100644
--- a/package/libmodsecurity/0001-configure.ac-drop-usage-of-git-at-configure-time.patch
+++ b/package/libmodsecurity/0001-configure.ac-drop-usage-of-git-at-configure-time.patch
@@ -1,4 +1,4 @@ 
-From a2116312068b6b2c5732dfebde19b751cc81d4f3 Mon Sep 17 00:00:00 2001
+From d242b011a8f0d84781bbf7667a44a12646903ca4 Mon Sep 17 00:00:00 2001
 From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 Date: Sun, 1 Aug 2021 23:21:35 +0200
 Subject: [PATCH] configure.ac: drop usage of git at configure time
@@ -7,13 +7,16 @@  The usage of git is only to print some messages at configure time,
 which is not very useful, and causes a significant number of warning
 when regenerating the configure script.
 
+Upstream: N/A
+
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
 ---
  configure.ac | 23 -----------------------
  1 file changed, 23 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 20163e1e..14e5892a 100644
+index 66d6f4f2..746b1fb4 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -3,7 +3,6 @@
@@ -46,7 +49,7 @@  index 20163e1e..14e5892a 100644
  
  
  # Check for yajl
-@@ -217,10 +208,6 @@ AC_SUBST([MSC_VERSION_WITH_PATCHLEVEL])
+@@ -224,10 +215,6 @@ AC_SUBST([MSC_VERSION_WITH_PATCHLEVEL])
  MSC_VERSION=msc_version
  AC_SUBST([MSC_VERSION])
  
@@ -55,9 +58,9 @@  index 20163e1e..14e5892a 100644
 -
 -
  AC_ARG_ENABLE(debug-logs,
-     [AC_HELP_STRING([--disable-debug-logs],[Turn off the SecDebugLog feature])],
+     [AS_HELP_STRING([--disable-debug-logs],[Turn off the SecDebugLog feature])],
  
-@@ -412,16 +399,6 @@ AC_OUTPUT
+@@ -419,16 +406,6 @@ AC_OUTPUT
  
  
  # Print a fancy summary
@@ -66,14 +69,14 @@  index 20163e1e..14e5892a 100644
 -echo "ModSecurity - ${MSC_GIT_VERSION} for $PLATFORM"
 -echo " "
 -echo " Mandatory dependencies"
--echo -n "   + libInjection                                  ...."
+-AS_ECHO_N("   + libInjection                                  ....")
 -echo LIBINJECTION_VERSION
--echo -n "   + SecLang tests                                 ...."
+-AS_ECHO_N("   + SecLang tests                                 ....")
 -echo SECLANG_TEST_VERSION
 -
  echo " "
  echo " Optional dependencies"
  
 -- 
-2.31.1
+2.39.2
 
diff --git a/package/libmodsecurity/0002-modsecurity.pc.in-add-lstdc.patch b/package/libmodsecurity/0002-modsecurity.pc.in-add-lstdc.patch
index 6511e6f1e0..723df338d6 100644
--- a/package/libmodsecurity/0002-modsecurity.pc.in-add-lstdc.patch
+++ b/package/libmodsecurity/0002-modsecurity.pc.in-add-lstdc.patch
@@ -1,4 +1,4 @@ 
-From 1a84881b280eb08852d5495c57e44351a40d3f91 Mon Sep 17 00:00:00 2001
+From 4129643d657b5d0cce83f9ec4ca27289fd69ec43 Mon Sep 17 00:00:00 2001
 From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 Date: Mon, 26 Jul 2021 00:24:57 +0200
 Subject: [PATCH] modsecurity.pc.in: add -lstdc++
@@ -12,7 +12,10 @@  transaction.cc:(.text+0x40): undefined reference to `std::__cxx11::basic_string<
 Fixes:
  - http://autobuild.buildroot.org/results/e5a9eb8448980f1c5cafe97180b7d1f48ddf02ca
 
+Upstream: N/A
+
 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
 ---
  modsecurity.pc.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
@@ -28,5 +31,5 @@  index 96cdf5ca..7c895ddc 100644
 -Libs.private: @CURL_LDADD@ @GEOIP_LDADD@ @MAXMIND_LDADD@ @GLOBAL_LDADD@ @LIBXML2_LDADD@ @LMDB_LDADD@ @LUA_LDADD@ @PCRE_LDADD@ @SSDEEP_LDADD@ @YAJL_LDADD@
 +Libs.private: @CURL_LDADD@ @GEOIP_LDADD@ @MAXMIND_LDADD@ @GLOBAL_LDADD@ @LIBXML2_LDADD@ @LMDB_LDADD@ @LUA_LDADD@ @PCRE_LDADD@ @SSDEEP_LDADD@ @YAJL_LDADD@ -lstdc++
 -- 
-2.30.2
+2.39.2
 
diff --git a/package/libmodsecurity/libmodsecurity.hash b/package/libmodsecurity/libmodsecurity.hash
index c79ae1cf45..7bcf99e167 100644
--- a/package/libmodsecurity/libmodsecurity.hash
+++ b/package/libmodsecurity/libmodsecurity.hash
@@ -1,4 +1,4 @@ 
-# From https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.9/modsecurity-v3.0.9.tar.gz.sha256
-sha256  a5111ecd23e332a1d7c9652dbdb18517a96b21573315cb887a8e86761b95d3d8  modsecurity-v3.0.9.tar.gz
+# From https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.10/modsecurity-v3.0.10.tar.gz.sha256
+sha256  d5d459f7c2e57a69a405f3222d8e285de419a594b0ea8829058709962227ead0  modsecurity-v3.0.10.tar.gz
 # Localy calculated
 sha256  c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  LICENSE
diff --git a/package/libmodsecurity/libmodsecurity.mk b/package/libmodsecurity/libmodsecurity.mk
index 335f3a41e5..257f0a56df 100644
--- a/package/libmodsecurity/libmodsecurity.mk
+++ b/package/libmodsecurity/libmodsecurity.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBMODSECURITY_VERSION = 3.0.9
+LIBMODSECURITY_VERSION = 3.0.10
 LIBMODSECURITY_SOURCE = modsecurity-v$(LIBMODSECURITY_VERSION).tar.gz
 LIBMODSECURITY_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(LIBMODSECURITY_VERSION)
 LIBMODSECURITY_INSTALL_STAGING = YES