From: Julien Olivain via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org, "Hervé Codina" <herve.codina@bootlin.com>
Subject: Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
Date: Mon, 30 Jun 2025 21:55:02 +0200 [thread overview]
Message-ID: <03bf5021322d2d422473d1934736b17b@free.fr> (raw)
In-Reply-To: <20250630072423.1126928-1-thomas.perale@mind.be>
On 30/06/2025 09:24, Thomas Perale via buildroot wrote:
> Fixes the following security issues:
>
> - CVE 2025-47947: Versions up to and including 2.9.8 are vulnerable to
> denial of service in one special case (in stable released versions):
> when the payload's content type is application/json, and there is at
> least one rule which does a sanitiseMatchedBytes action. A patch is
> available at pull request 3389 and expected to be part of version
> 2.9.9. No known workarounds are available.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
> - https://github.com/owasp-modsecurity/ModSecurity/pull/3389
>
> - CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
> vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
> `sanitiseArg` (and `sanitizeArg` - this is the same action but an
> alias) is vulnerable to adding an excessive number of arguments,
> thereby leading to denial of service. Version 2.9.10 fixes the issue.
> As a workaround, avoid using rules that contain the `sanitiseArg` (or
> `sanitizeArg`) action.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
> -
> https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
>
> For more details on the version bump, see:
> -
> https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
> -
> https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
> -
> https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
>
> Also this patch change the _SOURCE variable that now include a 'v'
> prefixing the version.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to master, thanks.
For info, I also updated the hash source url in hash file comment. See:
https://gitlab.com/buildroot.org/buildroot/-/commit/3d593a8144ad8890dae4ab6fd235eef700d3c144
Best regards,
Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2025-06-30 19:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-30 7:24 [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10 Thomas Perale via buildroot
2025-06-30 19:55 ` Julien Olivain via buildroot [this message]
2025-07-03 10:33 ` Herve Codina via buildroot
2025-07-03 14:38 ` Thomas Perale via buildroot
2025-07-03 15:26 ` Herve Codina via buildroot
2025-07-11 10:44 ` Thomas Perale via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03bf5021322d2d422473d1934736b17b@free.fr \
--to=buildroot@buildroot.org \
--cc=herve.codina@bootlin.com \
--cc=ju.o@free.fr \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox