From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id DE98CC636CD for ; Sun, 5 Feb 2023 14:27:52 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 840BD40135; Sun, 5 Feb 2023 14:27:52 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 840BD40135 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z9nokYX_TGa5; Sun, 5 Feb 2023 14:27:51 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id BB7EB4012F; Sun, 5 Feb 2023 14:27:50 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org BB7EB4012F Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 0D5A11BF475 for ; Sun, 5 Feb 2023 14:27:49 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id E7B1C4176C for ; Sun, 5 Feb 2023 14:27:48 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org E7B1C4176C X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpphlqqUMxVA for ; Sun, 5 Feb 2023 14:27:47 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 63C124176A Received: from smtp3-g21.free.fr (smtp3-g21.free.fr [IPv6:2a01:e0c:1:1599::12]) by smtp4.osuosl.org (Postfix) with ESMTPS id 63C124176A for ; Sun, 5 Feb 2023 14:27:47 +0000 (UTC) Received: from ymorin.is-a-geek.org (unknown [92.184.112.201]) (Authenticated sender: yann.morin.1998@free.fr) by smtp3-g21.free.fr (Postfix) with ESMTPSA id D99C713F88E; Sun, 5 Feb 2023 15:27:41 +0100 (CET) Received: by ymorin.is-a-geek.org (sSMTP sendmail emulation); Sun, 05 Feb 2023 15:27:40 +0100 Date: Sun, 5 Feb 2023 15:27:40 +0100 From: "Yann E. MORIN" To: Fabrice Fontaine Message-ID: <20230205142740.GK2960@scaer> References: <20230205140002.154492-1-fontaine.fabrice@gmail.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20230205140002.154492-1-fontaine.fabrice@gmail.com> User-Agent: Mutt/1.5.22 (2013-10-16) X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=free.fr; s=smtp-20201208; t=1675607265; bh=fRjszyA5cYC6XQ/NRWzbA4QDcyFEqd9axzec52ND65s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=osNoVHJHWsA7IZu8xiL9q0PXbJhxdDd8/KOfGFIq1CDSQOoGbAuPEDfSkWT77/G4L X3EKe+Llp1me9HEH2/mOVlbuy7OYMGRSEPKTuj13XEKmYd9+EwBj7amBroILsFY3j2 TC3FRtghfHQZHjoUVoRdpTcy5trYElasp3rfgX6H7CYltSGsTUwIG3a/w7a2L6NmGe SQONxAkdfgANDWCnPP3WMOZ7EDAxWScDw6QtBgucUFHrOYqrL5CPpew9UnzfIvichP BKRmnQZBWE3ODrkmAUfPudqgmU0jAJRFMtKwUd0eD/VBfGwSyQBCpu3JcDukACAxbH 3zuZBcuiztnCw== X-Mailman-Original-Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=free.fr header.i=@free.fr header.a=rsa-sha256 header.s=smtp-20201208 header.b=osNoVHJH Subject: Re: [Buildroot] [PATCH 1/1] package/modsecurity2: security bump to version 2.9.7 X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: =?utf-8?B?SGVydsOp?= Codina , buildroot@buildroot.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" Fabrice, All, On 2023-02-05 15:00 +0100, Fabrice Fontaine spake thusly: > - Fix CVE-2023-24021: Incorrect handling of '\0' bytes in file uploads > in ModSecurity before 2.9.7 may allow for Web Application Firewall > bypasses and buffer overflows on the Web Application Firewall when > executing rules that read the FILES_TMP_CONTENT collection. > - host-pkgconf is mandatory and used to find libxml2 since > https://github.com/SpiderLabs/ModSecurity/commit/baa38ddbaf55a87afecad7a1e1760c69a2689787 > - pcre2 is supported since: > https://github.com/SpiderLabs/ModSecurity/commit/8fc0b519b7a6c023259753a21f33bf3649a25b14 > > https://github.com/SpiderLabs/ModSecurity/blob/v2.9.7/CHANGES > > Signed-off-by: Fabrice Fontaine Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/modsecurity2/Config.in | 2 +- > package/modsecurity2/modsecurity2.hash | 4 ++-- > package/modsecurity2/modsecurity2.mk | 7 +++---- > 3 files changed, 6 insertions(+), 7 deletions(-) > > diff --git a/package/modsecurity2/Config.in b/package/modsecurity2/Config.in > index 2870386a99..fb1bfc960e 100644 > --- a/package/modsecurity2/Config.in > +++ b/package/modsecurity2/Config.in > @@ -2,7 +2,7 @@ config BR2_PACKAGE_MODSECURITY2 > bool "modsecurity2" > depends on BR2_PACKAGE_APACHE > select BR2_PACKAGE_LIBXML2 > - select BR2_PACKAGE_PCRE > + select BR2_PACKAGE_PCRE2 > help > ModSecurity is an open source, cross-platform web application > firewall (WAF) module. Known as the "Swiss Army Knife" of > diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash > index a19f4823a8..2c77ffd830 100644 > --- a/package/modsecurity2/modsecurity2.hash > +++ b/package/modsecurity2/modsecurity2.hash > @@ -1,5 +1,5 @@ > -# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256 > -sha256 e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e modsecurity-2.9.5.tar.gz > +# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256 > +sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz > > # Locally computed > sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE > diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk > index a1ad8fe5bc..c251291e64 100644 > --- a/package/modsecurity2/modsecurity2.mk > +++ b/package/modsecurity2/modsecurity2.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -MODSECURITY2_VERSION = 2.9.5 > +MODSECURITY2_VERSION = 2.9.7 > MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz > MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION) > MODSECURITY2_LICENSE = Apache-2.0 > @@ -12,11 +12,10 @@ MODSECURITY2_LICENSE_FILES = LICENSE > MODSECURITY2_CPE_ID_VENDOR = trustwave > MODSECURITY2_CPE_ID_PRODUCT = modsecurity > MODSECURITY2_INSTALL_STAGING = YES > -MODSECURITY2_DEPENDENCIES = apache libxml2 pcre > +MODSECURITY2_DEPENDENCIES = host-pkgconf apache libxml2 pcre2 > > MODSECURITY2_CONF_OPTS = \ > - --with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \ > - --with-libxml=$(STAGING_DIR)/usr \ > + --with-pcre2=$(STAGING_DIR)/usr/bin/pcre2-config \ > --with-apr=$(STAGING_DIR)/usr/bin/apr-1-config \ > --with-apu=$(STAGING_DIR)/usr/bin/apu-1-config \ > --with-apxs=$(STAGING_DIR)/usr/bin/apxs \ > -- > 2.39.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot