Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10

From: Herve Codina via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
Date: Thu, 3 Jul 2025 12:33:59 +0200	[thread overview]
Message-ID: <20250703123359.5bca4a98@bootlin.com> (raw)
In-Reply-To: <20250630072423.1126928-1-thomas.perale@mind.be>

On Mon, 30 Jun 2025 09:24:23 +0200
Thomas Perale <thomas.perale@mind.be> wrote:

> Fixes the following security issues:
> 
> - CVE 2025-47947: Versions up to and including 2.9.8 are vulnerable to
>   denial of service in one special case (in stable released versions):
>   when the payload's content type is application/json, and there is at
>   least one rule which does a sanitiseMatchedBytes action. A patch is
>   available at pull request 3389 and expected to be part of version
>   2.9.9. No known workarounds are available.
> 
> For more information, see:
>   - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
>   - https://github.com/owasp-modsecurity/ModSecurity/pull/3389
> 
> - CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
>   vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
>   `sanitiseArg` (and `sanitizeArg` - this is the same action but an
>   alias) is vulnerable to adding an excessive number of arguments,
>   thereby leading to denial of service. Version 2.9.10 fixes the issue.
>   As a workaround, avoid using rules that contain the `sanitiseArg` (or
>   `sanitizeArg`) action.
> 
> For more information, see:
>   - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
>   - https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
> 
> For more details on the version bump, see:
>   - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
>   - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
>   - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
> 
> Also this patch change the _SOURCE variable that now include a 'v'
> prefixing the version.
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
>  package/modsecurity2/modsecurity2.hash | 2 +-
>  package/modsecurity2/modsecurity2.mk   | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
> index fbb7fabb3a..cd8a96aa00 100644
> --- a/package/modsecurity2/modsecurity2.hash
> +++ b/package/modsecurity2/modsecurity2.hash
> @@ -1,5 +1,5 @@
>  # From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256

Can you update this comment with the following:
  From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.10/modsecurity-v2.9.10.tar.gz.sha256

For information, I have downloaded this .sha256 file and have checked the
sha value against the sha256 provided below. They match perfectly.

> -sha256  2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839  modsecurity-2.9.7.tar.gz
> +sha256  081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53  modsecurity-v2.9.10.tar.gz

Best regards,
Hervé
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot