* [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
@ 2025-06-30 7:24 Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2025-06-30 7:24 UTC
To: buildroot; +Cc: Hervé Codina
Fixes the following security issues:
- CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to
denial of service in one special case (in stable released versions):
when the payload's content type is application/json, and there is at
least one rule which does a sanitiseMatchedBytes action. A patch is
available at pull request 3389 and expected to be part of version
2.9.9. No known workarounds are available.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-47947
- https://github.com/owasp-modsecurity/ModSecurity/pull/3389
- CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
`sanitiseArg` (and `sanitizeArg` - this is the same action but an
alias) is vulnerable to adding an excessive number of arguments,
thereby leading to denial of service. Version 2.9.10 fixes the issue.
As a workaround, avoid using rules that contain the `sanitiseArg` (or
`sanitizeArg`) action.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-48866
- https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
For more details on the version bump, see:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
Also this patch changes the _SOURCE variable, which now includes a 'v'
prefixing the version.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/modsecurity2/modsecurity2.hash | 2 +-
package/modsecurity2/modsecurity2.mk | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
index fbb7fabb3a..cd8a96aa00 100644
--- a/package/modsecurity2/modsecurity2.hash
+++ b/package/modsecurity2/modsecurity2.hash
@@ -1,5 +1,5 @@
# From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256
-sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz
+sha256 081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53 modsecurity-v2.9.10.tar.gz
# Locally computed
sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE
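Review bot: the `# From` comment at the top of this hunk still names the v2.9.7 .sha256 file while the entry below it now records modsecurity-v2.9.10.tar.gz, so the hash can no longer be traced to its stated source; change it to `# From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.10/modsecurity-v2.9.10.tar.gz.sha256` (the same path pattern MODSECURITY2_SITE uses). Since that .sha256 file is served from the same release location as the tarball, matching it only shows the download was not corrupted in transit; a reviewer should still fetch the tarball and confirm `sha256sum` reports 081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53 before accepting the entry, so the Buildroot hash stays an independently checked record rather than a copy of upstream's file.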
diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk
index 36d6e1a847..b644fe7407 100644
--- a/package/modsecurity2/modsecurity2.mk
+++ b/package/modsecurity2/modsecurity2.mk
@@ -4,8 +4,8 @@
#
################################################################################
-MODSECURITY2_VERSION = 2.9.7
-MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz
+MODSECURITY2_VERSION = 2.9.10
+MODSECURITY2_SOURCE = modsecurity-v$(MODSECURITY2_VERSION).tar.gz
MODSECURITY2_SITE = https://github.com/owasp-modsecurity/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
MODSECURITY2_LICENSE = Apache-2.0
MODSECURITY2_LICENSE_FILES = LICENSE
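Review bot: MODSECURITY2_SOURCE now hard-codes the `v` in the asset name while MODSECURITY2_SITE keeps deriving its own from v$(MODSECURITY2_VERSION); that is correct for 2.9.10, where the .hash hunk shows upstream renamed the tarball from modsecurity-2.9.7.tar.gz to modsecurity-v2.9.10.tar.gz, but it is a silent dependency on upstream's naming, so a one-line comment above MODSECURITY2_SOURCE saying the prefix appeared with the 2.9.10 release asset would tell the next bumper to re-check the asset name instead of inheriting it. The jump from 2.9.7 also passes over 2.9.8 and 2.9.9; the commit message links all three release pages, which is the right place for that context.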
--
2.50.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
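The commit message above says the only workaround for CVE-2025-48866 on an unfixed engine is to stop using rules that carry the `sanitiseArg`/`sanitizeArg` action, and that `sanitiseMatchedBytes` is the trigger for CVE-2025-47947. What an operator who cannot bump yet needs is a way to find exactly those rules. The following is an added example, not code from the patch, from Buildroot or from the ModSecurity project: a small Python audit that walks a ModSecurity v2 rule file, joins backslash continuations, pulls the action list out of `SecRule`/`SecAction`/`SecDefaultAction` directives and reports the offending rule ids when the engine version is older than the fix. The sample rule set is constructed for the example, the fix versions come from the advisory text quoted in the commit message (2.9.9 for sanitiseMatchedBytes, 2.9.10 for sanitiseArg), and parsing relies on `shlex` for double-quoted arguments, which covers the usual directive forms but not every quoting corner case ModSecurity accepts.

```python
"""Audit ModSecurity v2 rule files for the actions named in CVE-2025-47947 and
CVE-2025-48866.  Added example, not Buildroot's or ModSecurity's own code.
Flags rules using sanitiseMatchedBytes (fixed in 2.9.9; <= 2.9.8 affected) or
sanitiseArg / sanitizeArg (fixed in 2.9.10) when the engine predates the fix."""
import shlex
from dataclasses import dataclass

# lower-cased action name -> (CVE, first fixed version), per the advisory text
VULNERABLE_ACTIONS = {
    "sanitisematchedbytes": ("CVE-2025-47947", (2, 9, 9)),
    "sanitisearg": ("CVE-2025-48866", (2, 9, 10)),
    "sanitizearg": ("CVE-2025-48866", (2, 9, 10)),
}

# Constructed sample rule set for this example (not from any real deployment).
SAMPLE_RULES = """\
# constructed sample configuration
SecRuleEngine On
SecRule REQUEST_HEADERS:Content-Type "application/json" \\
    "id:1001,phase:1,pass,t:lowercase,ctl:requestBodyProcessor=JSON"
SecRule ARGS:password "@rx ." \\
    "id:1002,phase:2,pass,msg:'mask password, commas: a,b',sanitiseArg:password"
SecRule ARGS "@rx (?i)secret" "id:1003,phase:2,pass,sanitiseMatchedBytes"
SecAction "id:1004,phase:1,pass,nolog,sanitizeArg:token"
SecRule ARGS "@rx foo" "id:1005,phase:2,deny,sanitiseRequestHeader:Authorization"
"""


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line where the directive starts
    rule_id: str    # value of the id: action, "?" if the rule has none
    action: str     # the action exactly as written in the rule
    cve: str


def parse_version(text: str) -> tuple:
    """'2.9.7' -> (2, 9, 7), so versions compare as tuples."""
    return tuple(int(p) for p in text.strip().split("."))


def logical_lines(text: str):
    """Yield (start_line, directive) with backslash line continuations joined."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or comment outside a continuation
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation; emit what we have
        yield start, " ".join(buf)


def split_actions(actions: str):
    """Split an action list on commas, ignoring commas inside 'quoted' values."""
    out, cur, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [a for a in out if a]


def audit_rules(text: str, engine_version: str):
    """Return Findings for rules whose actions are unsafe on engine_version."""
    version = parse_version(engine_version)
    findings = []
    for start, directive in logical_lines(text):
        try:
            tokens = shlex.split(directive)  # honours "..." quoting of arguments
        except ValueError:
            continue  # unbalanced quotes: not a directive we can parse
        if len(tokens) >= 4 and tokens[0] == "SecRule":
            actions = tokens[3]
        elif len(tokens) >= 2 and tokens[0] in ("SecAction", "SecDefaultAction"):
            actions = tokens[1]
        else:
            continue  # other directives, or a SecRule inheriting SecDefaultAction
        acts = split_actions(actions)
        rule_id = next((a.split(":", 1)[1] for a in acts if a.lower().startswith("id:")), "?")
        for act in acts:
            cve, fixed_in = VULNERABLE_ACTIONS.get(act.split(":", 1)[0].lower(), (None, None))
            if cve and version < fixed_in:
                findings.append(Finding(start, rule_id, act, cve))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "2.9.7"):
        print(f"line {f.line}: rule {f.rule_id} uses {f.action} ({f.cve})")
```

Run against an engine reported as 2.9.7, the sample yields rules 1002, 1003 and 1004; against 2.9.9 only the two sanitiseArg rules remain, and against 2.9.10 nothing is flagged. Rule 1005 uses sanitiseRequestHeader, which the advisories do not name, so it is deliberately left alone; the point of keying on the exact action names is to avoid ripping out unrelated sanitisation.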
* Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
From: Julien Olivain via buildroot @ 2025-06-30 19:55 UTC
To: Thomas Perale; +Cc: buildroot, Hervé Codina
On 30/06/2025 09:24, Thomas Perale via buildroot wrote:
> Fixes the following security issues:
>
> - CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to
> denial of service in one special case (in stable released versions):
> when the payload's content type is application/json, and there is at
> least one rule which does a sanitiseMatchedBytes action. A patch is
> available at pull request 3389 and expected to be part of version
> 2.9.9. No known workarounds are available.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
> - https://github.com/owasp-modsecurity/ModSecurity/pull/3389
>
> - CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
> vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
> `sanitiseArg` (and `sanitizeArg` - this is the same action but an
> alias) is vulnerable to adding an excessive number of arguments,
> thereby leading to denial of service. Version 2.9.10 fixes the issue.
> As a workaround, avoid using rules that contain the `sanitiseArg` (or
> `sanitizeArg`) action.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
> - https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
>
> For more details on the version bump, see:
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
>
> Also this patch changes the _SOURCE variable, which now includes a 'v'
> prefixing the version.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to master, thanks.
For info, I also updated the hash source url in hash file comment. See:
https://gitlab.com/buildroot.org/buildroot/-/commit/3d593a8144ad8890dae4ab6fd235eef700d3c144
Best regards,
Julien.
* Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
From: Herve Codina via buildroot @ 2025-07-03 10:33 UTC
To: Thomas Perale; +Cc: buildroot
On Mon, 30 Jun 2025 09:24:23 +0200
Thomas Perale <thomas.perale@mind.be> wrote:
> Fixes the following security issues:
>
> - CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to
> denial of service in one special case (in stable released versions):
> when the payload's content type is application/json, and there is at
> least one rule which does a sanitiseMatchedBytes action. A patch is
> available at pull request 3389 and expected to be part of version
> 2.9.9. No known workarounds are available.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
> - https://github.com/owasp-modsecurity/ModSecurity/pull/3389
>
> - CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
> vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
> `sanitiseArg` (and `sanitizeArg` - this is the same action but an
> alias) is vulnerable to adding an excessive number of arguments,
> thereby leading to denial of service. Version 2.9.10 fixes the issue.
> As a workaround, avoid using rules that contain the `sanitiseArg` (or
> `sanitizeArg`) action.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
> - https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
>
> For more details on the version bump, see:
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
>
> Also this patch changes the _SOURCE variable, which now includes a 'v'
> prefixing the version.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
> package/modsecurity2/modsecurity2.hash | 2 +-
> package/modsecurity2/modsecurity2.mk | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
> index fbb7fabb3a..cd8a96aa00 100644
> --- a/package/modsecurity2/modsecurity2.hash
> +++ b/package/modsecurity2/modsecurity2.hash
> @@ -1,5 +1,5 @@
> # From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256
Can you update this comment with the following:
From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.10/modsecurity-v2.9.10.tar.gz.sha256
For information, I have downloaded this .sha256 file and have checked the
sha value against the sha256 provided below. They match perfectly.
> -sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz
> +sha256 081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53 modsecurity-v2.9.10.tar.gz
Best regards,
Hervé
* Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
From: Thomas Perale via buildroot @ 2025-07-03 14:38 UTC
To: Herve Codina; +Cc: buildroot
Hi Hervé,
Julien already took care of fixing my mistake when committing (see
https://gitlab.com/buildroot.org/buildroot/-/commit/3d593a8144ad8890dae4ab6fd235eef700d3c144).
Thanks for giving a look.
Regards,
Thomas
On 7/3/25 12:33 PM, Herve Codina wrote:
> On Mon, 30 Jun 2025 09:24:23 +0200
> Thomas Perale <thomas.perale@mind.be> wrote:
>
>> Fixes the following security issues:
>>
>> - CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to
>> denial of service in one special case (in stable released versions):
>> when the payload's content type is application/json, and there is at
>> least one rule which does a sanitiseMatchedBytes action. A patch is
>> available at pull request 3389 and expected to be part of version
>> 2.9.9. No known workarounds are available.
>>
>> For more information, see:
>> - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
>> - https://github.com/owasp-modsecurity/ModSecurity/pull/3389
>>
>> - CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
>> vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
>> `sanitiseArg` (and `sanitizeArg` - this is the same action but an
>> alias) is vulnerable to adding an excessive number of arguments,
>> thereby leading to denial of service. Version 2.9.10 fixes the issue.
>> As a workaround, avoid using rules that contain the `sanitiseArg` (or
>> `sanitizeArg`) action.
>>
>> For more information, see:
>> - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
>> - https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
>>
>> For more details on the version bump, see:
>> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
>> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
>> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
>>
>> Also this patch changes the _SOURCE variable, which now includes a 'v'
>> prefixing the version.
>>
>> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
>> ---
>> package/modsecurity2/modsecurity2.hash | 2 +-
>> package/modsecurity2/modsecurity2.mk | 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
>> index fbb7fabb3a..cd8a96aa00 100644
>> --- a/package/modsecurity2/modsecurity2.hash
>> +++ b/package/modsecurity2/modsecurity2.hash
>> @@ -1,5 +1,5 @@
>> # From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256
> Can you update this comment with the following:
> From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.10/modsecurity-v2.9.10.tar.gz.sha256
>
> For information, I have downloaded this .sha256 file and have checked the
> sha value against the sha256 provided below. They match perfectly.
>
>> -sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz
>> +sha256 081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53 modsecurity-v2.9.10.tar.gz
> Best regards,
> Hervé
* Re: [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10
From: Thomas Perale via buildroot @ 2025-07-11 10:44 UTC
To: Thomas Perale; +Cc: buildroot
In reply to:
> Fixes the following security issues:
>
> - CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to
> denial of service in one special case (in stable released versions):
> when the payload's content type is application/json, and there is at
> least one rule which does a sanitiseMatchedBytes action. A patch is
> available at pull request 3389 and expected to be part of version
> 2.9.9. No known workarounds are available.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-47947
> - https://github.com/owasp-modsecurity/ModSecurity/pull/3389
>
> - CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
> vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
> `sanitiseArg` (and `sanitizeArg` - this is the same action but an
> alias) is vulnerable to adding an excessive number of arguments,
> thereby leading to denial of service. Version 2.9.10 fixes the issue.
> As a workaround, avoid using rules that contain the `sanitiseArg` (or
> `sanitizeArg`) action.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-48866
> - https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
>
> For more details on the version bump, see:
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
> - https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
>
> Also this patch changes the _SOURCE variable, which now includes a 'v'
> prefixing the version.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2025.05.x. Thanks
> ---
> package/modsecurity2/modsecurity2.hash | 2 +-
> package/modsecurity2/modsecurity2.mk | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
> index fbb7fabb3a..cd8a96aa00 100644
> --- a/package/modsecurity2/modsecurity2.hash
> +++ b/package/modsecurity2/modsecurity2.hash
> @@ -1,5 +1,5 @@
> # From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256
> -sha256 2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 modsecurity-2.9.7.tar.gz
> +sha256 081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53 modsecurity-v2.9.10.tar.gz
>
> # Locally computed
> sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE
> diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk
> index 36d6e1a847..b644fe7407 100644
> --- a/package/modsecurity2/modsecurity2.mk
> +++ b/package/modsecurity2/modsecurity2.mk
> @@ -4,8 +4,8 @@
> #
> ################################################################################
>
> -MODSECURITY2_VERSION = 2.9.7
> -MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz
> +MODSECURITY2_VERSION = 2.9.10
> +MODSECURITY2_SOURCE = modsecurity-v$(MODSECURITY2_VERSION).tar.gz
> MODSECURITY2_SITE = https://github.com/owasp-modsecurity/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
> MODSECURITY2_LICENSE = Apache-2.0
> MODSECURITY2_LICENSE_FILES = LICENSE
> --
> 2.50.0
Thread overview: 6+ messages
2025-06-30 7:24 [Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.10 Thomas Perale via buildroot
2025-06-30 19:55 ` Julien Olivain via buildroot
2025-07-03 10:33 ` Herve Codina via buildroot
2025-07-03 14:38 ` Thomas Perale via buildroot
2025-07-03 15:26 ` Herve Codina via buildroot
2025-07-11 10:44 ` Thomas Perale via buildroot