Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882

From: Frank Vanbever via buildroot <buildroot@buildroot.org>
To: Frank Vanbever via buildroot <buildroot@buildroot.org>,
	Peter Korsgaard <peter@korsgaard.com>
Subject: Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
Date: Wed, 30 Aug 2023 09:29:33 +0200	[thread overview]
Message-ID: <5966703.lOV4Wx5bFT@wintermute> (raw)
In-Reply-To: <87il917em8.fsf@48ers.dk>

Hi Peter,

I believe your assessment is right, at this point it would be best to backport 
the bump to 3.0.10 on master to the stable branches and get rid of multiple 
CVEs at the same time. Do I resubmit that patch or do you take it directly 
from master?

Best regards,
Frank

On zaterdag 26 augustus 2023 22:06:23 CEST Peter Korsgaard wrote:
> >>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> 
writes:
>  > Fixes the following issue:
>  > - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9
>  > allows > 
>  >   a denial of service (worker crash and unresponsiveness) because some
>  >   inputs
>  >   cause a segfault in the Transaction class for some configurations.
>  >   
>  >   https://security-tracker.debian.org/tracker/CVE-2023-28882
>  > 
>  > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
> 
> Sorry for the slow response.
> 
> We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
> big that it makes sense to add this patch rather than just bumping to
> 3.0.9 - Especially given that 3.0.10 contained another security fix?
> 
> Looking at the 3.0.9 release notes, it seems to be almost entirely
> fixes:
> 
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot