Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882

From: Peter Korsgaard <peter@korsgaard.com>
To: Frank Vanbever via buildroot <buildroot@buildroot.org>
Cc: Frank Vanbever <frank.vanbever@mind.be>
Subject: Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
Date: Sat, 26 Aug 2023 22:06:23 +0200	[thread overview]
Message-ID: <87il917em8.fsf@48ers.dk> (raw)
In-Reply-To: <20230713161139.182388-1-frank.vanbever@mind.be> (Frank Vanbever via buildroot's message of "Thu, 13 Jul 2023 18:11:39 +0200")

>>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> writes:

 > Fixes the following issue:
 > - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
 >   a denial of service (worker crash and unresponsiveness) because some inputs
 >   cause a segfault in the Transaction class for some configurations.

 >   https://security-tracker.debian.org/tracker/CVE-2023-28882

 > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

Sorry for the slow response.

We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
big that it makes sense to add this patch rather than just bumping to
3.0.9 - Especially given that 3.0.10 contained another security fix?

Looking at the 3.0.9 release notes, it seems to be almost entirely
fixes:

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot