[Buildroot] [PATCH 1/1] package/modsecurity2: security bump to version 2.9.7

* [Buildroot] [PATCH 1/1] package/modsecurity2: security bump to version 2.9.7
@ 2023-02-05 14:00 Fabrice Fontaine
  2023-02-05 14:27 ` Yann E. MORIN
  2023-02-21 20:34 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-02-05 14:00 UTC (permalink / raw)
  To: buildroot; +Cc: Hervé Codina, Fabrice Fontaine

- Fix CVE-2023-24021: Incorrect handling of '\0' bytes in file uploads
  in ModSecurity before 2.9.7 may allow for Web Application Firewall
  bypasses and buffer overflows on the Web Application Firewall when
  executing rules that read the FILES_TMP_CONTENT collection.
- host-pkgconf is mandatory and used to find libxml2 since
  https://github.com/SpiderLabs/ModSecurity/commit/baa38ddbaf55a87afecad7a1e1760c69a2689787
- pcre2 is supported since:
  https://github.com/SpiderLabs/ModSecurity/commit/8fc0b519b7a6c023259753a21f33bf3649a25b14

https://github.com/SpiderLabs/ModSecurity/blob/v2.9.7/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/modsecurity2/Config.in         | 2 +-
 package/modsecurity2/modsecurity2.hash | 4 ++--
 package/modsecurity2/modsecurity2.mk   | 7 +++----
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/package/modsecurity2/Config.in b/package/modsecurity2/Config.in
index 2870386a99..fb1bfc960e 100644
--- a/package/modsecurity2/Config.in
+++ b/package/modsecurity2/Config.in
@@ -2,7 +2,7 @@ config BR2_PACKAGE_MODSECURITY2
 	bool "modsecurity2"
 	depends on BR2_PACKAGE_APACHE
 	select BR2_PACKAGE_LIBXML2
-	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_PCRE2
 	help
 	  ModSecurity is an open source, cross-platform web application
 	  firewall (WAF) module. Known as the "Swiss Army Knife" of
diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
index a19f4823a8..2c77ffd830 100644
--- a/package/modsecurity2/modsecurity2.hash
+++ b/package/modsecurity2/modsecurity2.hash
@@ -1,5 +1,5 @@
-# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256
-sha256  e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e  modsecurity-2.9.5.tar.gz
+# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz.sha256
+sha256  2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839  modsecurity-2.9.7.tar.gz
 
 # Locally computed
 sha256  2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9  LICENSE
diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk
index a1ad8fe5bc..c251291e64 100644
--- a/package/modsecurity2/modsecurity2.mk
+++ b/package/modsecurity2/modsecurity2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MODSECURITY2_VERSION = 2.9.5
+MODSECURITY2_VERSION = 2.9.7
 MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz
 MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
 MODSECURITY2_LICENSE = Apache-2.0
@@ -12,11 +12,10 @@ MODSECURITY2_LICENSE_FILES = LICENSE
 MODSECURITY2_CPE_ID_VENDOR = trustwave
 MODSECURITY2_CPE_ID_PRODUCT = modsecurity
 MODSECURITY2_INSTALL_STAGING = YES
-MODSECURITY2_DEPENDENCIES = apache libxml2 pcre
+MODSECURITY2_DEPENDENCIES = host-pkgconf apache libxml2 pcre2
 
 MODSECURITY2_CONF_OPTS = \
-	--with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \
-	--with-libxml=$(STAGING_DIR)/usr \
+	--with-pcre2=$(STAGING_DIR)/usr/bin/pcre2-config \
 	--with-apr=$(STAGING_DIR)/usr/bin/apr-1-config \
 	--with-apu=$(STAGING_DIR)/usr/bin/apu-1-config \
 	--with-apxs=$(STAGING_DIR)/usr/bin/apxs \
-- 
2.39.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread