From 458617f635a3ccb20023baf018d7fd9079ddb41c Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Fri, 17 Dec 2021 22:21:45 +0100
Subject: [PATCH] package/modsecurity2: security bump to version 2.9.5
- Fix CVE-2021-42717: ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
- Use official tarball and so drop autoreconf
Signed-off-by: Fabrice Fontaine
Signed-off-by: Thomas Petazzoni
---
 package/modsecurity2/modsecurity2.hash | 4 +++-
 package/modsecurity2/modsecurity2.mk | 6 +++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
index 1501b5642e..a19f4823a8 100644
--- a/package/modsecurity2/modsecurity2.hash
+++ b/package/modsecurity2/modsecurity2.hash
@@ -1,3 +1,5 @@
+# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256
+sha256 e2bfc8cd8b8de1e21f054d310543373ea5d89adbd96784e832be0da3e4dc149e modsecurity-2.9.5.tar.gz
+
 # Locally computed
-sha256 686695c650449a338757711254ea78c67dedb1d258e03e5c8686f869388fff8c modsecurity2-2.9.4.tar.gz
 sha256 2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9 LICENSE
diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk
index 5d91818ade..a1ad8fe5bc 100644
--- a/package/modsecurity2/modsecurity2.mk
+++ b/package/modsecurity2/modsecurity2.mk
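Review bot: The new tarball digest in the modsecurity2.hash hunk is copied from a .sha256 file served from the same release URL as the tarball itself, so it pins the build to what that URL served at the time it was copied rather than being an independent check the way the removed locally computed 2.9.4 entry was. If the value was also cross-checked against a locally computed digest, or against an upstream release signature where one is published, recording that in the comment would make the provenance of the pinned value clear, e.g. `# From https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.5/modsecurity-2.9.5.tar.gz.sha256, cross-checked against a locally computed digest`. The `# Locally computed` heading now covers only the LICENSE entry, which is consistent with the new layout. The modsecurity2.mk hunk that follows runs past the end of this excerpt, so it is not reviewed here.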
@@ -4,15 +4,15 @@
 #
 ################################################################################
-MODSECURITY2_VERSION = 2.9.4
-MODSECURITY2_SITE = $(call github,SpiderLabs,ModSecurity,v$(MODSECURITY2_VERSION))
+MODSECURITY2_VERSION = 2.9.5
+MODSECURITY2_SOURCE = modsecurity-$(MODSECURITY2_VERSION).tar.gz
+MODSECURITY2_SITE = https://github.com/SpiderLabs/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
 MODSECURITY2_LICENSE = Apache-2.0
 MODSECURITY2_LICENSE_FILES = LICENSE
 MODSECURITY2_CPE_ID_VENDOR = trustwave
 MODSECURITY2_CPE_ID_PRODUCT = modsecurity
 MODSECURITY2_INSTALL_STAGING = YES
 MODSECURITY2_DEPENDENCIES = apache libxml2 pcre
-MODSECURITY2_AUTORECONF = YES
 MODSECURITY2_CONF_OPTS = \
 --with-pcre=$(STAGING_DIR)/usr/bin/pcre-config \