Update to 2.9.6 is out: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6 Christian Folini (Maintainer of the OWASP Core Rule Set) stated the following: "Reading through the release notes does not really make it clear this is a security release. Being familiar with all the weaknesses in question, I assure you this is grave. Please update your servers." https://sourceforge.net/p/mod-security/mailman/message/37704757/
Created attachment 236454: Patch for 2.9.6
You can remove PORTREVISION since 0 is the default value.
(In reply to Fernando Apesteguía from comment #2) It's almost a philosophical question that keeps coming up on FreeBSD ports. See here: https://svnweb.freebsd.org/ports/head/www/mod_security/Makefile?r1=490715&r2=490714&pathrev=490715 I'm not sure if there is a "right" and a "wrong" there.
(In reply to Pascal Christen from comment #3) It should be removed really.
Created attachment 236514: Patch for update, no PORTREVISION
Updated patch is working for me on FreeBSD 13.1-p2.
joneum@?
I've been running this patch on a production server for almost a month at this point. Any idea when this patch will get merged?
Committed, thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ecca07542ff99dfe12fbfb9d26ff3c2ad7ffd03a

commit ecca07542ff99dfe12fbfb9d26ff3c2ad7ffd03a
Author:     Pascal Christen <pascal.christen@hostpoint.ch>
AuthorDate: 2022-10-19 05:43:56 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-19 16:11:58 +0000

    www/mod_security: Update to 2.9.6

    ChangeLog: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6

    New features and security impacting issues
    Adjust parser activation rules in modsecurity.conf-recommended
    Multipart parsing fixes and new MULTIPART_PART_HEADERS collection

    Bug fixes
    * Limit rsub null termination to where necessary
    * IIS: Update dependencies for next planned release
    * XML parser cleanup: NULL duplicate pointer
    * Properly cleanup XML parser contexts upon completion
    * Fix memory leak in streams
    * Fix: negative usec on log line when data type long is 32b
    * mlogc log-line parsing fails due to enhanced timestamp
    * Allow no-key, single-value JSON body
    * Set SecStatusEngine Off in modsecurity.conf-recommended
    * Fix memory leak that occurs on JSON parsing error
    * Multipart names/filenames may include single quote if double-quote enclosed
    * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

    PR:          266318
    Reported by: pascal.christen@hostpoint.ch
    Reviewed by: tuc03516@gmail.com
    Approved by: joneum@ (maintainer, timeout > 1 month)

 www/mod_security/Makefile | 3 +--
 www/mod_security/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)