Bug 266318

Summary:

www/mod_security: Update to 2.9.6

Product:

Ports & Packages

Reporter:

Pascal Christen <pascal.christen>

Component:

Individual Port(s)

Assignee:

Fernando Apesteguía <fernape>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

fernape, tuc03516

Priority:

---

Keywords:

security

Version:

Latest

Flags:

fernape: maintainer-feedback? (joneum)

Hardware:

Any

OS:

Any

URL:

https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6

Attachments:

Description	Flags
Patch for 2.9.6	none
Patch for Update	none

Description Pascal Christen 2022-09-09 14:05:38 UTC

Update to 2.9.6 is out: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6

Christian Folini (Maintainer of the OWASP Core Rule Set) stated the following: "Reading through the release notes does not really make it clear this is
a security release. Being familiar with all the weaknesses in question,
I assure you this is grave. Please update your servers."

https://sourceforge.net/p/mod-security/mailman/message/37704757/

Comment 1 Pascal Christen 2022-09-09 14:10:18 UTC

Created attachment 236454 [details]
Patch for 2.9.6

Comment 2 Fernando Apesteguía freebsd_committer

2022-09-12 06:14:39 UTC

You can remove PORTREVISION since 0 is the default value.

Comment 3 Pascal Christen 2022-09-12 06:24:01 UTC

(In reply to Fernando Apesteguía from comment #2)

It's almost a philosophical question that keeps coming up on FreeBSD ports.
See here https://svnweb.freebsd.org/ports/head/www/mod_security/Makefile?r1=490715&r2=490714&pathrev=490715

I'm not sure if there is a "right" and a "wrong" there

Comment 4 Fernando Apesteguía freebsd_committer

2022-09-12 06:35:14 UTC

(In reply to Pascal Christen from comment #3)
It should be removed really.

Comment 5 Pascal Christen 2022-09-12 09:34:32 UTC

Created attachment 236514 [details]
Patch for Update

No PORTREVISION

Comment 6 tuc03516 2022-09-24 23:37:50 UTC

Updated patch is working for me on FreeBSD 13.1-p2.

Comment 7 Fernando Apesteguía freebsd_committer

2022-10-06 06:04:26 UTC

joneum@?

Comment 8 tuc03516 2022-10-18 19:50:33 UTC

I've been running this patch on a production server for almost a month at this point, any idea when this patch will get merged??

Comment 9 Fernando Apesteguía freebsd_committer

2022-10-19 16:16:06 UTC

Committed,

Thanks!

Comment 10 commit-hook freebsd_committer

2022-10-19 16:16:09 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ecca07542ff99dfe12fbfb9d26ff3c2ad7ffd03a

commit ecca07542ff99dfe12fbfb9d26ff3c2ad7ffd03a
Author:     Pascal Christen <pascal.christen@hostpoint.ch>
AuthorDate: 2022-10-19 05:43:56 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-19 16:11:58 +0000

    www/mod_security: Update to 2.9.6

    ChangeLog: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6

    New features and security impacting issues

        Adjust parser activation rules in modsecurity.conf-recommended
        Multipart parsing fixes and new MULTIPART_PART_HEADERS collection

    Bug fixes

     * Limit rsub null termination to where necessary
     * IIS: Update dependencies for next planned release
     * XML parser cleanup: NULL duplicate pointer
     * Properly cleanup XML parser contexts upon completion
     * Fix memory leak in streams
     * Fix: negative usec on log line when data type long is 32b
     * mlogc log-line parsing fails due to enhanced timestamp
     * Allow no-key, single-value JSON body
     * Set SecStatusEngine Off in modsecurity.conf-recommended
     * Fix memory leak that occurs on JSON parsing error
     * Multipart names/filenames may include single quote if double-quote enclosed
     * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

    PR:             266318
    Reported by:    pascal.christen@hostpoint.ch
    Reviewed by:    tuc03516@gmail.com
    Approved by:    joneum@ (maintainer, timeout > 1 month)

 www/mod_security/Makefile | 3 +--
 www/mod_security/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)