Bug 278180

Summary: www/mod_security: Update to 2.9.8 and Latest Project Changes
Product: Ports & Packages
Reporter: Pascal Christen <pascal.christen>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: New ---
Severity: Affects Many People
CC: einar, fernape
Priority: ---
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (joneum)
Hardware: Any
OS: Any
URL: https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7
Attachments:
Description                        Flags
patch                              none
Updates mod_security to 2.9.8      einar: maintainer-approval?

Description Pascal Christen 2024-04-05 06:29:15 UTC
Created attachment 249730 [details]
patch

Hello,

This update upgrades ModSecurity to version 2.9.7, which was released over a year ago. It addresses several security-related issues.

Trustwave has announced the transfer of ModSecurity custodianship to OWASP, effective January 25, 2024. You can find more information about this change at https://www.modsecurity.org/.

As a result of this transfer, the new links have been adjusted accordingly. Additionally, the documentation for the CRS has been updated to reflect some new changes (version 4.0, ...).
Comment 1 Einar Bjarni Halldórsson 2024-09-04 10:37:14 UTC
Created attachment 253321 [details]
Updates mod_security to 2.9.8

Updates to latest version and links against pcre2 instead of deprecated pcre

Also reflects project changes since OWASP took over maintainership
Comment 2 Einar Bjarni Halldórsson 2024-09-04 10:39:42 UTC
*** Bug 279561 has been marked as a duplicate of this bug. ***
Comment 3 Einar Bjarni Halldórsson 2024-09-04 13:31:46 UTC
I've built with https://bugs.freebsd.org/bugzilla/attachment.cgi?id=253321 in poudriere on 14.1-RELEASE and I'm running with 2.9.8 in our staging env now.

If you, Pascal, agree with my patch, I'd like to move forward with maintainer-timeout and send a request to the ports mailing list.
Comment 4 Pascal Christen 2024-09-05 07:26:10 UTC
(In reply to Einar Bjarni Halldórsson from comment #3)

Thanks Einar for updating this issue.

Looks good. The only thing I'm currently not sure about is the used source-code.

In the current setup, it is using the "packed" modsecurity-v2.9.X.tar.gz from the releases page. Your change is using the "source code" tar.gz from the release page. But I'm not that experienced with the FreeBSD build system, and I'm not sure if this is the way to go.
Comment 5 Einar Bjarni Halldórsson 2024-09-09 19:44:00 UTC
I discovered a bug with 2.9.8 compiled with pcre2.
httpd segfaults, apparently when mod_security tries to log:

```
* thread #1, name = 'httpd', stop reason = signal SIGSEGV
  * frame #0: 0x0000000825107699 libapr-1.so.0`apr_global_mutex_lock + 9
    frame #1: 0x000000083a3a2425 mod_security2.so`sec_audit_logger_native(msr=0x00003cdf55b0fa28) at msc_logging.c:1653:14
```

I'm still debugging it, but I'm told replacing `SecAuditLogType Serial` with `SecAuditLogType Concurrent` doesn't trigger the bug.
We're running httpd with syslog logging.

I tried reverting my changes to which tarball is fetched, but the bug is also present when using the built tarball.
Comment 6 Einar Bjarni Halldórsson 2024-09-20 11:53:41 UTC
https://github.com/owasp-modsecurity/ModSecurity/pull/3257 fixes the crashes for me. Hopefully it will get merged soon and a new release put out.