Created attachment 249730: patch

Hello,

This update upgrades ModSecurity to version 2.9.7, which was released over a year ago. It addresses several security-related issues. Trustwave has announced the transfer of ModSecurity custodianship to OWASP, effective January 25, 2024. You can find more information about this change at https://www.modsecurity.org/. As a result of this transfer, the new links have been adjusted accordingly. Additionally, the documentation for the CRS has been updated to reflect some new changes (version 4.0, ...).
Created attachment 253321: Updates mod_security to 2.9.8

Updates to latest version and links against pcre2 instead of deprecated pcre. Also reflects project changes since OWASP took over maintainership.
*** Bug 279561 has been marked as a duplicate of this bug. ***
I've built with https://bugs.freebsd.org/bugzilla/attachment.cgi?id=253321 in poudriere on 14.1-RELEASE and I'm running with 2.9.8 in our staging env now. If you, Pascal, agree with my patch, I'd like to move forward with maintainer-timeout and send a request to the ports mailing list.
(In reply to Einar Bjarni Halldórsson from comment #3) Thanks Einar for updating this issue. Looks good. The only thing I'm currently not sure about is the source code that is used. In the current setup, it is using the "packed" modsecurity-v2.9.X.tar.gz from the releases page. Your change is using the "source code" tar.gz from the release page. But I'm not that experienced with the FreeBSD build system and whether this is the way to go.
I discovered a bug with 2.9.8 compiled with pcre2. httpd segfaults, apparently when mod_security tries to log:

```
* thread #1, name = 'httpd', stop reason = signal SIGSEGV
  * frame #0: 0x0000000825107699 libapr-1.so.0`apr_global_mutex_lock + 9
    frame #1: 0x000000083a3a2425 mod_security2.so`sec_audit_logger_native(msr=0x00003cdf55b0fa28) at msc_logging.c:1653:14
```

I'm still debugging it, but I'm told replacing `SecAuditLogType Serial` with `SecAuditLogType Concurrent` doesn't trigger the bug. We're running httpd with syslog logging. I tried reverting my changes to which tarball is fetched, but the bug is also present when using the built tarball.
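As an added example (not code from the bug report or from the ModSecurity project), a small POSIX shell check that reports whether an httpd config fragment has `SecAuditLogType Serial` in effect, the mode the comment above ties to the segfault; the sample config is constructed, and it follows Apache's rules that directive names are case-insensitive, full-line comments are ignored and the last occurrence wins:

```shell
#!/bin/sh
# Added example: find the effective SecAuditLogType in a config fragment.
# Constructed sample config (not from any real host):
SAMPLE_CONF='
# SecAuditLogType Concurrent   <- commented out, must be ignored
SecAuditEngine RelevantOnly
  secauditlogtype Serial
SecAuditLog /var/log/httpd/modsec_audit.log
'

# Print the effective SecAuditLogType value from config text on stdin.
# Prints nothing if the directive is absent.
effective_audit_log_type() {
    # Blank out full-line comments, then keep the last matching directive.
    sed -e 's/^[[:space:]]*#.*$//' \
        | awk 'tolower($1) == "secauditlogtype" { v = $2 }
               END { if (v != "") print v }'
}

# Exit 0 if Serial audit logging is in effect (the mode reported to crash
# with 2.9.8 + pcre2 in this thread), 1 otherwise.
uses_serial_audit_log() {
    t=$(effective_audit_log_type | tr '[:upper:]' '[:lower:]')
    [ "$t" = "serial" ]
}

if printf '%s\n' "$SAMPLE_CONF" | uses_serial_audit_log; then
    echo "SecAuditLogType Serial is in effect; the thread's workaround is Concurrent"
fi
```

Run it against a real config with `effective_audit_log_type < /usr/local/etc/apache24/modsecurity.conf` (path is an assumption), remembering that directives pulled in via Include are not followed.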
https://github.com/owasp-modsecurity/ModSecurity/pull/3257 fixes the crashes for me. Hopefully it will get merged soon and a new release put out.