import UBI mod_security-2.9.6-2.el9_6.1

This commit is contained in:
eabdullin 2025-08-05 05:08:32 +00:00
parent 09993d343e
commit df6f7a1b3e
2 changed files with 32 additions and 1 deletions


@ -0,0 +1,26 @@
From 614c6e18a734bd31a483abc2fa2faf217dcb81c3 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus <airween@gmail.com>
Date: Sat, 24 May 2025 12:04:39 +0200
Subject: [PATCH] fix: add ARGS to sanitize list only if it's not added yet in
case of sanitizeArg
---
apache2/re_actions.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apache2/re_actions.c b/apache2/re_actions.c
index 4a922d27f..febc4759e 100644
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@@ -1455,8 +1455,9 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t
for (i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
- if (strcasecmp(sargname, arg->name) == 0) {
+ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
+ arg->marked_for_sanitization = 1;
}
}
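Review bot: The new condition on line 28 and the assignment on line 30 depend on `arg->marked_for_sanitization`, a member of `msc_arg` that this one-file patch does not add; if the 2.9.6 definition of `msc_arg` in the packaged source lacks that member, the backport fails to compile, so confirm it is present (the upstream commit's diffstat of a single file suggests it already existed on the branch the fix was written against, but that is an inference). The flag is set and never cleared inside this hunk, which is only correct if each `msc_arg` is built fresh per request; that appears to be the case but is not visible here. The enclosing function `msre_action_sanitizeArg_execute` starts before this hunk and continues after it.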


@ -10,7 +10,7 @@
Summary: Security module for the Apache HTTP Server Summary: Security module for the Apache HTTP Server
Name: mod_security Name: mod_security
Version: 2.9.6 Version: 2.9.6
Release: 2%{?dist} Release: 2%{?dist}.1
License: ASL 2.0 License: ASL 2.0
URL: http://www.modsecurity.org/ URL: http://www.modsecurity.org/
Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
@ -21,6 +21,7 @@ Patch0: modsecurity-2.9.3-lua-54.patch
Patch1: modsecurity-2.9.3-apulibs.patch Patch1: modsecurity-2.9.3-apulibs.patch
Patch2: mod_security-2.9.3-remote-rules-timeout.patch Patch2: mod_security-2.9.3-remote-rules-timeout.patch
Patch3: mod_security-2.9.6-CVE-2025-47947.patch Patch3: mod_security-2.9.6-CVE-2025-47947.patch
Patch4: mod_security-2.9.6-CVE-2025-48866.patch
Requires: httpd httpd-mmn = %{_httpd_mmn} Requires: httpd httpd-mmn = %{_httpd_mmn}
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
@ -144,6 +145,10 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
%endif %endif
%changelog %changelog
* Wed Jul 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.9.6-2.1
- Resolves: RHEL-100102 - CVE-2025-48866 mod_security: ModSecurity
Denial of Service Vulnerability
* Thu May 29 2025 Joe Orton <jorton@redhat.com> - 2.9.6-2 * Thu May 29 2025 Joe Orton <jorton@redhat.com> - 2.9.6-2
- add fix for CVE-2025-47947 - add fix for CVE-2025-47947
- Resolves: RHEL-93016 - Resolves: RHEL-93016
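Review bot: The added `Patch4: mod_security-2.9.6-CVE-2025-48866.patch` declaration is not enough on its own if the spec applies patches with explicit `%patchN` lines in %prep, which is outside this section; without a matching `%patch4 -p1` (or an `%autosetup -p1` that applies all declared patches) the patch is declared but never applied, and the build ships without the fix the 2.9.6-2.1 changelog entry claims. Confirm the %prep section and, if it lists patches individually, add `%patch4 -p1` after the existing `%patch3` line. The hunk at line 36 is a release bump and the changelog hunk needs no further change.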