Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,48 +0,0 @@
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-47947
|
||||
|
||||
https://github.com/owasp-modsecurity/ModSecurity/commit/26161b907e792e53d01c7293e630240db13e28b3
|
||||
|
||||
--- modsecurity-2.9.6/apache2/modsecurity.h.cve47947
|
||||
+++ modsecurity-2.9.6/apache2/modsecurity.h
|
||||
@@ -693,6 +693,7 @@
|
||||
unsigned int value_origin_offset;
|
||||
unsigned int value_origin_len;
|
||||
const char *origin;
|
||||
+ unsigned int marked_for_sanitization;
|
||||
};
|
||||
|
||||
struct msc_string {
|
||||
--- modsecurity-2.9.6/apache2/msc_json.c.cve47947
|
||||
+++ modsecurity-2.9.6/apache2/msc_json.c
|
||||
@@ -58,6 +58,7 @@
|
||||
arg->name, arg->value);
|
||||
}
|
||||
|
||||
+ arg->marked_for_sanitization = 0;
|
||||
apr_table_addn(msr->arguments,
|
||||
log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
|
||||
|
||||
--- modsecurity-2.9.6/apache2/msc_parsers.c.cve47947
|
||||
+++ modsecurity-2.9.6/apache2/msc_parsers.c
|
||||
@@ -340,6 +340,7 @@
|
||||
*/
|
||||
void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
|
||||
{
|
||||
+ arg->marked_for_sanitization = 0;
|
||||
if (msr->txcfg->debuglog_level >= 5) {
|
||||
msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
|
||||
arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
|
||||
--- modsecurity-2.9.6/apache2/re_actions.c.cve47947
|
||||
+++ modsecurity-2.9.6/apache2/re_actions.c
|
||||
@@ -1413,8 +1413,9 @@
|
||||
telts = (const apr_table_entry_t*)tarr->elts;
|
||||
for (i = 0; i < tarr->nelts; i++) {
|
||||
msc_arg *arg = (msc_arg *)telts[i].val;
|
||||
- if (strcasecmp(sargname, arg->name) == 0) {
|
||||
+ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
|
||||
apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
|
||||
+ arg->marked_for_sanitization = 1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
@ -10,7 +10,7 @@
|
||||
Summary: Security module for the Apache HTTP Server
|
||||
Name: mod_security
|
||||
Version: 2.9.6
|
||||
Release: 2%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: ASL 2.0
|
||||
URL: http://www.modsecurity.org/
|
||||
Group: System Environment/Daemons
|
||||
@ -19,7 +19,6 @@ Source1: mod_security.conf
|
||||
Source2: 10-mod_security.conf
|
||||
Source3: modsecurity_localrules.conf
|
||||
Patch1: mod_security-2.9.2-remote-rules-timeout.patch
|
||||
Patch3: mod_security-2.9.6-CVE-2025-47947.patch
|
||||
Requires: httpd httpd-mmn = %{_httpd_mmn}
|
||||
# To ensure correct file ownership
|
||||
Requires(pre): httpd-filesystem
|
||||
@ -59,7 +58,6 @@ This package contains the ModSecurity Audit Log Collector.
|
||||
%prep
|
||||
%setup -q -n modsecurity-%{version}
|
||||
%patch1 -p1 -b .remote-rules-timeout
|
||||
%patch3 -p1 -b .cve47947
|
||||
|
||||
%build
|
||||
%configure --enable-pcre-match-limit=1000000 \
|
||||
@ -138,10 +136,6 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu May 29 2025 Joe Orton <jorton@redhat.com> - 2.9.6-2
|
||||
- add fix for CVE-2025-47947
|
||||
- Resolves: RHEL-93005
|
||||
|
||||
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.9.6-1
|
||||
- new version 2.9.6
|
||||
- Resolves: #2143207 - [RFE] upgrade mod_security to 2.9.6
|
||||
|
||||
Loading…
Reference in New Issue
Block a user