Commit Graph

19 Commits

Author SHA1 Message Date
Frank Vanbever d4b065e35c package/libmodsecurity: security bump to 3.0.12
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the
change in URLs. The upstream CPE vendor ID will likely also change in the future
but the upstream is still working on this [1].

- Fixes:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019

[1] https://github.com/owasp-modsecurity/ModSecurity/issues/3083

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:09:35 +01:00
Frank Vanbever cec73bb5f8 package/libmodsecurity: bump to version 3.0.11
Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-12-23 14:41:45 +01:00
Frank Vanbever 670329f057 package/libmodsecurity: security bump to version 3.0.10
- Fixes CVE-2023-38285 [1]
- Adapted 0001-configure.ac-drop-usage-of-git-at-configure-time.patch due to
  upstream moving to autoconf portable shell constructs.

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-24 20:55:47 +02:00
Frank Vanbever a1e0e7276c package/libmodsecurity: bump to version 3.0.9
- Drop 0003-Revert-Fix-maxminddb-link-on-FreeBSD.patch, handling of libmaxminddb
  was fixed upstream in d2b700d
- Drop 0004-build-pcre.m4-fix-build-without-pcre.patch, handling of PCRE was
  fixed upstream in 791964a

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-05-01 09:26:55 +02:00
Fabrice Fontaine 97bdc0616c package/libmodsecurity: needs dynamic library
Commit 9fc652a373 was incomplete as
mbedtls can be pulled into libcurl through libssh2, resulting in the
following build failure:

/home/autobuild/autobuild/instance-4/output-1/host/lib/gcc/powerpc64le-buildroot-linux-musl/11.3.0/../../../../powerpc64le-buildroot-linux-musl/bin/ld: /home/autobuild/autobuild/instance-4/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/lib//libmbedcrypto.a(md5.c.o): in function `mbedtls_md5_init':
md5.c:(.text+0x0): multiple definition of `mbedtls_md5_init'; ../../src/.libs/libmodsecurity.a(libmbedtls_la-md5.o):md5.c:(.text+0x0): first defined here

Fixes:
 - http://autobuild.buildroot.org/results/4c235e46188f23d1a48297f4e5942cec7b25959a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-02-21 09:30:41 +01:00
Fabrice Fontaine 1b20c52a5b package/libmodsecurity: bump to version 3.0.8
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-27 13:46:23 +01:00
Fabrice Fontaine f5e1cec700 package/libmodsecurity: select pcre2
Commit ea746f3128 forgot to select pcre2
resulting in the following build failure:

Makefile:575: *** pcre2 is in the dependency chain of libmodsecurity that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in.  Stop.

Fixes:
 - http://autobuild.buildroot.org/results/6528d2611bd1a45c1e94bc6b866de9c33dd90a7b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-28 22:56:21 +02:00
Fabrice Fontaine ea746f3128 package/libmodsecurity: bump to version 3.0.7
Switch to pcre2 as pcre is deprecated

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-27 16:43:56 +02:00
Fabrice Fontaine 9fc652a373 package/libmodsecurity: needs dynamic library with libcurl and mbedtls
libmodsecurity embeds several mbedtls source files since version 3.0.0
and a3ae686f25, resulting in the following static build failure if curl
is built with mbedtls support:

/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/m68k-buildroot-uclinux-uclibc/bin/ld.real: /home/buildroot/autobuild/instance-0/output-1/host/bin/../m68k-buildroot-uclinux-uclibc/sysroot/usr/lib/libmbedcrypto.a(md5.c.o): in function `mbedtls_md5_free':
md5.c:(.text+0x16): multiple definition of `mbedtls_md5_free'; ../../src/.libs/libmodsecurity.a(libmbedtls_la-md5.o):md5.c:(.text+0x16): first defined here

Fixes:
 - http://autobuild.buildroot.org/results/98472a3a41cdbcb3d02289a437074a267f4b2e8e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-06-19 17:22:26 +02:00
Fabrice Fontaine d317b76458 package/libmodsecurity: security bump to version 3.0.6
Support configurable limit on depth of JSON parsing (possible DoS issue)

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-11-28 14:35:43 +01:00
Giulio Benetti 2a48a6ee9d package/libmodsecurity: disable -fPIC on m68k_cf
This package has the -fPIC gcc option set by default but we can't use it on
m68k_cf since it doesn't support it, throwing a gcc build failure. So let's
disable it by passing -fno-PIC.

Fixes:
http://autobuild.buildroot.net/results/b92980a563fe7ee331e70f288ce041be0bf29d40/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-08-24 00:24:48 +02:00
Fabrice Fontaine 94b6fbd582 package/libmodsecurity: fix build with libmaxminddb
Build with libmaxminddb has been broken since the bump to version 3.0.5 in
commit 464d0be380 because of 785958f9b5

So revert this commit until upstream answers the comment at
https://github.com/SpiderLabs/ModSecurity/issues/2131

Reverting this commit requires autoreconfiguring, which itself causes
lots of warnings as configure.ac queries git to know the version of
various parts of libmodsecurity. However, it turns out that those
versions are only used to be displayed in the output of the configure
script, which is quite useless. The only one that is referenced
elsewhere is LIBINJECTION_VERSION, but it's in fact a different thing:
it is defined by others/libinjection/src/libinjection_sqli.c.

The only variable that was AC_SUBST() and therefore visible elsewhere
was MSC_GIT_VERSION, but it is not used anywhere in the code base,
except in the configure script itself.

Note that one patch is 0001 and the other 0003, because there was
already a 0002 patch.

Fixes:
 - http://autobuild.buildroot.org/results/4c639fd967faa06f8ae362bacd38f3409c47267c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-08-02 22:23:23 +02:00
Fabrice Fontaine 489cbfd7df package/libmodsecurity: fix static build
Fix the following static build failure with nginx, raised since the bump of
libmodsecurity to version 3.0.5 in commit
464d0be380c84ac7c3f1684e49153c3868280d7e:

/home/buildroot/autobuild/instance-2/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/10.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/instance-2/output-1/host/bin/../xtensa-buildroot-linux-uclibc/sysroot/usr/lib/libmodsecurity.a(libmodsecurity_la-transaction.o): in function `std::basic_streambuf<char, std::char_traits<char> >::sbumpc() [clone .isra.0]':
transaction.cc:(.text+0x40): undefined reference to `std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose()'

Fixes:
 - http://autobuild.buildroot.org/results/e5a9eb8448980f1c5cafe97180b7d1f48ddf02ca

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-28 21:41:45 +02:00
Fabrice Fontaine 464d0be380 package/libmodsecurity: security bump to version 3.0.5
Security Impacting Issues

    Handle URI received with uri-fragment
    [@martinhsv]

- Drop patches (already in version) and so drop autoreconf
- Static linking is supported since
  f76a1a667b
- Update indentation in hash file (two spaces)

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-15 22:42:12 +02:00
Fabrice Fontaine 82f5293d73 package/libmodsecurity: drop AC_CHECK_FILE workaround
Drop AC_CHECK_FILE workaround as it is not needed since version 3.0.4:
8af8cad907

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-15 22:41:53 +02:00
Fabrice Fontaine 87c9fd60d4 package/libmodsecurity: add CPE variables
cpe:2.3:a:trustwave:modsecurity is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Atrustwave%3Amodsecurity

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-06 11:18:24 +01:00
Fabrice Fontaine 7be9224885 package/libmodsecurity: needs threads
Fixes:
 - http://autobuild.buildroot.org/results/78391abbf87ac9c04b13d7aab7acf7d1aaade75d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-03 14:06:35 +01:00
Frank Vanbever 788a7560cb package/libmodsecurity: point to staging pcre-config
The libmodsecurity build system uses the file installed on the host if not
explicitly pointed to pcre-config in the staging dir.

Fixes:
- http://autobuild.buildroot.net/results/f936ad05bca4bb776917306700750ba6d2498ef0
  + similar failures for other architectures

Signed-off-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-02-01 10:26:29 +01:00
Frank Vanbever d9205b4da5 package/libmodsecurity: new package
The dependency on !BR2_STATIC_LIBS is due to missing Libs.private in the
libmodconfig pkg-config file making builds that statically link against
libmodsecurity fail.

Lua is disabled due to using the host libraries.

Yajl is disabled as enabling it forces the tests to be built. These tests have a
hard dependency on libmodsecurity.a which is not built when --disable-static is
used in the configuration. There is no flag to disable these tests.

Signed-off-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-30 11:26:05 +01:00