[Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882

Peter Korsgaard peter at korsgaard.com
Sat Aug 26 20:06:23 UTC 2023


>>>>> "Frank" == Frank Vanbever via buildroot <buildroot at buildroot.org> writes:

 > Fixes the following issue:
 > - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
 >   a denial of service (worker crash and unresponsiveness) because some inputs
 >   cause a segfault in the Transaction class for some configurations.

 >   https://security-tracker.debian.org/tracker/CVE-2023-28882

 > Signed-off-by: Frank Vanbever <frank.vanbever at mind.be>

Sorry for the slow response.

We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
big that it makes sense to add this patch rather than just bumping to
3.0.9, especially given that 3.0.10 contained another security fix?

Looking at the 3.0.9 release notes, it seems to be almost entirely
fixes:

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

-- 
Bye, Peter Korsgaard
