diff --git a/CVE-2025-48866.patch b/CVE-2025-48866.patch new file mode 100644 index 0000000000000000000000000000000000000000..b4e4f086260535b199aaf35e5d865f6dfdd35042 --- /dev/null +++ b/CVE-2025-48866.patch @@ -0,0 +1,25 @@ +From 614c6e18a734bd31a483abc2fa2faf217dcb81c3 Mon Sep 17 00:00:00 2001 +From: Ervin Hegedus +Date: Sat, 24 May 2025 12:04:39 +0200 +Subject: [PATCH] fix: add ARGS to sanitize list only if it's not added yet in + case of sanitizeArg + +--- + apache2/re_actions.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/apache2/re_actions.c b/apache2/re_actions.c +index 4a922d27f..febc4759e 100644 +--- a/apache2/re_actions.c ++++ b/apache2/re_actions.c +@@ -1455,8 +1455,9 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t + for (i = 0; i < tarr->nelts; i++) { + msc_arg *arg = (msc_arg *)telts[i].val; + +- if (strcasecmp(sargname, arg->name) == 0) { ++ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) { + apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg); ++ arg->marked_for_sanitization = 1; + } + } + diff --git a/mod_security.spec b/mod_security.spec index 4c5510b30db3e476dd4edb55aa951b51154f4d99..7cee26361b026e583f64cf314c6f6ae9f43b44e6 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -7,7 +7,7 @@ Name: mod_security Version: 2.9.9 -Release: 1 +Release: 2 Summary: Security module for the Apache HTTP Server License: Apache-2.0 URL: https://www.modsecurity.org/ @@ -17,6 +17,7 @@ Source2: 10-mod_security.conf Source3: modsecurity_localrules.conf Patch0001: modsecurity-2.9.3-apulibs.patch Patch0002: mod_security-2.9.8-remote-rules-timeout.patch +Patch0003: CVE-2025-48866.patch Requires: httpd httpd-mmn = %{_httpd_mmn} @@ -107,6 +108,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load %endif %changelog +* Wed Jun 25 2025 yaoxin <1024769339@qq.com> - 2.9.9-2 +- Fix CVE-2025-48866 + * Mon May 26 2025 wangkai <13474090681@163.com> - 2.9.9-1 - Update to 2.9.9 for fix CVE-2025-47947