diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..f087b429e2f81a9f37b28a8308e2210f84df6c9b
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.tar.gz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..4861c71a0a9d5923a142239da6075b9eecbcc32c
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/mod_security
diff --git a/CVE-2025-48866.patch b/CVE-2025-48866.patch
deleted file mode 100644
index b4e4f086260535b199aaf35e5d865f6dfdd35042..0000000000000000000000000000000000000000
--- a/CVE-2025-48866.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 614c6e18a734bd31a483abc2fa2faf217dcb81c3 Mon Sep 17 00:00:00 2001
-From: Ervin Hegedus
-Date: Sat, 24 May 2025 12:04:39 +0200
-Subject: [PATCH] fix: add ARGS to sanitize list only if it's not added yet in
- case of sanitizeArg
-
---
- apache2/re_actions.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/apache2/re_actions.c b/apache2/re_actions.c
-index 4a922d27f..febc4759e 100644
---- a/apache2/re_actions.c
-+++ b/apache2/re_actions.c
-@@ -1455,8 +1455,9 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t
- for (i = 0; i < tarr->nelts; i++) {
- msc_arg *arg = (msc_arg *)telts[i].val;
-
-- if (strcasecmp(sargname, arg->name) == 0) {
-+ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
- apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
-+ arg->marked_for_sanitization = 1;
- }
- }
-
diff --git a/mod_security.spec b/mod_security.spec
index 7cee26361b026e583f64cf314c6f6ae9f43b44e6..4e92e71fb43f0d8f0cf90b97348b80d15f80918a 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -6,8 +6,8 @@
 %global mod_audit_log_collector 0
 Name: mod_security
-Version: 2.9.9
-Release: 2
+Version: 2.9.11
+Release: 1
 Summary: Security module for the Apache HTTP Server
 License: Apache-2.0
 URL: https://www.modsecurity.org/
@@ -17,8 +17,6 @@ Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
 Patch0001: modsecurity-2.9.3-apulibs.patch
 Patch0002: mod_security-2.9.8-remote-rules-timeout.patch
-Patch0003: CVE-2025-48866.patch
-
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel pcre2-devel
@@ -108,6 +106,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 %endif
 %changelog
+* Fri Jul 04 2025 wangkai <13474090681@163.com> - 2.9.11-1
+- Update to 2.9.11 for fix CVE-2025-52891
+
 * Wed Jun 25 2025 yaoxin <1024769339@qq.com> - 2.9.9-2
 - Fix CVE-2025-48866
diff --git a/modsecurity-v2.9.11.tar.gz b/modsecurity-v2.9.11.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..6e96af1d3a7951818af0bf27ec79bb1baa075d95
--- /dev/null
+++ b/modsecurity-v2.9.11.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1fe16eb96b6093f062cef73ec8b7ae481a59813766d49a7f5e4d1b85900e239e
+size 4356754
diff --git a/modsecurity-v2.9.9.tar.gz b/modsecurity-v2.9.9.tar.gz
deleted file mode 100644
index f3649b8e3b452c031dd1d8e826cc1d896eef1e00..0000000000000000000000000000000000000000
Binary files a/modsecurity-v2.9.9.tar.gz and /dev/null differ
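Review bot: Dropping `Patch0003: CVE-2025-48866.patch` in the `@@ -17,8 +17,6 @@` hunk is only safe if the 2.9.11 tarball already carries upstream commit 614c6e18a734bd31a483abc2fa2faf217dcb81c3 (the `marked_for_sanitization` guard in `msre_action_sanitizeArg_execute`), and nothing on this page records that check; the new `%changelog` entry in the `@@ -108,6 +106,9 @@` hunk names only CVE-2025-52891. Make the entry say so, e.g. `- Update to 2.9.11, which fixes CVE-2025-52891 and includes the upstream fix for CVE-2025-48866 (drop CVE-2025-48866.patch)`, so the patch removal stays traceable from the package history. It is also worth confirming during review that `apache2/re_actions.c` in the unpacked 2.9.11 source still contains that guard, since a silent regression would reopen the sanitizeArg issue without any visible change to this spec. The sha256 `oid` in the new LFS pointer for modsecurity-v2.9.11.tar.gz is the only integrity value on this page; compare it against the upstream release checksum before merging.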