package/modsecurity2: security bump to v2.9.10
Fixes the following security issues:
- CVE-2025-47947: Versions up to and including 2.9.8 are vulnerable to
denial of service in one special case (in stable released versions):
when the payload's content type is application/json, and there is at
least one rule which does a sanitiseMatchedBytes action. A patch is
available at pull request 3389 and expected to be part of version
2.9.9. No known workarounds are available.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-47947
- https://github.com/owasp-modsecurity/ModSecurity/pull/3389
- CVE-2025-48866: Versions prior to 2.9.10 contain a denial of service
vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The
`sanitiseArg` (and `sanitizeArg` - this is the same action but an
alias) is vulnerable to adding an excessive number of arguments,
thereby leading to denial of service. Version 2.9.10 fixes the issue.
As a workaround, avoid using rules that contain the `sanitiseArg` (or
`sanitizeArg`) action.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-48866
- https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e
For more details on the version bump, see:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.9
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.10
This patch also changes the _SOURCE variable, which now includes a 'v'
prefix before the version.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: update hash source url in hash file comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>