karljohns0n / nginx-more

Development repository for nginx-more package
MIT License

Cannot configure limit on depth of JSON parsing #30

Closed skrlance closed 2 years ago

skrlance commented 2 years ago

Libmodsecurity v3.0.6 supports a configurable limit on the depth of JSON parsing, i.e. a possible DoS issue was fixed in this version.

Can we get this update to fix the security issue?

Thanks!

karljohns0n commented 2 years ago

Hi, sure I'll bump libmodsecurity to 3.0.6, I thought I already did it! It should be in the stable repo in the next few days.

karljohns0n commented 2 years ago

Packages are now in the testing repo:

[root@68b82ac3a93d ~]# dnf --enablerepo=aeris-testing update nginx-more libmodsecurity
Last metadata expiration check: 0:01:06 ago on Thu May 19 17:11:02 2022.
Dependencies resolved.
=========================================================================================================================================================================================================================================================================
 Package                                                                       Architecture                                           Version                                                        Repository                                                     Size
=========================================================================================================================================================================================================================================================================
Upgrading:
 libmodsecurity                                                                x86_64                                                 3.0.6-1.el8                                                    aeris-testing                                                 597 k
 nginx-more                                                                    x86_64                                                 1.20.2-4.el8                                                   aeris-testing                                                 6.2 M
 nginx-more-module-modsecurity                                                 x86_64                                                 1.20.2-4.el8                                                   aeris-testing                                                  24 k

Transaction Summary
=========================================================================================================================================================================================================================================================================
Upgrade  3 Packages

skrlance commented 2 years ago

I shall wait for the stable ones