[Buildroot] [PATCH] package/modsecurity2: security bump to v2.9.12

Titouan Christophe titouan.christophe at mind.be
Mon Oct 13 16:21:58 UTC 2025


See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12

This fixes the following vulnerabilities:
- CVE-2025-52891:
    ModSecurity is an open source, cross platform web application firewall
    (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
    2.9.11, an empty XML tag can cause a segmentation fault. If
    SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
    application/xml, and at least one XML tag is empty (eg <foo></foo>),
    then a segmentation fault occurs. This issue has been patched in
    version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
    Off.
    https://www.cve.org/CVERecord?id=CVE-2025-52891

- CVE-2025-54571:
    ModSecurity is an open source, cross platform web application firewall
    (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
    an attacker can override the HTTP response’s Content-Type, which could
    lead to several issues depending on the HTTP scenario. For example, we
    have demonstrated the potential for XSS and arbitrary script source
    code disclosure in the latest version of mod_security2. This issue is
    fixed in version 2.9.12.
    https://www.cve.org/CVERecord?id=CVE-2025-54571

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
 package/modsecurity2/modsecurity2.hash | 4 ++--
 package/modsecurity2/modsecurity2.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/modsecurity2/modsecurity2.hash b/package/modsecurity2/modsecurity2.hash
index 186e13d766..3e6019d043 100644
--- a/package/modsecurity2/modsecurity2.hash
+++ b/package/modsecurity2/modsecurity2.hash
@@ -1,5 +1,5 @@
-# From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.10/modsecurity-v2.9.10.tar.gz.sha256
-sha256  081cda52975494139922fa4b54f474fed8a6db4b7f586cb0d3aeec635f7a4d53  modsecurity-v2.9.10.tar.gz
+# From https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.12/modsecurity-v2.9.12.tar.gz.sha256
+sha256  79ada8693303be3490201397344bf66900a45f07ae328bf6cf01ca99e5d135fa  modsecurity-v2.9.12.tar.gz
 
 # Locally computed
 sha256  2c564f5a67e49e74c80e5a7dcacd1904e7408f1fd6a95218b38c04f012d94cb9  LICENSE
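
Review bot: The LICENSE entry under "# Locally computed" is carried over unchanged while the tarball moves from v2.9.10 to v2.9.12, which skips over v2.9.11. Please confirm that the legal-info check was run against the new tarball and that the LICENSE hash still matches, and say so in the commit message so the unchanged value is known to be verified rather than assumed.
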
diff --git a/package/modsecurity2/modsecurity2.mk b/package/modsecurity2/modsecurity2.mk
index 402ba6317b..0754d5c907 100644
--- a/package/modsecurity2/modsecurity2.mk
+++ b/package/modsecurity2/modsecurity2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MODSECURITY2_VERSION = 2.9.10
+MODSECURITY2_VERSION = 2.9.12
 MODSECURITY2_SOURCE = modsecurity-v$(MODSECURITY2_VERSION).tar.gz
 MODSECURITY2_SITE = https://github.com/owasp-modsecurity/ModSecurity/releases/download/v$(MODSECURITY2_VERSION)
 MODSECURITY2_LICENSE = Apache-2.0
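
Review bot: The 2.9.10 value removed at MODSECURITY2_VERSION falls inside the affected range the commit message gives for both CVEs ("2.9.8 to before 2.9.11" and "2.9.11 and below"), so any maintained branch still carrying 2.9.10 is exposed to both. Please flag this bump for backport to those branches, and consider noting in the commit message that the SecParseXmlIntoArgs Off workaround only covers CVE-2025-52891, not the Content-Type override.
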
-- 
2.51.0


