Older ModSecurity (2.9.5) with Ubuntu 22.04 LTS blocking updates to ModSecurity Core Rule Set.

Asked by Martin Hudec

Hello,

Newer versions of the OWASP ModSecurity Core Rule Set require a newer ModSecurity package (>2.9.6 or >3.0.8) or an older one with backported patches, but Ubuntu 22.04 LTS provides ModSecurity version 2.9.5 with the last changes from October 2021... any plans to address this? Or should I just uninstall it and compile from sources?

More information:
Important Notice: From CRS 3.2.2, 3.3.3 and up, ModSecurity 2.9.6 or 3.0.8 (or versions with backported patches) are required due to the addition of new protections. We recommend upgrading your ModSecurity as soon as possible. If your ModSecurity is too old, your webserver will refuse to start with an Unknown variable: &MULTIPART_PART_HEADERS error. If you are in trouble, you can temporarily delete file rules/REQUEST-922-MULTIPART-ATTACK.conf as a workaround and get your server up, however, you will be missing some protections. Therefore we recommend to upgrade ModSecurity before deploying this release.

Regards,
 Martin

Question information

Language: English
Status: Solved
For: Ubuntu modsecurity-apache
Assignee: No assignee
Solved by: Martin Hudec

Manfred Hampl (m-hampl) said :
#1

There is a backport of the 2.9.6 version for Ubuntu 22.04 in a PPA, https://launchpad.net/~mapreri/+archive/ubuntu/modsecurity
Maybe that helps for the moment.

If you rate the issue important enough, then you might consider creating a bug report to request an official backport.
See https://wiki.ubuntu.com/UbuntuBackports

Martin Hudec (martinhudec) said :
#2

Thank you, Manfred, yes, this definitely helps (I already use a similar approach for Apache and PHP and did not think about it in this case...).

Have a great day,
 Martin

Martin Hudec (martinhudec) said :
#3

Note: it is supposed to say >=2.9.6 or >=3.0.8 in the ModSecurity package requirements in the question description, I made a mistake there.
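
A pre-upgrade check for the situation discussed in this thread, added here as an example and not taken from the thread, Ubuntu or the CRS project: it reports whether a CRS rules directory references `MULTIPART_PART_HEADERS` while the installed engine is below the 2.9.6 / 3.0.8 minimum. The function names, the binary package name `libapache2-mod-security2` and the rules path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# ver_ge A B: true when version A >= B (relies on GNU "sort -V").
ver_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# engine_ok VERSION: true when a ModSecurity version meets the minimum the
# CRS notice quotes (2.9.6 on the 2.x line, 3.0.8 on the 3.x line).
# Accepts Debian-style strings such as "2.9.5-1" (epoch/revision stripped).
# Caveat: an older package carrying backported patches is reported as too
# old, because the version string cannot show the backport.
engine_ok() {
  v=${1#*:}          # drop an epoch such as "1:"
  v=${v%%[-+~]*}     # drop the Debian revision / suffix
  case $v in
    2.*) ver_ge "$v" 2.9.6 ;;
    3.*) ver_ge "$v" 3.0.8 ;;
    *)   return 2 ;;
  esac
}

# rules_need_multipart_var DIR: true when any rule file under DIR uses the
# variable that old engines reject with "Unknown variable".
rules_need_multipart_var() {
  grep -rqs 'MULTIPART_PART_HEADERS' "$1"
}

# preflight VERSION DIR: exit status 1 means the web server would refuse to
# start with these rules on this engine.
preflight() {
  if ! rules_need_multipart_var "$2"; then
    echo "ok: rules in $2 do not reference MULTIPART_PART_HEADERS"; return 0
  fi
  if engine_ok "$1"; then
    echo "ok: ModSecurity $1 meets the CRS minimum"; return 0
  fi
  echo "blocked: ModSecurity $1 is below 2.9.6/3.0.8; upgrade the engine first"
  return 1
}

# Usage on a host (package name and rules path are assumptions):
#   preflight "$(dpkg-query -W -f='${Version}' libapache2-mod-security2)" \
#             /usr/share/modsecurity-crs/rules
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Running `apachectl configtest` after the upgrade remains the authoritative check, since it loads the rules with the actual engine.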