libmodsecurity bump version and fix CVE-2020-15598

[tnias]

Motivation for this change

I am using this software and there are patches.

There is a dispute whether this is a vuln or not:

• https://coreruleset.org/20200914/cve-2020-15598/
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-regular-expressions-and-disputed-cve-2020-15598/
• NIST has not published anything yet: https://nvd.nist.gov/vuln/detail/CVE-2020-15598
• related upstream issue: ModSecurity, Regular Expressions and Disputed CVE-2020-15598 owasp-modsecurity/ModSecurity#2401

Things done

Bumped the version. Applied the patch. Rebuilt the server. The website is still working and modsecurity still blocks shady requests.

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

CC maintainer: @Izorkin

[ajs124]

If upstream doesn't consider it an issue where does this patch come from and what exactly does it do?

[tnias]

Patch was taken from the corerulesset blog post and the PR should reproduce the recommended build instructions.

[...] Since Trustwave does not want to release a new version, we are providing you with a backported patch for the vanilla ModSecurity 3.0.4. Please note that this is the patch that the Debian packaging team as well as NGINX will be using for their security updates.

cve-2020-15598.patch

This patch is a backport of the git commit, that brings back the former behavior of the regular expression matching. [...]

As I understand the issue: Matching behaviour changed from version 2.x to 3.x, and some rules (in the coreruleset) can now trigger resource exhaustion. CRS team wants modsecurity to fix it (that is what the patch should do). Modsecurity team wants CRS to fix their rules.

[dune73]

CRS project here: Vendor has reverted behavior but refuses to release an update. The patch in question is derived from the official tree of the vendor. It's also the patch that NGINX Plus uses and the one that Debian is going to use (but has not pushed to the repo yet).