Inquiry About Upgrading ModSecurity Version Bundled with Ubuntu...
15 views
Skip to first unread message
Michael Bullut
Jun 16, 2025, 8:28:37 AMJun 16
to modsecurity-core...@owasp.org
Good Afternoon Team,
I hope this e-mail finds you well.
I am reaching out to inquire about the process or recommendations for upgrading the version of ModSecurity that is bundled with Ubuntu. As you may know, Ubuntu’s repositories often include older versions of software, and I’ve noticed that the provided ModSecurity package is not the latest release.
Please advise on the best way to upgrade ModSecurity to the newest version on Ubuntu, specifically:
I am reaching out to inquire about the process or recommendations for upgrading the version of ModSecurity that is bundled with Ubuntu. As you may know, Ubuntu’s repositories often include older versions of software, and I’ve noticed that the provided ModSecurity package is not the latest release.
Please advise on the best way to upgrade ModSecurity to the newest version on Ubuntu, specifically:
- Are there official or recommended repositories or PPAs for obtaining the latest stable version of ModSecurity?
- Does the ModSecurity CRS team provide guidance or documentation for such upgrades?
- Are there any compatibility considerations when upgrading ModSecurity alongside the Core Rule Set?
Ervin Hegedüs
Jun 16, 2025, 8:53:18 AMJun 16
to Michael Bullut, modsecurity-core...@owasp.org
Hi Michael,
On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core Rule Set project wrote:
> I am reaching out to inquire about the process or recommendations for
> upgrading the version of ModSecurity that is bundled with Ubuntu. As you
> may know, Ubuntu’s repositories often include older versions of software,
> and I’ve noticed that the provided ModSecurity package is not the latest
> release.
yes, this is a policy in case of most stable Linux distributions.
> Please advise on the best way to upgrade ModSecurity to the newest version
> on Ubuntu, specifically:
>
> 1. Are there official or recommended repositories or PPAs for obtaining
supported Debian and Ubuntu systems:
https://modsecurity.digitalwave.hu
Note, that this repository provides only CRS 3.3, there is no
package for CRS 4 yet.
> 2. Does the ModSecurity CRS team provide guidance or documentation for
> such upgrades?
Uhm, sorry to ask, but are you looking for a documentation for
CRS or for ModSecurity?
> 3. Are there any compatibility considerations when upgrading ModSecurity
There we added a new conf file, REQUEST-922-MULTIPART-ATTACK, which
requires ModSecurity 2.9.6 or 3.0.8.
https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-922-MULTIPART-ATTACK.conf#L16
I think there is no other depedendency.
Regards,
a.
On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core Rule Set project wrote:
> I am reaching out to inquire about the process or recommendations for
> upgrading the version of ModSecurity that is bundled with Ubuntu. As you
> may know, Ubuntu’s repositories often include older versions of software,
> and I’ve noticed that the provided ModSecurity package is not the latest
> release.
> Please advise on the best way to upgrade ModSecurity to the newest version
> on Ubuntu, specifically:
>
> the latest stable version of ModSecurity?
it's not an official, but here you can find the packages for all
supported Debian and Ubuntu systems:
https://modsecurity.digitalwave.hu
Note, that this repository provides only CRS 3.3, there is no
package for CRS 4 yet.
> 2. Does the ModSecurity CRS team provide guidance or documentation for
> such upgrades?
Uhm, sorry to ask, but are you looking for a documentation for
CRS or for ModSecurity?
> 3. Are there any compatibility considerations when upgrading ModSecurity
> alongside the Core Rule Set?
The last compatibility requirement was when we released CRS 3.3.3.
There we added a new conf file, REQUEST-922-MULTIPART-ATTACK, which
requires ModSecurity 2.9.6 or 3.0.8.
https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-922-MULTIPART-ATTACK.conf#L16
I think there is no other depedendency.
Regards,
a.
Reply all
Reply to author
Forward
0 new messages