Hi Michael,
On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core Rule Set project wrote:
> I am reaching out to inquire about the process or recommendations for
> upgrading the version of ModSecurity that is bundled with Ubuntu. As you
> may know, Ubuntu’s repositories often include older versions of software,
> and I’ve noticed that the provided ModSecurity package is not the latest
> release.
yes, this is a policy in case of most stable Linux distributions.
> Please advise on the best way to upgrade ModSecurity to the newest version
> on Ubuntu, specifically:
>
> 1. Are there official or recommended repositories or PPAs for obtaining
> the latest stable version of ModSecurity?
it's not an official, but here you can find the packages for all
supported Debian and Ubuntu systems:
https://modsecurity.digitalwave.hu
Note, that this repository provides only CRS 3.3, there is no
package for CRS 4 yet.
> 2. Does the ModSecurity CRS team provide guidance or documentation for
> such upgrades?
Uhm, sorry to ask, but are you looking for a documentation for
CRS or for ModSecurity?
> 3. Are there any compatibility considerations when upgrading ModSecurity
> alongside the Core Rule Set?
The last compatibility requirement was when we released CRS 3.3.3.
There we added a new conf file, REQUEST-922-MULTIPART-ATTACK, which
requires ModSecurity 2.9.6 or 3.0.8.
https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-922-MULTIPART-ATTACK.conf#L16
I think there is no other depedendency.
Regards,
a.