Modsecurity 2.9.8 Released
Hi,
Modsecurity 2.9.8 has been officially released. When is it expected to be released by cPanel?
https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.8
Thanks
-
mod_security 2.9.7 was added to cPanel on the 16th of Feb 2023 (https://support.cpanel.net/hc/en-us/community/posts/19163810661911-EasyApache-February-16-Release) after being released on the 5th of Jan 2023 (https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-297/), so I would have expected 2.9.8, released in September last year, to have been added already.
It might be worth submitting it to the roadmap at https://features.cpanel.net/tabs/11-planned-roadmap/submit-idea to encourage cPanel to add it - emphasise what features you need from it that 2.9.7 doesn't currently offer (apart from a few memory leak issues and the MULTIPART HEADER check, I can't see much myself: but the change in the error log format *might* require considerable changes to the parsing cPanel does on the log files - hence why the "reward/risk" ratio may skew into the "not worth doing at the moment" side of things)
0 -
Our team has case EA-12604 open to get ModSec updated to the latest version. We're still doing some testing with it on our end, but it will hopefully be released soon.
0 -
Hi CPrex,
Do you know if OWASP CRS will also be updated from version 3.3.X (3.3.7) to 4.x.x (4.11.1)?
Thanks
0 -
At this time, no. Our team has case EA-12674 to see if it is compatible with our existing tools, but I don't have any updates about that just yet.
0 -
Thanks :)
0 -
Sure thing!
0 -
Apologies for reviving a 3-month-old thread, but this morning I see that the cPanel update is pushing out an update for all versions of ModSecurity except version 2.9.8, which is the version I am running, and I received the following error:
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.8”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
warn [modsec_vendor] The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.8”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
[root@sv01 ~]# rpm -qa | grep mod_security
ea-apache24-mod_security2-2.9.8-1.2.1.cpanel.x86_64
I did not manually select my version of ModSecurity, so the only way that I have 2.9.8 is through a previous update, or maybe today's cPanel update pushed ModSecurity to 2.9.8.
But nonetheless, I have this error. So why update to 2.9.8 only to exclude it from future updates?
I suspect I should ignore this error because, from what I understand, today's update is just saying that there is no update for my version and maybe I'll get one in the future, but it should not FAIL the update process.
0 -
BlueSteam - this is a known issue with the update process and we're tracking this with case CPANEL-47289. We have a workaround posted in the following support article, which you can also follow along with to receive updates on the case:
I'll be sure to post an update here as well once I hear something on my end!
0 -
I just spoke with the team about this and the issue has been resolved already, so you should no longer see this problem when running updates.
0 -
cPRex Thanks for letting me know. So should I run 'upcp --force' to get the update to make sure everything is fine??
0 -
There's no need to do that manually unless you really want to - it will happen as part of the nightly update.
0 -
I received this error again this morning, but this time it is for version 2.9.10, so it seems the problem is back.
[2025-06-05 02:15:07 +0200] [/usr/local/cpanel/scripts/modsec_vendor] The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.10”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “2.9.8”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
[2025-06-05 02:15:07 +0200] E [/usr/local/cpanel/scripts/modsec_vendor] The “/usr/local/cpanel/scripts/modsec_vendor update --auto” command (process 1794083) reported error number 1 when it ended.
0 -
At this point it would be best to create a ticket on this issue since I'm not seeing other complaints about the update or installation.
0 -
The previous issue went away like you said it would. This morning it came back for a different version.
0 -
I understand that, but there shouldn't be repeated failures from your server no matter what the version is, so it would be best to get it checked out as I don't have any other reports of this behavior.
0 -
Same here, three different servers, two on 126.0.19 and one on 124.0.34 (awaiting Mailman fixes):
root@xxxxx [~]# /usr/local/cpanel/scripts/modsec_vendor update --auto
info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
info [modsec_vendor] You have not configured the vendor “OWASP” to receive automatic updates.
warn [modsec_vendor] The system could not add the vendor: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.10”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “2.9.8”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.10”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “2.9.8”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
warn [modsec_vendor] The system failed to update the vendor from the URL “http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.10”. The only versions of ModSecurity this rule set supports are “2.9.0”, “2.9.2”, “2.9.3”, “2.9.4”, “2.9.5”, “2.9.6”, “2.9.7”, “2.9.8”, “3.0.0”, “3.0.1”, “3.0.2”, “3.0.3”, and “3.0.4”.
0 -
But I do not see UPCP failures this morning on any server. Not sure what's changed:
root@xxxxx [~]# /usr/local/cpanel/scripts/modsec_vendor update --auto
info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
info [modsec_vendor] You have not configured the vendor “OWASP” to receive automatic updates.
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
info [modsec_vendor] The vendor “OWASP3” is already up to date.
0 -
Yup, same for me.
I just re-ran this to test it and it seems to have gone through fine now. So not sure what's going on to be honest.
[root@sv01 ~]# /usr/local/cpanel/scripts/modsec_vendor update --auto
info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
info [modsec_vendor] The vendor “OWASP3” is already up to date.
[root@sv01 ~]#
0 -
It sounds like there was a temporary glitch in the update mirrors since it's working for both of you now without any intervention necessary.