Varnish WAF 1.2.2 is a maintenance release. The headline change is an update of the vendored ModSecurity library to 3.0.15, which brings a number of upstream security and stability fixes. The release also expands the set of supported package platforms.
The notable changes are highlighted below. Please see the changelog for the complete list of changes.
The vendored ModSecurity library has been updated from 3.0.14 to 3.0.15. The most notable upstream security fix is for CVE-2026-42268, an unsigned integer underflow in the verify* operators.
ModSecurity 3.0.15 also contains the upstream fix for CVE-2026-30923, a buffer overflow in hex_decode.cc. This issue was discovered independently and already fixed in Varnish WAF 1.2.1 via a local patch; with 1.2.2 that patch is dropped in favor of the upstream fix. The regression test from 1.2.1 is retained to verify that the upstream fix behaves as expected.
See the ModSecurity 3.0.15 release notes for the full list of upstream changes.
Packages are now also built and published for Ubuntu 26.04 (Resolute Raccoon).