Secunia wrote: A vulnerability has been reported in ModSecurity, which potentially can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within the transformation caching, which may be exploited to evade ModSecurity under certain unspecified circumstances. Successful exploitation requires that "SecCacheTransformations" is enabled. Note: It was also reported that this option is unstable and may crash the web server. The vulnerability is reported in version 2.5.0 through 2.5.5. SOLUTION: Update to version 2.5.6. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://blog.modsecurity.org/2008/08/transformation.html http://freshmeat.net/projects/modsecurity/?branch_id=34901&release_id=282329
ping, apache herd please bump.
CVE-2008-5676: Multiple unspecified vulnerabilities in the ModSecurity (aka mod_security) module 2.5.0 through 2.5.5 for the Apache HTTP Server, when SecCacheTransformations is enabled, allow remote attackers to cause a denial of service (daemon crash) or bypass the product's functionality via unknown vectors related to "transformation caching." Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5676
*ping*
2.5.6 in cvs
Thanks, closing since this only affected ~arch.
