From Secunia: Two vulnerabilities have been reported in ModSecurity, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) An error in the PDF XSS protection implementation can be exploited to cause a crash via a specially crafted HTTP request. Successful exploitation requires that PDF XSS protection is enabled (disabled by default). 2) An error when parsing multipart requests can be exploited to cause a crash via multipart content with a missing part header name.
chtekk, apache guys: Please bump to 2.5.9. (http://sourceforge.net/project/shownotes.php?release_id=667542)
Created attachment 188238 [details] ebuild for version 2.5.9 This is my quick and dirty approach for an 2.5.9 ebuild that built fine for me (x86 arch). This is basically the 2.5.7 ebuild with "econf --with-apxs="${APXS}" \" commented out.
I've added a 2.5.9 ebuild with the proper fix for the broken autotools (also reported upstream).
Arches, please test and mark stable: =www-apache/mod_security-2.5.9 Target keywords : "amd64 ppc sparc x86"
amd64/x86 stable
ppc done
sparc stable
ebuild doesn't work for me: config.status: creating mod_security2_config.h apxs:Error: Unknown option: s. Usage: apxs -g [-S <var>=<val>] -n <modname> apxs -q [-S <var>=<val>] <query> ... apxs -c [-S <var>=<val>] [-o <dsofile>] [-D <name>[=<value>]] [-I <incdir>] [-L <libdir>] [-l <libname>] [-Wc,<flags>] [-Wl,<flags>] [-p] <files> ... apxs -i [-S <var>=<val>] [-a] [-A] [-n <modname>] <dsofile> ... apxs -e [-S <var>=<val>] [-a] [-A] [-n <modname>] <dsofile> ... make: *** [mod_security2.la] Fehler 1 * * ERROR: www-apache/mod_security-2.5.9 failed. * Call stack: * ebuild.sh, line 48: Called src_compile * environment, line 2871: Called die * The specific snippet of code: * emake APXS_CFLAGS="${CFLAGS}" APXS_LDFLAGS="${LDFLAGS}" APXS_EXTRA_CFLAGS="${APXS_FLAGS}" || die "emake failed" * The die message: * emake failed
(In reply to comment #8) > ebuild doesn't work for me: > Please file a new bug for this. GLSA voting: I say YES.
(In reply to comment #9) > (In reply to comment #8) > > ebuild doesn't work for me: > Please file a new bug for this. .. and mark it as blocking thi bug.
(In reply to comment #10) > .. and mark it as blocking thi bug. > bug 272401, already resolved. (Broken LDFLAGS on the user's machine)
CVE-2009-1902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1902): The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference. CVE-2009-1903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1903): The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method.
Yes, too.
Request was filed.
GLSA 200907-02