Bug 304147 - <www-apache/mod_security-2.5.12: possible multiple vulnerabilities
Summary: <www-apache/mod_security-2.5.12: possible multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-09 17:19 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2010-11-21 16:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-02-09 17:19:29 UTC
From the 2.5.12 announcement:

“This release fixes several important issues to help prevent a detection bypass and denial of service attacks against ModSecurity.”

Full changelog for this release:

 * Fixed SecUploadFileMode to set the correct mode.

 * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

 * Added additional file info definitions introduced in APR 0.9.5 so that
   build will work with older APRs (IBM HTTP Server v6).

 * Added SecUploadFileLimit to limit the number of uploaded file parts that
   will be processed in a multipart POST.  The default is 100.

 * Fixed path normalization to better handle backreferences that extend
   above root directories.  Reported by Sogeti/ESEC R&D.

 * Trim whitespace around phrases used with @pmFromFile and allow
   for both LF and CRLF terminated lines.

 * Allow for more robust parsing for multipart header folding.  Reported
   by Sogeti/ESEC R&D.

 * Fixed failure to match internally set TX variables with regex
   (TX:/.../) syntax.
 
 * Fixed failure to log full internal TX variable names and populate
   MATCHED_VAR* vars.

 * Enabled PCRE "studying" by default.  This is now a configure-time option.

 * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
   aid in REDoS type attacks.  A rule that goes over the limits will set
   TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
   of ModSecurity (2.6.x) will move these flags to a dedicated collection.

 * Reduced default PCRE match limits reducing impact of REDoS on poorly
   written regex rules.  Reported by Sogeti/ESEC R&D.

 * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.

 * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

 * Update copyright to 2010.

 * Reserved 700,000-799,999 IDs for Ivan Ristic.

 * Fixed SecAction not working when CONNECT request method is used
   (MODSEC-110). [Ivan Ristic]

 * Do not escape quotes in macro resolution and only escape NUL in setenv
   values.
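
As an added illustration (not part of the bug report or of the ModSecurity announcement quoted above), the following ModSecurity 2.5.12 configuration sets the two new limit directives named in the changelog and logs whenever a rule trips the PCRE budget via TX:MSC_PCRE_LIMITS_EXCEEDED. The limit values and the rule id 900100 are assumed for illustration, not project defaults.

```apache
# Added example, not from the bug report or the ModSecurity 2.5.12 changelog.
# Limit values and rule id 900100 are illustrative choices, not project defaults.

# Cap how many parts of a multipart POST body are inspected (changelog default: 100).
# Fewer parts bounds the work an attacker can force per request.
SecUploadFileLimit 50

# Bound PCRE backtracking so a pathological input against a poorly written
# regex fails fast instead of pinning an httpd worker (REDoS).
# A rule that exceeds either limit stops matching and ModSecurity sets
# TX:MSC_PCRE_LIMITS_EXCEEDED for the transaction.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Surface limit hits in the audit log so the offending regex can be reviewed.
# phase:5 (logging) runs after every other rule has executed, so the flag is final.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "phase:5,id:900100,t:none,pass,log,auditlog,\
    msg:'PCRE match limit exceeded; review the regex in the rule that hit it'"
```

Lowering the match limits does not block anything by itself; a rule that hits the limit simply fails to match, so the logging rule is what tells you which inputs and rules need attention.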
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-09 23:29:54 UTC
Can this go stable?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-02-10 07:39:38 UTC
I'll let you know today, I need to check this on my blog to make sure they didn't break HTTP Parameter Pollution further…
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-02-10 09:16:02 UTC
Feels like good to go for me.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 08:16:32 UTC
Arches, please test and mark stable:
=www-apache/mod_security-2.5.12
Target keywords : "amd64 ppc sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-05 12:30:00 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2010-03-07 14:52:07 UTC
amd64 stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:07:16 UTC
Marked ppc stable.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-03-14 19:22:46 UTC
sparc stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:15:12 UTC
GLSA Vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:27:47 UTC
Vote: NO, closing noglsa.