From Secunia security advisory at $URL:
Description: A vulnerability has been reported in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error when parsing quotes within multipart requests and can be exploited to bypass certain filtering rules. The vulnerability is reported in versions prior to 2.6.6.
Solution: Update to version 2.6.6.
@maintainer: Is 2.6.6 ready to be stabilized?
Yes it is.
Arches, please test and mark stable:
=www-apache/mod_security-2.6.6
Target KEYWORDS: "amd64 ppc sparc x86"
amd64 stable
x86 stable, thanks!
ppc done
sparc stable
@security: please vote.
CVE-2012-2751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2751): ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.
CVE-2009-5031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5031): ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.
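Both CVE entries above come down to quote characters in Content-Disposition parameter values being read ambiguously, so one defensive check is to report any part header whose quoting is not strictly well-formed. The Python below is an added example, not ModSecurity's code or its actual fix. The function name `check_content_disposition`, the sample headers and the strictness policy (every single quote and every quote inside a value is reported) are assumptions made for this illustration.

```python
import re

# Parameter name followed by "=", e.g. name= or filename=
PARAM_NAME = re.compile(r"\s*([A-Za-z0-9*_-]+)=")
# Double-quoted string; backslash escapes are consumed as pairs.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Unquoted token. Stricter than the RFC token grammar on purpose:
# the single quote is excluded so it can never be part of a bare value.
TOKEN = re.compile(r"[A-Za-z0-9!#$%&*+.^_`|~-]+")
# After a value only ";" or end of header is acceptable.
SEP = re.compile(r"\s*(?:;|$)")


def check_content_disposition(value):
    """Return a list of quoting problems; an empty list means unambiguous."""
    problems = []
    dtype, _, rest = value.partition(";")
    if dtype.strip().lower() != "form-data":
        problems.append("unexpected disposition type: %r" % dtype.strip())
    rest, pos = rest.strip(), 0
    while pos < len(rest):
        m = PARAM_NAME.match(rest, pos)
        if not m:
            problems.append("unparseable parameter at offset %d" % pos)
            break
        name, pos = m.group(1).lower(), m.end()
        m = QUOTED.match(rest, pos) or TOKEN.match(rest, pos)
        if not m:
            problems.append("%s: value is neither a token nor a quoted string" % name)
            break
        raw = m.group(1) if m.re is QUOTED else m.group(0)
        # Assumption for this example: any quote character inside a value
        # (even an escaped one) is treated as ambiguous and reported.
        if "'" in raw or '"' in raw:
            problems.append("%s: quote character inside value" % name)
        pos = m.end()
        m = SEP.match(rest, pos)
        if not m:
            problems.append("%s: trailing data after value" % name)
            break
        pos = m.end()
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not taken from the advisory.
    for header in ('form-data; name="comment"; filename="notes.txt"',
                   'form-data; name="a\'b"',
                   "form-data; name=a'b"):
        print(header, "->", check_content_disposition(header) or "ok")
```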
Thanks, everyone. GLSA vote: no.
Thanks, folks. GLSA Vote: no too. Closing noglsa.