From ${URL} :

Description

Martin Holst Swende has reported a vulnerability in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the "modsecurity_tx_init()" function (apache2/modsecurity.c), which can be exploited to bypass the HTTP request body processing via a specially crafted request using chunked encoding.

The vulnerability is reported in versions prior to 2.7.6.

Solution:
Update to version 2.7.6 or later.

Provided and/or discovered by:
Martin Holst Swende

Original Advisory:
ModSecurity: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.7.6
Martin Holst Swende: http://martin.swende.se/blog/HTTPChunked.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
2.7.7 in the tree... maybe should be stabilized
CVE-2013-5705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5705): apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
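The case-sensitivity problem named in the CVE text, as an added example that is not part of the original thread and is not ModSecurity's source: a case-sensitive match on the Transfer-Encoding value beside a check that treats coding names as case-insensitive and reads the final item of a comma-separated list. The function names and the sample header values are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-sensitive match: the class of check the CVE text describes.
 * Hypothetical helper, not ModSecurity's source. */
static int te_is_chunked_case_sensitive(const char *value)
{
    return value != NULL && strcmp(value, "chunked") == 0;
}

/* Compare n bytes of s against a lowercase literal, ignoring case. */
static int token_ieq(const char *s, size_t n, const char *lit)
{
    size_t i;
    if (strlen(lit) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != lit[i])
            return 0;
    return 1;
}

/* Hardened check: coding names are case-insensitive and the header may be
 * a comma-separated list, with chunked applied as the final coding. */
static int te_is_chunked(const char *value)
{
    const char *start, *end;
    if (value == NULL)
        return 0;
    end = value + strlen(value);
    while (end > value && (isspace((unsigned char)end[-1]) || end[-1] == ','))
        end--;                      /* drop trailing blanks and empty items */
    start = end;
    while (start > value && start[-1] != ',')
        start--;                    /* back up to the last list item */
    while (start < end && isspace((unsigned char)*start))
        start++;
    return token_ieq(start, (size_t)(end - start), "chunked");
}

int main(void)
{
    /* Constructed header values, for illustration only. */
    const char *samples[] = { "chunked", "Chunked", "gzip, CHUNKED ", "chunked, gzip" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s strict=%d hardened=%d\n", samples[i],
               te_is_chunked_case_sensitive(samples[i]), te_is_chunked(samples[i]));
    return 0;
}
```

Any component that decides whether to inspect a request body has to reach the same answer as the server that will later decode it; the two functions disagree on every value that is not exactly lowercase `chunked`.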
@arches, please stabilize the following: =www-apache/mod_security-2.7.7
amd64 stable
x86 stable
ppc stable
sparc stable. Maintainer(s), please cleanup.
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9f1f3dc99de237ca4fce5c5ee4a540900ce42ca

GLSA Vote: No.