CVE-2019-19886 (https://nvd.nist.gov/vuln/detail/CVE-2019-19886):
Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.
----
PR (merged): https://github.com/SpiderLabs/ModSecurity/pull/2202
PR (merged): https://github.com/SpiderLabs/ModSecurity/pull/2023
3.0.4 also fixes a buffer overflow in Utils::Md5::hexdigest().
PR (merged): https://github.com/SpiderLabs/ModSecurity/pull/2002
Gentoo only contains modsecurity 2.9.x, so the CVEs below are probably not applicable, as v3.x is a complete rewrite of modsecurity.
Yes, this only affects branch 3.x which we currently don't have in Gentoo. Our version in portage is unaffected.