| Summary: | <www-apache/mod_security-2.7.0: multipart/invalid part ruleset bypass (CVE-2012-4528) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs, flameeyes |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/fulldisclosure/2012/Oct/113 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2012-10-17 17:33:36 UTC
Status update.

I'm testing ModSec 2.7 on my blog. It requires modsecurity-crs-2.2.6 as well to work or Apache won't start. But even then the optional/experimental rules won't work. So I'm not sure.

Can somebody judge the severity and tell me how much I should push for this?

(In reply to comment #1)
> Status update.
>
> I'm testing ModSec 2.7 on my blog. It requires modsecurity-crs-2.2.6 as well
> to work or Apache won't start. But even then the optional/experimental rules
> won't work. So I'm not sure.
>
> Can somebody judge the severity and tell me how much should I push for this?

If you were looking for a severity rating from the security team: attackers would be able to bypass filtering rules. Target delay: 20 days.

Sounds good, feel free to ask for stable whenever it's convenient; my tests are vastly (although not absolutely) positive.

Arches, please test and mark stable:
=www-apache/mod_security-2.7.0
Target KEYWORDS="amd64 ppc sparc x86"

amd64 stable

x86 done, together with modsecurity-crs-2.2.6-r1.

stable

ppc sparc stable

Thanks, everyone. GLSA vote: no.

Vote: no. Closing noglsa.
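The only hard facts this thread gives a practitioner are the affected range in the summary, `<www-apache/mod_security-2.7.0`, and that the fix was stabilised together with `modsecurity-crs-2.2.6-r1`. The following is an added example, not code from the Gentoo bug or from the ModSecurity project: it parses Gentoo-style atoms and versions (digits, dots and an optional `-rN` revision only; suffixes such as `_p` or `_rc` are not handled) and reports whether an installed package set falls inside that range. The `>=` operator applied to the CRS companion is an assumption, since the thread only says the two were stabilised together; the `installed` dictionary is constructed input standing in for what `qlist -Iv` from portage-utils would report on a real host.

```python
import re

# Taken from the page: the affected range in the bug summary.
AFFECTED_ATOM = "<www-apache/mod_security-2.7.0"
# Assumption: the thread stabilised mod_security-2.7.0 together with
# modsecurity-crs-2.2.6-r1; treating that as a ">=" requirement is ours.
COMPANION_ATOM = ">=www-apache/modsecurity-crs-2.2.6-r1"

# Simplified Gentoo version grammar: dotted integers plus optional "-rN".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")
# Atom: optional operator, category/package, "-" and a version to end of string.
_ATOM_RE = re.compile(r"(<=|>=|<|>|=)?(.+?)-(\d+(?:\.\d+)*(?:-r\d+)?)")


def parse_version(v):
    """'2.2.6-r1' -> ((2, 2, 6), 1); '2.7.0' -> ((2, 7, 0), 0)."""
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a three-way compare; 2.7 and 2.7.0 compare equal."""
    an, ar = parse_version(a)
    bn, br = parse_version(b)
    width = max(len(an), len(bn))
    an += (0,) * (width - len(an))
    bn += (0,) * (width - len(bn))
    ka, kb = (an, ar), (bn, br)
    return (ka > kb) - (ka < kb)


def parse_atom(atom):
    """'<www-apache/mod_security-2.7.0' -> ('<', 'www-apache/mod_security', '2.7.0')."""
    m = _ATOM_RE.fullmatch(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    op, pkg, ver = m.groups()
    return op or "=", pkg, ver


def atom_matches(atom, pkg, ver):
    """True if installed pkg/ver satisfies the atom's operator and version."""
    op, apkg, aver = parse_atom(atom)
    if pkg != apkg:
        return False
    c = compare_versions(ver, aver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def assess(installed):
    """installed: {'category/package': 'version'}. Returns a list of findings."""
    findings = []
    ms = installed.get("www-apache/mod_security")
    if ms is None:
        return findings  # nothing to assess on this host
    if atom_matches(AFFECTED_ATOM, "www-apache/mod_security", ms):
        findings.append(
            f"www-apache/mod_security-{ms} is inside {AFFECTED_ATOM}: "
            "multipart/invalid part ruleset bypass (CVE-2012-4528)"
        )
        return findings
    # Fixed mod_security present: check the CRS companion the thread stabilised with it.
    crs = installed.get("www-apache/modsecurity-crs")
    if crs is None or not atom_matches(COMPANION_ATOM, "www-apache/modsecurity-crs", crs):
        findings.append(
            f"www-apache/modsecurity-crs {crs or 'missing'} does not satisfy {COMPANION_ATOM}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample host, not real inventory data.
    sample_host = {"www-apache/mod_security": "2.6.8",
                   "www-apache/modsecurity-crs": "2.2.5"}
    for line in assess(sample_host):
        print(line)
```

The comparison deliberately pads shorter version tuples with zeros so that `2.7` and `2.7.0` are the same release, and treats the `-rN` revision as a trailing key, which is how `2.2.6-r1` ends up newer than `2.2.6`. On a real host, feed `assess` the installed package list instead of the constructed sample.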