
Bug 719250 (CVE-2019-11387, CVE-2019-11388, CVE-2019-11389, CVE-2019-11390, CVE-2019-11391)

Summary: <www-apache/modsecurity-crs-3.3.0: Multiple vulnerabilities (CVE-2019-{11387,11388,11389,11390,11391})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hydrapolic, moixa
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/17741
https://github.com/gentoo/gentoo/pull/18826
Whiteboard: B3 [noglsa cve]
Package list: www-apache/modsecurity-crs-3.3.0
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-24 14:29:14 UTC
CVE-2019-11391 (https://nvd.nist.gov/vuln/detail/CVE-2019-11391):
  An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through
  3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote
  attackers to cause a denial of service (ReDOS) by entering a specially
  crafted string with $a# at the beginning and nested repetition operators.

CVE-2019-11390 (https://nvd.nist.gov/vuln/detail/CVE-2019-11390):
  An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through
  3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote
  attackers to cause a denial of service (ReDOS) by entering a specially
  crafted string with set_error_handler# at the beginning and nested
  repetition operators.

CVE-2019-11389 (https://nvd.nist.gov/vuln/detail/CVE-2019-11389):
  An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through
  3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote
  attackers to cause a denial of service (ReDOS) by entering a specially
  crafted string with next# at the beginning and nested repetition operators.

CVE-2019-11388 (https://nvd.nist.gov/vuln/detail/CVE-2019-11388):
  An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through
  3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote
  attackers to cause a denial of service (ReDOS) by entering a specially
  crafted string with nested repetition operators.

CVE-2019-11387 (https://nvd.nist.gov/vuln/detail/CVE-2019-11387):
  An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through
  3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote
  attackers to cause a denial of service (ReDOS) by entering a specially
  crafted string with nested repetition operators.
Comment 1 Larry the Git Cow gentoo-dev 2020-10-07 18:58:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df0f81ee11f036df6b46f5b6d968295335ef532d

commit df0f81ee11f036df6b46f5b6d968295335ef532d
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-10-01 18:39:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-07 18:58:17 +0000

    www-apache/modsecurity-crs: bump to 3.3.0
    
    Closes: https://bugs.gentoo.org/706148
    Bug: https://bugs.gentoo.org/719250
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17741
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/modsecurity-crs/Manifest                |  1 +
 www-apache/modsecurity-crs/metadata.xml            |  2 +-
 .../modsecurity-crs/modsecurity-crs-3.3.0.ebuild   | 33 ++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-07 18:59:23 UTC
Tell us when ready to stable, thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2020-10-09 08:41:41 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-10-09 15:23:38 UTC
amd64 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2020-12-29 02:00:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afcb3db2b6daac76d20b7c7009305e75f8b7e3bb

commit afcb3db2b6daac76d20b7c7009305e75f8b7e3bb
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-27 07:29:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-29 01:59:42 +0000

    www-apache/modsecurity-crs: security cleanup (drop <3.3.0)
    
    Bug: https://bugs.gentoo.org/719250
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18826
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/modsecurity-crs/Manifest                |  2 -
 .../modsecurity-crs/modsecurity-crs-3.0.2.ebuild   | 55 ----------------------
 .../modsecurity-crs/modsecurity-crs-3.1.0.ebuild   | 38 ---------------
 3 files changed, 95 deletions(-)