| Summary: | <www-apache/modsecurity-crs-3.3.2: WAF bypass (CVE-2021-35368) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | hydrapolic, maintainer-needed |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://portswigger.net/daily-swig/waf-bypass-severe-owasp-modsecurity-core-rule-set-bug-was-present-for-several-years | | |
| See Also: | https://github.com/gentoo/gentoo/pull/23437 https://github.com/gentoo/gentoo/pull/23482 | | |
| Whiteboard: | B4 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 829741 | | |
| Bug Blocks: | | | |

Description
John Helmert III
2021-11-05 20:30:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38b60368c54e4cd1e60c9348d205c443a1d09d96

commit 38b60368c54e4cd1e60c9348d205c443a1d09d96
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-20 18:17:13 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-21 02:04:50 +0000

www-apache/modsecurity-crs: bump to 3.3.2

Bug: https://bugs.gentoo.org/822003
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Sam James <sam@gentoo.org>

www-apache/modsecurity-crs/Manifest | 1 +
.../modsecurity-crs/modsecurity-crs-3.3.2.ebuild | 33 ++++++++++++++++++++++
2 files changed, 34 insertions(+)

Please stable when ready. Thanks!

Please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be388d9d12b30c1b64da56852ebf5ff3af69be98

commit be388d9d12b30c1b64da56852ebf5ff3af69be98
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-23 12:40:04 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-24 08:01:43 +0000

www-apache/modsecurity-crs: drop vulnerable

Bug: https://bugs.gentoo.org/822003
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/23482
Signed-off-by: Sam James <sam@gentoo.org>

www-apache/modsecurity-crs/Manifest | 1 -
.../modsecurity-crs/modsecurity-crs-3.3.0.ebuild | 33 ----------------------
2 files changed, 34 deletions(-)

GLSA request filed

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e18d39bd8feec34396dd5f946e2b6a0c3031adff

commit e18d39bd8feec34396dd5f946e2b6a0c3031adff
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:55 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:33 +0000

[ GLSA 202305-25 ] OWASP ModSecurity Core Rule Set: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/822003
Bug: https://bugs.gentoo.org/872077
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202305-25.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)

GLSA released, all done!