Summary: | <www-apache/mod_security-2.9.7, <dev-libs/modsecurity-3.0.9: multiple vulnerabilities
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | John Helmert III <ajak>
Assignee: | Gentoo Security <security>
Status: | CONFIRMED
Severity: | minor
Priority: | Normal
CC: | hydrapolic, proxy-maint
Keywords: | PullRequest
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://github.com/SpiderLabs/ModSecurity/pull/2857
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=872077, https://github.com/gentoo/gentoo/pull/29267
Whiteboard: | B3 [cleanup glsa?]
Package list: |
Runtime testing required: | ---
Description
John Helmert III
2023-01-22 23:15:12 UTC
CVE-2022-48279: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

This is fixed in 2.9.6 and 3.0.8.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff270e81a87d860d557a52ee763ad810f93e586a

commit ff270e81a87d860d557a52ee763ad810f93e586a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2023-01-25 15:27:47 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-05 09:12:51 +0000

    www-apache/mod_security: add 2.9.7

    Bug: https://bugs.gentoo.org/891777
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29267
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apache/mod_security/Manifest                  |   1 +
 www-apache/mod_security/metadata.xml              |   4 +
 www-apache/mod_security/mod_security-2.9.7.ebuild | 128 ++++++++++++++++++++++
 3 files changed, 133 insertions(+)

Comment 3
John Helmert III
Hm. Apparently there's two packages based on the SpiderLabs upstream, dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? Are they both affected by these? There's also www-apache/modsecurity-crs, is that affected too?

CVE-2023-28882 (https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/):

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

(In reply to John Helmert III from comment #0)
> What I do not like about the situation is that the Changelog makes it
> look rather innocent, when it can be abused for a buffer
> overflow. This gives attackers taking a deeper look an advantage over
> users who read the changelog and think it's no big deal."

The claim of a buffer overflow was retracted: https://github.com/SpiderLabs/ModSecurity/pull/2857 (it's a buffer over-read).

Release notes are here: https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-297/

My understanding is also that version 3.x is more or less a rewrite that is less linked to apache, so it's not strange that there is no mention of 3.x as being vulnerable.

(In reply to John Helmert III from comment #3)
> Hm. Apparently there's two packages based on the SpiderLabs upstream,
> dev-libs/modsecurity and www-apache/mod_security. Are they the same thing?
> Are they both affected by these?

dev-libs/modsecurity is upstream's 3.x taking a more generic (i.e. non-apache) approach. www-apache/mod_security is upstream's 2.x.

> There's also www-apache/modsecurity-crs, is that affected too?

www-apache/modsecurity-crs is the core rule set that can be applied by either the 2.x or 3.x versions.
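The thread above resolves which Gentoo package maps to which upstream line (www-apache/mod_security is 2.x, dev-libs/modsecurity is 3.x, www-apache/modsecurity-crs is only the rule set) and which versions each issue covers. The script below, an added example that is not part of this bug, of Gentoo's tooling or of ModSecurity, encodes exactly those ranges as stated on this page and checks a list of installed atoms against them. It assumes the input is in the `category/pkg-version[-rN]` form that `qlist -Iv` prints; the sample lines are constructed for the example, and the version comparison is a simplification of Portage's ordering (only the leading dotted numeric part is compared, suffixes such as `_p1` are ignored).

```python
"""Check installed Gentoo ModSecurity packages against the ranges stated on this bug.

Added example, not Gentoo's or ModSecurity's own code. Input lines are assumed
to look like `qlist -Iv` output ("category/pkg-version[-rN]"); this is an
assumption of the example, not something verified against Portage here.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as this bug states them:
# (package, issue, min_version_inclusive or None for "all earlier", fixed_in_exclusive)
AFFECTED: List[Tuple[str, str, Optional[str], str]] = [
    ("www-apache/mod_security", "CVE-2022-48279", None, "2.9.6"),
    ("www-apache/mod_security", "buffer over-read fixed in 2.9.7", None, "2.9.7"),
    ("dev-libs/modsecurity", "CVE-2022-48279", None, "3.0.8"),
    ("dev-libs/modsecurity", "CVE-2023-28882", "3.0.5", "3.0.9"),
    # www-apache/modsecurity-crs is the rule set only; the thread lists no range for it.
]

# Package name may itself contain hyphens (modsecurity-crs): the version starts
# at the last hyphen that is followed by a digit; an optional -rN revision follows.
_ATOM = re.compile(r"^(?P<cp>\S+?)-(?P<ver>\d[^-\s]*)(?:-r(?P<rev>\d+))?$")

# Constructed sample of `qlist -Iv`-style output; not real output from any host.
SAMPLE_QLIST = """\
www-apache/mod_security-2.9.5
www-apache/mod_security-2.9.7
dev-libs/modsecurity-3.0.8-r1
dev-libs/modsecurity-3.0.9
www-apache/modsecurity-crs-3.3.4
dev-libs/libxml2-2.10.3
"""


def version_key(ver: str) -> Version:
    """Turn '2.9.5' or '3.0.8_p1' into a tuple of ints (leading numeric part only)."""
    m = re.match(r"\d+(?:\.\d+)*", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def vcmp(a: Version, b: Version) -> int:
    """Compare two version tuples, treating missing trailing components as 0."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def parse_atom(atom: str) -> Tuple[str, str]:
    """Split 'category/pkg-version[-rN]' into (category/pkg, version); revision is dropped."""
    m = _ATOM.match(atom.strip())
    if not m:
        raise ValueError(f"not a versioned atom: {atom!r}")
    return m.group("cp"), m.group("ver")


def affected_issues(cp: str, ver: str) -> List[str]:
    """Return the issues from AFFECTED that cover this package version."""
    v = version_key(ver)
    hits: List[str] = []
    for pkg, issue, lo, fixed in AFFECTED:
        if pkg != cp:
            continue
        if lo is not None and vcmp(v, version_key(lo)) < 0:
            continue  # below the first affected version
        if vcmp(v, version_key(fixed)) < 0:
            hits.append(issue)  # strictly older than the fixed version
    return hits


def scan(qlist_output: str) -> Dict[str, List[str]]:
    """Map each affected installed atom to the issues that cover it."""
    result: Dict[str, List[str]] = {}
    for line in qlist_output.splitlines():
        line = line.strip()
        if not line:
            continue
        cp, ver = parse_atom(line)
        hits = affected_issues(cp, ver)
        if hits:
            result[line] = hits
    return result


if __name__ == "__main__":
    for atom, issues in scan(SAMPLE_QLIST).items():
        print(f"{atom}: {', '.join(issues)}")
```

On a real host the input would come from `qlist -Iv | python3 check.py`-style piping instead of the constructed `SAMPLE_QLIST`; the point of the example is the mapping of package to upstream line and range, which is what the thread had to work out by hand.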