Bug 464188 - <www-apache/mod_security-2.7.3 : XML External Entity Processing Vulnerability (CVE-2013-1915)
Summary: <www-apache/mod_security-2.7.3 : XML External Entity Processing Vulnerability...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52847/
Whiteboard: B3 [noglsa]
Reported: 2013-04-02 12:15 UTC by Agostino Sarubbo
Modified: 2014-01-29 11:34 UTC
Description Agostino Sarubbo gentoo-dev 2013-04-02 12:15:58 UTC
From ${URL} :

Description
Positive Technologies has reported a vulnerability in ModSecurity, which can be exploited by malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service).

The vulnerability is caused due to an error when parsing external XML entities and can be exploited to e.g. disclose local files or cause excessive memory and CPU consumption.

The vulnerability is reported in version 2.7.2. Prior versions may also be affected.


Solution
Update to version 2.7.3.

Provided and/or discovered by
Timur Yunusov and Alexey Osipov, Positive Technologies

Original Advisory
ModSecurity:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-04-02 14:46:11 UTC
Go for it, 2.7.3 is in tree and should be fine to go stable.
Comment 2 Agostino Sarubbo gentoo-dev 2013-04-02 15:06:16 UTC
Arches, please test and mark stable:
=www-apache/mod_security-2.7.3
Target keywords : "amd64 ppc sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-04-03 18:15:03 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-05 17:17:57 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-05 21:50:42 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-04-13 07:39:57 UTC
sparc stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-04-26 11:13:40 UTC
CVE-2013-1915 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1915):
  ModSecurity before 2.7.3 allows remote attackers to read arbitrary files,
  send HTTP requests to intranet servers, or cause a denial of service (CPU
  and memory consumption) via an XML external entity declaration in
  conjunction with an entity reference, aka an XML External Entity (XXE)
  vulnerability.
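The XXE pattern named in the CVE text above (an external entity declaration combined with a reference to that entity) as a request-body check, added here as an example that is not part of this bug or of ModSecurity; the sample bodies and the URIs in them are constructed placeholders, and `find_external_entities` / `is_xxe` are names chosen for this example:

```python
import re

# Added example (not ModSecurity's code): flag XML request bodies that show the
# CVE-2013-1915 pattern, an external entity declaration (SYSTEM or PUBLIC)
# together with a reference to that entity. Runs offline on constructed samples.

QUOTED = r"""(?:"[^"]*"|'[^']*')"""
EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM\s+" + QUOTED + r"|PUBLIC\s+" + QUOTED + r"\s+" + QUOTED + r")"
)


def find_external_entities(body: str) -> dict:
    """Map each externally declared entity name to whether it is referenced later.

    General entities are referenced as &name; in content, parameter entities
    (declared with a leading %) as %name; inside the DTD.
    """
    found = {}
    for m in EXTERNAL_ENTITY.finditer(body):
        name = m.group("name")
        sigil = "%" if m.group("param") else "&"
        ref = re.compile(re.escape(sigil + name) + ";")
        # Only a reference after the declaration makes the parser resolve it.
        found[name] = ref.search(body, m.end()) is not None
    return found


def is_xxe(body: str) -> bool:
    """True when an external entity is both declared and referenced."""
    return any(find_external_entities(body).values())


# Constructed samples; the URIs are placeholders, not real targets.
SAMPLE_XXE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>\n'
    "<order><item>&ext;</item></order>\n"
)
SAMPLE_PARAM = (
    '<!DOCTYPE d [ <!ENTITY % pe SYSTEM "http://dtd.example.invalid/x.dtd"> %pe; ]>\n'
    "<d/>\n"
)
SAMPLE_UNREFERENCED = '<!DOCTYPE d [ <!ENTITY unused SYSTEM "http://example.invalid/x"> ]><d/>'
SAMPLE_INTERNAL = '<!DOCTYPE d [ <!ENTITY vendor "Example Corp"> ]><d>&vendor;</d>'

if __name__ == "__main__":
    for label, body in [("xxe", SAMPLE_XXE), ("param", SAMPLE_PARAM),
                        ("unreferenced", SAMPLE_UNREFERENCED), ("internal", SAMPLE_INTERNAL)]:
        print(label, find_external_entities(body), "block" if is_xxe(body) else "allow")
```

A stricter policy can reject any body that declares an external entity at all, whether or not it is referenced; the dict returned by `find_external_entities` supports either choice.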
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 04:01:24 UTC
GLSA vote: no.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-29 11:34:40 UTC
GLSA vote: no.

Closing as [noglsa]