718360 – www-apache/mod_security: Multiple vulnerabilities (CVE-2019-19886)

Bug 718360 - www-apache/mod_security: Multiple vulnerabilities (CVE-2019-19886)

Summary: www-apache/mod_security: Multiple vulnerabilities (CVE-2019-19886)

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [ebuild cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-04-19 15:53 UTC by GLSAMaker/CVETool Bot
Modified:	2020-10-01 14:00 UTC (History)
CC List:	3 users (show)

See Also:	718358
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2020-04-19 15:53:47 UTC

CVE-2019-19886 (https://nvd.nist.gov/vuln/detail/CVE-2019-19886):
  Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted
  requests that may, when sent quickly in large volumes, lead to the server
  becoming slow or unresponsive (Denial of Service) because of a flaw in
  Transaction::addRequestHeader in transaction.cc.


----
PR (merged): https://github.com/SpiderLabs/ModSecurity/pull/2202
PR (merged): https://github.com/SpiderLabs/ModSecurity/pull/2023

Comment 1 Sam James archtester

2020-04-19 15:55:24 UTC

3.0.4 also fixes a buffer overflow in Utils::Md5::hexdigest().

PR (merged): https://github.com/SpiderLabs/ModSecurity/pull/2002

Comment 2 Tobias Sager 2020-05-17 10:08:28 UTC

Gentoo only contains modsecurity 2.9.x, so below CVEs are probably not applicable as v3.x is a complete rewrite of modsecurity.

Comment 3 Tomáš Mózes 2020-10-01 13:46:27 UTC

Yes, this only affects branch 3.x which we currently don't have in Gentoo. Our version in portage is unaffected.