CVE-2019-11391 (https://nvd.nist.gov/vuln/detail/CVE-2019-11391): An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators.

CVE-2019-11390 (https://nvd.nist.gov/vuln/detail/CVE-2019-11390): An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators.

CVE-2019-11389 (https://nvd.nist.gov/vuln/detail/CVE-2019-11389): An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition operators.

CVE-2019-11388 (https://nvd.nist.gov/vuln/detail/CVE-2019-11388): An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.

CVE-2019-11387 (https://nvd.nist.gov/vuln/detail/CVE-2019-11387): An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.
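As an added, defender-side illustration (not part of the bug report and not CRS project code): a small Python scanner that pulls the regex operators out of a ModSecurity rule file and flags any group that is itself repeated without an upper bound while containing an unbounded quantifier, which is the nested-repetition shape these CVEs describe. The rule file, rule ids and patterns below are constructed samples, not the real CRS rules; `nested_quantifiers`, `audit_conf` and `SAMPLE_CONF` are names chosen here, and the scanner is a heuristic, not a full regex parser.

```python
import re

# Constructed sample in CRS style; NOT the real CRS rule text or ids.
SAMPLE_CONF = r'''
# constructed sample rules
SecRule REQUEST_COOKIES|ARGS "@rx (?i)(?:^|\b)next(?:\s*)#" \
    "id:100001,phase:2,deny,msg:'PHP function name'"
SecRule ARGS "@rx (?:(?:a|b)+)+x" \
    "id:100002,phase:2,deny"
SecRule ARGS "(?:\w+\s*)*=" "id:100003,phase:2,deny"
SecRule ARGS "@pm eval assert" "id:100004,phase:2,deny"
SecRule ARGS "!@rx ^[a-z]{1,64}$" "id:100005,phase:2,deny"
'''

# SecRule VARIABLES "OPERATOR" "ACTIONS"; quoted strings may contain \" escapes.
SECRULE = re.compile(
    r'^\s*SecRule\s+(?P<vars>\S+)\s+"(?P<op>(?:[^"\\]|\\.)*)"'
    r'(?:\s+"(?P<actions>(?:[^"\\]|\\.)*)")?',
    re.M,
)
_BRACE = re.compile(r'\{(\d*)(,?)(\d*)\}')


def quantifier_at(pattern, j):
    """Return (is_unbounded, chars_consumed) for a quantifier starting at j, if any."""
    n = len(pattern)
    if j >= n:
        return False, 0
    c = pattern[j]
    if c in '*+':                       # *, +, with optional lazy/possessive suffix
        k = 1 + (j + 1 < n and pattern[j + 1] in '?+')
        return True, k
    if c == '?':                        # bounded: at most one repetition
        k = 1 + (j + 1 < n and pattern[j + 1] == '?')
        return False, k
    if c == '{':
        m = _BRACE.match(pattern, j)
        if m and (m.group(1) or m.group(3)):
            k = m.end() - j + (m.end() < n and pattern[m.end()] == '?')
            return bool(m.group(2)) and not m.group(3), k   # {n,} is unbounded
    return False, 0


def class_end(pattern, i):
    """Index just past the ']' closing the character class that starts at i."""
    j = i + 1
    if j < len(pattern) and pattern[j] == '^':
        j += 1
    if j < len(pattern) and pattern[j] == ']':   # leading ']' is a literal
        j += 1
    while j < len(pattern) and pattern[j] != ']':
        j += 2 if pattern[j] == '\\' else 1
    return j + 1


def nested_quantifiers(pattern):
    """Return the text of every group that is repeated unboundedly and whose
    contents already contain an unbounded quantifier (nested repetition)."""
    findings, stack, i = [], [], 0       # stack entries: [start_index, has_unbounded_inside]
    while i < len(pattern):
        c = pattern[i]
        if c == '(':
            stack.append([i, False])
            i += 1
            continue
        if c == ')' and stack:
            start, inner = stack.pop()
            unbounded, skip = quantifier_at(pattern, i + 1)
            if unbounded and inner:
                findings.append(pattern[start:i + 1 + skip])
            if stack and (unbounded or inner):   # propagate to the enclosing group
                stack[-1][1] = True
            i += 1 + skip
            continue
        # a single atom: escape sequence, character class, or ordinary character
        end = i + 2 if c == '\\' else class_end(pattern, i) if c == '[' else i + 1
        unbounded, skip = quantifier_at(pattern, end)
        if unbounded and stack:
            stack[-1][1] = True
        i = end + skip
    return findings


def audit_conf(conf):
    """Return (rule_id, offending_group) for every nested-repetition group in a rule file."""
    conf = re.sub(r'\\\r?\n\s*', ' ', conf)          # join backslash-continued lines
    findings = []
    for m in SECRULE.finditer(conf):
        op = m.group('op').replace('\\"', '"').lstrip('!')
        if op.startswith('@'):
            if not op.startswith('@rx '):
                continue                              # @pm, @contains, ... are not regexes
            regex = op[4:]
        else:
            regex = op                                # ModSecurity's default operator is @rx
        idm = re.search(r'\bid:(\d+)', m.group('actions') or '')
        rule_id = idm.group(1) if idm else '?'
        findings.extend((rule_id, g) for g in nested_quantifiers(regex))
    return findings


if __name__ == '__main__':
    for rule_id, group in audit_conf(SAMPLE_CONF):
        print(f'rule {rule_id}: nested repetition in {group}')
```

The check only covers the nested-repetition shape named in these CVEs; an ambiguous alternation under a single quantifier (for example `(a|aa)+`) can backtrack just as badly and is not flagged, so treat a clean result as one input to review, not a proof of safety. Running the scanner over a local copy of the rule set before deploying a CRS upgrade, or comparing the output for the old and new versions, is the intended use.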
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df0f81ee11f036df6b46f5b6d968295335ef532d

commit df0f81ee11f036df6b46f5b6d968295335ef532d
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-10-01 18:39:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-07 18:58:17 +0000

    www-apache/modsecurity-crs: bump to 3.3.0

    Closes: https://bugs.gentoo.org/706148
    Bug: https://bugs.gentoo.org/719250
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17741
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/modsecurity-crs/Manifest              |  1 +
 www-apache/modsecurity-crs/metadata.xml          |  2 +-
 .../modsecurity-crs/modsecurity-crs-3.3.0.ebuild | 33 ++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
Tell us when ready to stable, thanks!
x86 stable
amd64 stable. Maintainer(s), please clean up. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afcb3db2b6daac76d20b7c7009305e75f8b7e3bb

commit afcb3db2b6daac76d20b7c7009305e75f8b7e3bb
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-27 07:29:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-29 01:59:42 +0000

    www-apache/modsecurity-crs: security cleanup (drop <3.3.0)

    Bug: https://bugs.gentoo.org/719250
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18826
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/modsecurity-crs/Manifest              |  2 -
 .../modsecurity-crs/modsecurity-crs-3.0.2.ebuild | 55 ----------------------
 .../modsecurity-crs/modsecurity-crs-3.1.0.ebuild | 38 ---------------
 3 files changed, 95 deletions(-)