Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 891777 (CVE-2022-48279, CVE-2023-24021, CVE-2023-28882) - dev-libs/modsecurity: multiple vulnerabilities
Summary: dev-libs/modsecurity: multiple vulnerabilities
Alias: CVE-2022-48279, CVE-2023-24021, CVE-2023-28882
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [??]
Keywords: PullRequest
Depends on:
Reported: 2023-01-22 23:15 UTC by John Helmert III
Modified: 2023-04-29 16:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-22 23:15:12 UTC
CVE-2023-24021 (

In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the complete content. This can lead to a Web Application Firewall bypass.

This particular fix is in 2.9.7, but it 3.x affected? According to
URL, "It's a bit unfortunate it comes out of the blue, since we could
have written a better advisory than the one now listed at
NIST. Namely because
the problem is bigger than it seems.

What I do not like about the situation is that the Changelog makes it
look rather innocent, when it can be abused for a buffer
overflow. This gives attackers taking a deeper look an advantage over
users who read the changelog and think it's no big deal."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-22 23:41:40 UTC

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

This is fixed in 2.9.6 and 3.0.8.
Comment 2 Larry the Git Cow gentoo-dev 2023-02-05 09:12:57 UTC
The bug has been referenced in the following commit(s):

commit ff270e81a87d860d557a52ee763ad810f93e586a
Author:     Tomáš Mózes <>
AuthorDate: 2023-01-25 15:27:47 +0000
Commit:     Joonas Niilola <>
CommitDate: 2023-02-05 09:12:51 +0000

    www-apache/mod_security: add 2.9.7
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Joonas Niilola <>

 www-apache/mod_security/Manifest                  |   1 +
 www-apache/mod_security/metadata.xml              |   4 +
 www-apache/mod_security/mod_security-2.9.7.ebuild | 128 ++++++++++++++++++++++
 3 files changed, 133 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-18 23:42:03 UTC
Hm. Apparently there's two packages based on the SpiderLabs upstream, dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? Are they both affected by these?

There's also www-apache/modsecurity-crs, is that affected too?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 16:41:58 UTC
CVE-2023-28882 (

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.