CVE-2023-24021 (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7): In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the complete content. This can lead to a Web Application Firewall bypass. This particular fix is in 2.9.7, but it 3.x affected? According to URL, "It's a bit unfortunate it comes out of the blue, since we could have written a better advisory than the one now listed at NIST. https://nvd.nist.gov/vuln/detail/CVE-2023-24021 Namely because the problem is bigger than it seems. What I do not like about the situation is that the Changelog makes it look rather innocent, when it can be abused for a buffer overflow. This gives attackers taking a deeper look an advantage over users who read the changelog and think it's no big deal."
CVE-2022-48279: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. This is fixed in 2.9.6 and 3.0.8.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff270e81a87d860d557a52ee763ad810f93e586a commit ff270e81a87d860d557a52ee763ad810f93e586a Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2023-01-25 15:27:47 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2023-02-05 09:12:51 +0000 www-apache/mod_security: add 2.9.7 Bug: https://bugs.gentoo.org/891777 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/29267 Signed-off-by: Joonas Niilola <juippis@gentoo.org> www-apache/mod_security/Manifest | 1 + www-apache/mod_security/metadata.xml | 4 + www-apache/mod_security/mod_security-2.9.7.ebuild | 128 ++++++++++++++++++++++ 3 files changed, 133 insertions(+)
Hm. Apparently there's two packages based on the SpiderLabs upstream, dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? Are they both affected by these? There's also www-apache/modsecurity-crs, is that affected too?
CVE-2023-28882 (https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/): Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
(In reply to John Helmert III from comment #0) > What I do not like about the situation is that the Changelog makes it > look rather innocent, when it can be abused for a buffer > overflow. This gives attackers taking a deeper look an advantage over > users who read the changelog and think it's no big deal." The claim of a buffer overflow was retracted: https://github.com/SpiderLabs/ModSecurity/pull/2857 (it's a buffer over-read). Release notes are here: https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-297/ My understanding is also that version 3.x is more or less a rewrite that is less linked to apache, so it's not strange that there is no mention of 3.x as being vulnerable.
(In reply to John Helmert III from comment #3) > Hm. Apparently there's two packages based on the SpiderLabs upstream, > dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? > Are they both affected by these? dev-libs/modsecurity is upstream's 3.x taking a more generic (i.e. non-apache) approach. www-apache/mod_security is upstream's 2.x. > There's also www-apache/modsecurity-crs, is that affected too? www-apache/modsecurity-crs is the core rule set that can be applied by either the 2.x or 3.x versions.
