CVE-2023-24021 (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7): In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the complete content. This can lead to a Web Application Firewall bypass. This particular fix is in 2.9.7, but it 3.x affected? According to URL, "It's a bit unfortunate it comes out of the blue, since we could have written a better advisory than the one now listed at NIST. https://nvd.nist.gov/vuln/detail/CVE-2023-24021 Namely because the problem is bigger than it seems. What I do not like about the situation is that the Changelog makes it look rather innocent, when it can be abused for a buffer overflow. This gives attackers taking a deeper look an advantage over users who read the changelog and think it's no big deal."
CVE-2022-48279: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. This is fixed in 2.9.6 and 3.0.8.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff270e81a87d860d557a52ee763ad810f93e586a commit ff270e81a87d860d557a52ee763ad810f93e586a Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2023-01-25 15:27:47 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2023-02-05 09:12:51 +0000 www-apache/mod_security: add 2.9.7 Bug: https://bugs.gentoo.org/891777 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/29267 Signed-off-by: Joonas Niilola <juippis@gentoo.org> www-apache/mod_security/Manifest | 1 + www-apache/mod_security/metadata.xml | 4 + www-apache/mod_security/mod_security-2.9.7.ebuild | 128 ++++++++++++++++++++++ 3 files changed, 133 insertions(+)
Hm. Apparently there's two packages based on the SpiderLabs upstream, dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? Are they both affected by these? There's also www-apache/modsecurity-crs, is that affected too?
CVE-2023-28882 (https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/): Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.