The severity of this bug is set too high. It is not "grave" in the context of Debian.
Here is why: The Core Rule Set project explained the situation in https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/

The CVEs were issues against the Regular Expression itself, not CRS running on ModSecurity. This means that ModSecurity has protection measures itself that save the WAF from this type of DoS. In the case of ModSecurity 2, it is the manual setting of the PCRE match limits that protects you, and the default value is very low.

ModSecurity 2 protects you from all of these RegEx weaknesses. ModSecurity 3 protects you from 4 of these 5 RegEx weaknesses. Number 5 is an issue, but only at higher Paranoia Levels, which are disabled by default.

Debian Stable comes with ModSecurity 2. Debian Testing comes with ModSecurity 3. So Debian Stable is not affected. Debian Testing is affected at PL 2 and higher.

CVE-2019-11391: Not affected. -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357#issuecomment-487344464
CVE-2019-11390: Not affected. -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358#issuecomment-487344517
CVE-2019-11389: Not affected. -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1356#issuecomment-487073750
CVE-2019-11388: Not affected. -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354#issuecomment-487070518
CVE-2019-11387: ModSecurity 3 and thus NGINX 3 and thus Debian Unstable is affected at Paranoia Level 2 and above. The default setting is Paranoia Level 1. -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1359#issuecomment-487344654

The CRS project is actively solving the problems that these issues bring. However, we want to solve them without changing the behavior of the WAF in a way that could introduce other security problems for our users. And that is very tricky.

Hope this brings some clarity and you can reduce the severity of the bug until we can deliver a solution.

Cheers,
Christian Folini, CRS Co-Lead
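For readers checking their own deployment against the two mitigations the message relies on (the ModSecurity 2 PCRE match limits and the CRS paranoia level), the following configuration fragment is an added illustration, not part of the bug report or of the CRS/ModSecurity projects' own files. The directive names are real ModSecurity 2 and CRS 3.x settings; the rule id 200005 and the file placement are taken from the upstream recommended configuration but should be treated as illustrative for your own install.

```apache
# --- ModSecurity 2 (Debian Stable, libapache2-mod-security2) ---
# Goes in modsecurity.conf. When a regex exceeds these limits the @rx
# operator aborts and ModSecurity sets TX:MSC_PCRE_LIMITS_EXCEEDED instead
# of the worker spinning inside PCRE on a crafted input. 1500 is the
# shipped default; lowering it trades possible false negatives on very
# long inputs for a harder ceiling on per-rule CPU time.
SecPcreMatchLimit            1500
SecPcreMatchLimitRecursion   1500

# Turn an aborted match into a block rather than a silently skipped rule.
# This mirrors the rule in modsecurity.conf-recommended; the id is
# illustrative, use one from your own range if it collides.
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:200005,phase:2,t:none,deny,log,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# --- CRS 3.x paranoia level (ModSecurity 2 and 3) ---
# Goes in crs-setup.conf. PL1 is the default; the remaining regex weakness
# the message refers to only becomes reachable at PL2 and above, so on a
# ModSecurity 3 host keep this at 1 until a fixed CRS release is installed.
SecAction \
    "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
```

After changing either setting, verify with `apachectl configtest` (or `nginx -t` for the ModSecurity 3 connector) and confirm in the audit log that a deliberately long input against a PL2 rule produces the MSC_PCRE_LIMITS_EXCEEDED denial rather than a multi-second request.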