On Sat, May 11, 2019 at 06:45:13AM +0200, Christian Folini wrote:

Hi Christian,

Thanks for chiming in, much appreciated! But I need some further clarification.

> The Core Rule Set project explained the situation in
> https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/
> 
> The CVEs were issues against the Regular Expression itself, not CRS running
> on ModSecurity.

CVEs are not assigned for regular expressions by themselves. And the CVE description
explicitly refers to ModSecurity, so if those reports are not correct, the
CVE IDs should be rejected at MITRE.

> Debian Stable comes with ModSecurity 2.
> Debian Testing comes with ModSecurity 3.

Debian stable actually has 3.0.0, but it doesn't matter here.

> CVE-2019-11391
> Not affected.
> -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357#issuecomment-487344464
>
> CVE-2019-11390
> Not affected.
> -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358#issuecomment-487344517
>
> CVE-2019-11389
> Not affected.
> -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1356#issuecomment-487073750
>
> CVE-2019-11388
> Not affected.
> -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354#issuecomment-487070518

So if there's no circumstance where this triggers in modsecurity-crs, the four
CVE IDs should be rejected. Otherwise this will only cause confusion. Do you know
who requested these? Rejects can be requested via https://cveform.mitre.org ->
Select a request type -> Request an update to an existing CVE Entry.

> CVE-2019-11387
> ModSecurity 3 and thus NGINX 3 and thus Debian Unstable is affected at
> Paranoia Level 2 and above. The default setting is Paranoia Level 1.
> -> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1359#issuecomment-487344654

I don't understand. What does Nginx 3 have to do with it? There's not even
such a version in unstable, the latest is 1.14.2?

Cheers,
        Moritz