Hi, Paul.

On Mon, Sep 12, 2022 at 10:21:12PM +0200, Paul Gevers wrote:
> Hi,
>
> Sorry for the delay in responding. This list is very high volume (it
> receives bug reports too) and plain messages sometimes slip through.
>
> On 02-09-2022 14:35, Ervin Hegedüs wrote:
> > *We need to know if we could add this patch to the existing packages
> > (3.3 in both Debian 10 and Debian 11) without CVE or not.*
>
> Well, Debian 10 got its last official point release last Saturday, so we're
> not considering that anymore. For the current stable (Debian 11), we don't
> need CVEs for updates, just a good justification of all the changes
> (assuming the justifications are in line with our stable release policy).
The reason for the update to modsecurity is a new set of rules in the Core Rule Set that is coming out soon fixing a CVE. These (CRS) will also get updated in stable (either through -security or a stable upload). So we are getting modsecurity ready for them.

Here's the draft for the CRS release:

------------------------------------------------------------------------------
CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME header fields abuse

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited.

The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions. If you fail to update ModSecurity, the webserver / engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". You can disable / remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.
------------------------------------------------------------------------------

I'll quote that same announcement in the bug report for the upload to release.debian.org.
Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: a...@inittab.org | on GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
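To make the mechanism in the quoted CVE-2022-39956 announcement concrete, here is an added illustration (not code from ModSecurity, the CRS, or the Debian packages) of the defensive idea behind inspecting per-part multipart headers, which the announcement ties to the new MULTIPART_PART_HEADERS variable: a part that declares a Content-Transfer-Encoding or a charset on its Content-Type carries a body the engine must decode before rules can see it. The function names, the boundary and the sample request body are all constructed for the example.

```python
"""Flag and normalise multipart parts that declare their own encoding.

Added example, not ModSecurity or CRS code. It models two steps a WAF needs
for the issue described in the CVE-2022-39956 announcement: (1) look at each
part's MIME headers, not just the top-level request, and (2) undo a declared
transfer encoding / charset so the inspected bytes match what the backend
would process. Names and sample data below are constructed.
"""
import base64
import quopri
import re

# Transfer encodings that leave the body bytes as-is; anything else is flagged.
SAFE_CTE = {"7bit", "8bit", "binary"}
CHARSET_RE = re.compile(r';\s*charset\s*=\s*"?([^";\s]+)', re.I)


def split_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into (headers, payload) tuples.

    Headers are lower-cased names mapped to stripped values; payload is the
    raw part body without the trailing CRLF. Minimal parser for illustration.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            if name:
                headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload.rstrip(b"\r\n")))
    return parts


def find_encoded_parts(body: bytes, boundary: str) -> list:
    """Return (part_index, reason) for every part whose headers declare an
    encoding that a non-decoding inspection engine would fail to see through."""
    findings = []
    for idx, (headers, _payload) in enumerate(split_multipart(body, boundary)):
        cte = headers.get("content-transfer-encoding", "").lower()
        if cte and cte not in SAFE_CTE:
            findings.append((idx, f"content-transfer-encoding={cte}"))
        m = CHARSET_RE.search(headers.get("content-type", ""))
        if m:
            findings.append((idx, f"charset={m.group(1).lower()}"))
    return findings


def normalize_part(headers: dict, payload: bytes) -> bytes:
    """Undo the declared transfer encoding and charset so a rule inspects the
    bytes the backend would actually process (re-encoded as UTF-8)."""
    cte = headers.get("content-transfer-encoding", "").lower()
    if cte == "base64":
        payload = base64.b64decode(payload)
    elif cte == "quoted-printable":
        payload = quopri.decodestring(payload)
    m = CHARSET_RE.search(headers.get("content-type", ""))
    if m:
        try:
            payload = payload.decode(m.group(1)).encode("utf-8")
        except (LookupError, UnicodeDecodeError):
            pass  # unknown or invalid charset: hand the raw bytes to the rules
    return payload


# Constructed sample request body: one plain field, one field with a charset
# on its Content-Type, one attachment with Content-Transfer-Encoding: base64.
BOUNDARY = "----exampleboundary"
SAMPLE_BODY = (
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"plain text field\r\n"
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="notes"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n"
    b"\r\n"
    b"some text\r\n"
    b"------exampleboundary\r\n"
    b'Content-Disposition: form-data; name="attachment"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8=\r\n"                             # base64 of "hello"
    b"------exampleboundary--\r\n"
)

if __name__ == "__main__":
    for idx, reason in find_encoded_parts(SAMPLE_BODY, BOUNDARY):
        headers, payload = split_multipart(SAMPLE_BODY, BOUNDARY)[idx]
        print(f"part {idx}: {reason}; decoded for inspection: {normalize_part(headers, payload)!r}")
```

The point of `normalize_part` is the "Important" paragraph of the announcement: the rule file alone cannot help if the engine never exposes the part headers, and a rule that sees them still needs the engine to decode the part before other rules run over it.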