Hi Salvatore, On Thu, Jun 01, 2023 at 10:24:28PM +0200, Salvatore Bonaccorso wrote: > Hi Paul, > > > Yet there is a huge amount of white space changes and other changes that > > look gratuitous. This is really not looking like a targeted fix. @Salvatore, > > can we do a targeted security upload via security? > > The targeted should be (Alberto, Ervin can you confirm) > https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785 > . While it would have been nice to start with modsecurity without > (known) security issues open in bookworm, I guess at this point of the > release preparation and soon entering the last week, skip it and the > CVE can be fixed in the first bookworm point release.
yes, this is a critical bug, which leads to an unexpected behavior (the attacker can DOS-ed the whole Nginx). But - as I explained in my other e-mail - libmodsecurity3 has a complex codebase, with a language (grammar) parser. This can cause a huge diff's, unfortunately. > Regards, > Salvatore > > p.s.: The PCRE to PCRE2 switch is one other aspect why it would have > been nice to have 3.0.9 in bookworm. Exactly. We upload this library earlier, but meanwhile Nginx bumped the PCRE version (finally!) to PCRE2. We *MUST* to update this package too to ingore the other unexpected behaviors. Thanks, a.
