Date: Wed, 3 Apr 2013 08:23:19 -0400 (EDT)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
        Breno Silva <>
Subject: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks

Hello Kurt, Steve, Breno, vendors,

  ModSecurity upstream has released version 2.7.3:

correcting one security flaw (from [2]):
"It was reported that the XML files parser of ModSecurity,
a security module for the Apache HTTP Server, was vulnerable
to XML External Entity attacks. A remote attacker could
provide a specially-crafted XML file that, when processed,
might lead to local files disclosure or, potentially,
excessive resources (memory, CPU) consumption."


Relevant upstream patch (seems to be the following):

Could you allocate a CVE id [*] for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

[*] According to:
    there doesn't seem to have been a CVE id allocated for this issue yet.
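The flaw described in the request above is an XML parser that honours entity declarations supplied by the client: an external entity (SYSTEM/PUBLIC) pulls in a local file, and a chain of internal entities expands into the resource consumption the advisory mentions. Both need a DTD, so the usual mitigation is to refuse any DOCTYPE before a single entity is declared, and never to resolve external references as defence in depth. The code below is an added example and is not ModSecurity's code or its 2.7.3 patch; it uses only Python's standard-library expat binding, and the sample documents are constructed test vectors (the file path in the second one is a placeholder).

```python
"""
Reject-DTD XML parsing as a defence against XXE and entity-expansion attacks.

Added example, not ModSecurity code. It uses only Python's stdlib expat binding
and refuses any document that carries a DOCTYPE, which is the only place where
external entities (XXE) and recursive entity bombs can be declared.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD (and thus may define entities)."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse `data` with expat, aborting before any DTD content is honoured.

    Returns a small summary (root element, element count, concatenated
    character data): enough to show that a benign document was accepted.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0, "text": ""}

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Any DOCTYPE is refused. Both an external entity (SYSTEM/PUBLIC) and an
        # expansion bomb need entity declarations, which can only live in a DTD.
        raise UnsafeXMLError(
            f"DOCTYPE {doctype_name!r} rejected (system_id={system_id!r}, "
            f"internal_subset={bool(has_internal_subset)})"
        )

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: never resolve an external entity reference.
        # Returning 0 makes expat abort the parse with an ExpatError.
        return 0

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    def on_chardata(text):
        summary["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chardata
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return summary


def check_document(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>', suitable for a log line."""
    try:
        parse_without_dtd(data)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed ({exc})"
    return "accepted"


# Constructed sample documents (not taken from the advisory or the patch).
BENIGN = b"<request><user>alice</user><action>view</action></request>"

# Test vector with an external entity declaration; the target is a placeholder
# path, not a real file. It is refused at the DOCTYPE, before any resolution.
XXE_PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b"<request><user>&ext;</user></request>"
)

# Test vector with the shape of an internal-entity expansion chain, kept tiny;
# it is refused at the DOCTYPE, so nothing is ever expanded.
EXPANSION_PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<lolz>&b;</lolz>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_PROBE),
                       ("expansion", EXPANSION_PROBE)):
        print(f"{label}: {check_document(doc)}")
```

Rejecting the DOCTYPE outright is stricter than disabling external entities only, but it is the policy that also stops internal-entity expansion, and a request-inspection module has no legitimate reason to accept client-supplied DTDs.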
