Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Apr 2013 09:17:58 -0300
From: Breno Silva <breno.silva@...il.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>, oss-security@...ts.openwall.com, 
	Athmane Madjoudj <athmanem@...il.com>
Subject: Re: Re: CVE Request -- ModSecurity (X < 2.7.3):
 Vulnerable to XXE attacks

Hello Jan,

I'm attaching a patch for 2.5.12. However it is small and i think can help
you do the same for 2.6.8.
Let me know if you have any questions.

Thanks

Breno


On Tue, Apr 9, 2013 at 6:26 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:

> Hi Breno,
>
>   (Cc-ing Athmane on this due reasons which will get obvious below).
>
>   thank you for checking with us.
>
> AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have
> just rebased to latest upstream 2.7.3 version. But you are truly
> right (assuming this being the reason you are checking with us),
> that on Fedora EPEL-5 we are shipping older (2.6.8 based version
> of ModSecurity).
>
> FWIHL:
>   [1] https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1
>
> it's wasn't immediately clear how the backported upstream patch
> would look like in / against that version (and not completely
> sure we can just rebase in that product too - Athmane could you
> clarify here if we can rebase or would rather want upstream patch
> form against 2.6.8 version?)
>
> Breno, so if you are willing to help (and Athmane would confirm
> we need patch against 2.6.8 version), it would be appreciated
> if you could provide it.
>
> That's just for our expectations. Obviously other vendors might
> be interested in upstream patch backports against different versions
> yet (but I will let them to speak out their needs by themselves).
>
> Thank you for your time / check anyway. It's appreciated.
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
>
> ----- Original Message -----
> Hello Jan,
>
> Are you guys backporting de patch to old versions of ModSecurity ?
>
> Thanks
>
> Breno
>
>
> On Wed, Apr 3, 2013 at 9:23 AM, Jan Lieskovsky <jlieskov@...hat.com>
> wrote:
>
> > Hello Kurt, Steve, Breno, vendors,
> >
> >   ModSecurity upstream has released v2.7.3 version:
> > [1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
> >
> > correcting one security flaw (from [2]):
> > "It was reported that the XML files parser of ModSecurity,
> > a security module for the Apache HTTP Server, was vulnerable
> > to XML External Entity attacks. A remote attacker could
> > provide a specially-crafted XML file that, when processed
> > might lead to local files disclosure or, potentially,
> > excessive resources (memory, CPU) consumption."
> >
> > References:
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=947842
> > [3] https://bugs.gentoo.org/show_bug.cgi?id=464188
> > [4] https://secunia.com/advisories/52847/
> >
> > Relevant upstream patch (seems to be the following):
> > [5]
> >
> https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
> >
> > Could you allocate a CVE id [*] for this?
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team
> >
> > [*] According to:
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity
> >     there doesn't seem to have been a CVE id allocated for this issue
> yet.
> >
>

[ CONTENT OF TYPE text/html SKIPPED ]

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ