Date: Tue, 9 Apr 2013 09:17:58 -0300 From: Breno Silva <breno.silva@...il.com> To: Jan Lieskovsky <jlieskov@...hat.com> Cc: "Steven M. Christey" <coley@...us.mitre.org>, oss-security@...ts.openwall.com, Athmane Madjoudj <athmanem@...il.com> Subject: Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Hello Jan, I'm attaching a patch for 2.5.12. However it is small and i think can help you do the same for 2.6.8. Let me know if you have any questions. Thanks Breno On Tue, Apr 9, 2013 at 6:26 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote: > Hi Breno, > > (Cc-ing Athmane on this due reasons which will get obvious below). > > thank you for checking with us. > > AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have > just rebased to latest upstream 2.7.3 version. But you are truly > right (assuming this being the reason you are checking with us), > that on Fedora EPEL-5 we are shipping older (2.6.8 based version > of ModSecurity). > > FWIHL: >  https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1 > > it's wasn't immediately clear how the backported upstream patch > would look like in / against that version (and not completely > sure we can just rebase in that product too - Athmane could you > clarify here if we can rebase or would rather want upstream patch > form against 2.6.8 version?) > > Breno, so if you are willing to help (and Athmane would confirm > we need patch against 2.6.8 version), it would be appreciated > if you could provide it. > > That's just for our expectations. Obviously other vendors might > be interested in upstream patch backports against different versions > yet (but I will let them to speak out their needs by themselves). > > Thank you for your time / check anyway. It's appreciated. > > Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team > > > ----- Original Message ----- > Hello Jan, > > Are you guys backporting de patch to old versions of ModSecurity ? > > Thanks > > Breno > > > On Wed, Apr 3, 2013 at 9:23 AM, Jan Lieskovsky <jlieskov@...hat.com> > wrote: > > > Hello Kurt, Steve, Breno, vendors, > > > > ModSecurity upstream has released v2.7.3 version: > >  https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES > > > > correcting one security flaw (from ): > > "It was reported that the XML files parser of ModSecurity, > > a security module for the Apache HTTP Server, was vulnerable > > to XML External Entity attacks. A remote attacker could > > provide a specially-crafted XML file that, when processed > > might lead to local files disclosure or, potentially, > > excessive resources (memory, CPU) consumption." > > > > References: > >  https://bugzilla.redhat.com/show_bug.cgi?id=947842 > >  https://bugs.gentoo.org/show_bug.cgi?id=464188 > >  https://secunia.com/advisories/52847/ > > > > Relevant upstream patch (seems to be the following): > >  > > > https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe > > > > Could you allocate a CVE id [*] for this? > > > > Thank you && Regards, Jan. > > -- > > Jan iankko Lieskovsky / Red Hat Security Response Team > > > > [*] According to: > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity > > there doesn't seem to have been a CVE id allocated for this issue > yet. > > > [ CONTENT OF TYPE text/html SKIPPED ] [ CONTENT OF TYPE application/octet-stream SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ