Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1516728290.1074389.1364991799818.JavaMail.root@redhat.com>
Date: Wed, 3 Apr 2013 08:23:19 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Breno Silva <breno.silva@...il.com>
Subject: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks

Hello Kurt, Steve, Breno, vendors,

  ModSecurity upstream has released v2.7.3 version:
[1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

correcting one security flaw (from [2]):
"It was reported that the XML files parser of ModSecurity,
a security module for the Apache HTTP Server, was vulnerable
to XML External Entity attacks. A remote attacker could
provide a specially-crafted XML file that, when processed
might lead to local files disclosure or, potentially,
excessive resources (memory, CPU) consumption."

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=947842
[3] https://bugs.gentoo.org/show_bug.cgi?id=464188
[4] https://secunia.com/advisories/52847/

Relevant upstream patch (seems to be the following):
[5] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe

Could you allocate a CVE id [*] for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

[*] According to: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity
    there doesn't seem to have been a CVE id allocated for this issue yet.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.