Date: Wed, 3 Apr 2013 08:23:19 -0400 (EDT) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org>, Breno Silva <breno.silva@...il.com> Subject: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Hello Kurt, Steve, Breno, vendors, ModSecurity upstream has released v2.7.3 version:  https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES correcting one security flaw (from ): "It was reported that the XML files parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed might lead to local files disclosure or, potentially, excessive resources (memory, CPU) consumption." References:  https://bugzilla.redhat.com/show_bug.cgi?id=947842  https://bugs.gentoo.org/show_bug.cgi?id=464188  https://secunia.com/advisories/52847/ Relevant upstream patch (seems to be the following):  https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe Could you allocate a CVE id [*] for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team [*] According to: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity there doesn't seem to have been a CVE id allocated for this issue yet.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.