Date: Mon, 8 Apr 2013 15:34:15 -0300 From: Breno Silva <breno.silva@...il.com> To: Jan Lieskovsky <jlieskov@...hat.com> Cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks Hello Jan, Are you guys backporting de patch to old versions of ModSecurity ? Thanks Breno On Wed, Apr 3, 2013 at 9:23 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote: > Hello Kurt, Steve, Breno, vendors, > > ModSecurity upstream has released v2.7.3 version: >  https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES > > correcting one security flaw (from ): > "It was reported that the XML files parser of ModSecurity, > a security module for the Apache HTTP Server, was vulnerable > to XML External Entity attacks. A remote attacker could > provide a specially-crafted XML file that, when processed > might lead to local files disclosure or, potentially, > excessive resources (memory, CPU) consumption." > > References: >  https://bugzilla.redhat.com/show_bug.cgi?id=947842 >  https://bugs.gentoo.org/show_bug.cgi?id=464188 >  https://secunia.com/advisories/52847/ > > Relevant upstream patch (seems to be the following): >  > https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe > > Could you allocate a CVE id [*] for this? > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team > > [*] According to: > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ModSecurity > there doesn't seem to have been a CVE id allocated for this issue yet. >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.