Your message dated Fri, 12 Apr 2013 18:02:04 +0000
with message-id <[email protected]>
and subject line Bug#704625: fixed in libapache-mod-security 2.5.12-1+squeeze2
has caused the Debian Bug report #704625,
regarding modsecurity-apache: CVE-2013-1915: Vulnerable to XXE attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
704625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: modsecurity-apache
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for modsecurity-apache.
CVE-2013-1915[0]:
Vulnerable to XXE attacks
Patches were added upstream for 2.7.3[1,2] but might need some
adjustments for current versions in Debian.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://security-tracker.debian.org/tracker/CVE-2013-1915
[1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
[2] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libapache-mod-security
Source-Version: 2.5.12-1+squeeze2
We believe that the bug you reported is fixed in the latest version of
libapache-mod-security, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[email protected]> (supplier of updated
libapache-mod-security package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 02 Jul 2012 14:47:33 +0000
Source: libapache-mod-security
Binary: libapache-mod-security mod-security-common
Architecture: source all i386
Version: 2.5.12-1+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Alberto Gonzalez Iniesta <[email protected]>
Description:
 libapache-mod-security - Tighten web applications security for Apache
 mod-security-common - Tighten web applications security - common files
Closes: 704625
Changes:
 libapache-mod-security (2.5.12-1+squeeze2) stable-security; urgency=high
 .
   * CVE-2013-1915: Fix for XXE attacks.
     Applied backported patch from 2.7.3. (Closes: #704625)
     Adds new SecXmlExternalEntity option which by default (Off) disables
     the external entity load task executed by libxml2.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlFi4zgACgkQxRSvjkukAcNb0QCfe13uxOQbiHNw76trXYjfL1ZZ
fngAoKmoalP/SdXgYiq6qnG54smYW4+J
=PO0x
-----END PGP SIGNATURE-----
--- End Message ---
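
The changelog above says the backported fix adds SecXmlExternalEntity, which defaults to Off. As an added example (not part of the original messages, nor ModSecurity or Debian code), the following Python script lists where an Apache configuration sets that directive and flags the places that turn external entity loading back on. The sample configuration is constructed and the function names are hypothetical.

```python
# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
# ModSecurity base settings
SecRuleEngine On
secxmlexternalentity Off
<Location /api/import>
    SecXmlExternalEntity \\
        On
</Location>
# SecXmlExternalEntity On   (commented out, must be ignored)
"""

DIRECTIVE = "secxmlexternalentity"  # Apache directive names are case-insensitive


def logical_lines(text):
    """Yield (first_line_number, joined_text), joining backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        yield start, buf


def audit(text):
    """Return (line, value) for each active SecXmlExternalEntity directive."""
    found = []
    for num, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() != DIRECTIVE:
            continue
        value = parts[1].strip().strip("\"'") if len(parts) > 1 else ""
        found.append((num, value.capitalize()))
    return found


def risky_lines(text):
    """Line numbers where external entity loading is explicitly re-enabled."""
    return [num for num, value in audit(text) if value == "On"]


if __name__ == "__main__":
    for num, value in audit(SAMPLE_CONF):
        print(f"line {num}: SecXmlExternalEntity {value}")
    print("re-enabled at lines:", risky_lines(SAMPLE_CONF) or "none (default Off)")
```

An empty result from `risky_lines` means the configuration relies on the default (Off) or sets it explicitly; the script does not resolve Include directives or per-context merging.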