Your message dated Thu, 09 Sep 2021 07:47:08 +0000
with message-id <[email protected]>
and subject line Bug#992000: fixed in modsecurity-crs 3.3.0-1+deb11u1
has caused the Debian Bug report #992000,
regarding modsecurity-crs: Needs update to 3.3.2 for CVE-2021-35368
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: modsecurity-crs
Version: 3.3.0-1
Severity: normal

Dear Maintainer,

The version of modsecurity-crs contains a vulnerability and needs to be
updated to 3.3.2 to get the security fix:

https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/

-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (800, 'testing'), (750, 'proposed-updates'), (700, 'stable'), (600, 'oldstable'), (200, 'unstable'), (160, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

modsecurity-crs depends on no packages.

Versions of packages modsecurity-crs recommends:
ii  libapache2-mod-security2  2.9.3-3

Versions of packages modsecurity-crs suggests:
pn  geoip-database-contrib  <none>
pn  lua                     <none>
pn  python                  <none>
ii  ruby                    1:2.7+2

-- Configuration Files:
/etc/modsecurity/crs/crs-setup.conf changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf (from modsecurity-crs package)

--- End Message ---
--- Begin Message ---
Source: modsecurity-crs
Source-Version: 3.3.0-1+deb11u1
Done: Alberto Gonzalez Iniesta <[email protected]>

We believe that the bug you reported is fixed in the latest version of
modsecurity-crs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[email protected]> (supplier of updated modsecurity-crs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 24 Aug 2021 17:40:57 +0200
Source: modsecurity-crs
Binary: modsecurity-crs
Architecture: source all
Version: 3.3.0-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Alberto Gonzalez Iniesta <[email protected]>
Description:
 modsecurity-crs - OWASP ModSecurity Core Rule Set
Closes: 992000
Changes:
 modsecurity-crs (3.3.0-1+deb11u1) bullseye; urgency=medium
 .
   * Add upstream patch to fix request body bypass
     CVE-2021-35368 (Closes: #992000)


--- End Message ---
