Your message dated Wed, 05 Nov 2025 21:32:18 +0000
with message-id <[email protected]>
and subject line Bug#1110480: fixed in modsecurity-apache 2.9.11-1+deb13u1
has caused the Debian Bug report #1110480,
regarding modsecurity-apache: CVE-2025-54571
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110480
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: modsecurity-apache
Version: 2.9.11-1
Severity: important
Tags: upstream
Forwarded: https://github.com/owasp-modsecurity/ModSecurity/issues/2514
X-Debbugs-Cc: [email protected]
Hi,
The following vulnerability was published for modsecurity-apache.
CVE-2025-54571[0]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11
| and below, an attacker can override the HTTP response’s Content-Type,
| which could lead to several issues depending on the HTTP
| scenario. For example, we have demonstrated the potential for XSS
| and arbitrary script source code disclosure in the latest version of
| mod_security2. This issue is fixed in version 2.9.12.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-54571
https://www.cve.org/CVERecord?id=CVE-2025-54571
[1] https://github.com/owasp-modsecurity/ModSecurity/issues/2514
[2] https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-cg44-9m43-3f9v
[3] https://github.com/owasp-modsecurity/ModSecurity/commit/dfbde557acc41d858dbe04d4b6eaec64478347ff
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: modsecurity-apache
Source-Version: 2.9.11-1+deb13u1
Done: Ervin Hegedüs <[email protected]>
We believe that the bug you reported is fixed in the latest version of
modsecurity-apache, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ervin Hegedüs <[email protected]> (supplier of updated modsecurity-apache
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 Aug 2025 13:40:00 +0200
Source: modsecurity-apache
Architecture: source
Version: 2.9.11-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Ervin Hegedus <[email protected]>
Changed-By: Ervin Hegedüs <[email protected]>
Closes: 1110480
Changes:
modsecurity-apache (2.9.11-1+deb13u1) trixie; urgency=medium
.
* Add patch against new CVE; Fixes CVE-2025-54571 (Closes: #1110480)
* Remove d/patches/aclocal.patch, not necessary
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---