Your message dated Sat, 24 Jan 2026 11:34:33 +0000
with message-id <[email protected]>
and subject line Bug#1125084: fixed in modsecurity-crs 3.3.4-1+deb12u1
has caused the Debian Bug report #1125084,
regarding modsecurity-crs: CVE-2026-21876
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: modsecurity-crs
Version: 3.3.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for modsecurity-crs.
CVE-2026-21876[0]:
| The OWASP core rule set (CRS) is a set of generic attack detection
| rules for use with compatible web application firewalls. Prior to
| versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when
| processing multipart requests with multiple parts. When the first
| rule in a chain iterates over a collection (like
| `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`)
| get overwritten with each iteration. Only the last captured value is
| available to the chained rule, which means malicious charsets in
| earlier parts can be missed if a later part has a legitimate
| charset. Versions 4.22.0 and 3.3.8 patch the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21876
    https://www.cve.org/CVERecord?id=CVE-2026-21876
[1] https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
[2] https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
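An added illustration of the capture-overwrite behaviour described in the CVE-2026-21876 text above; it is not part of the bug report, not the CRS rule and not the ModSecurity engine. The allow-list, regular expression, header values and function names are constructed assumptions that only model a chained rule reading `TX:1` after the first rule has iterated over a `MULTIPART_PART_HEADERS`-style collection.

```python
import re

# Assumed allow-list and pattern for illustration; not the text of rule 922110.
ALLOWED = {"utf-8", "iso-8859-1"}
CHARSET_RE = re.compile(r'charset\s*=\s*"?([\w.-]+)', re.I)

# Constructed collection: one entry per multipart part header.
PART_HEADERS = [
    "Content-Type: text/plain; charset=x-unlisted-charset",  # earlier part
    "Content-Type: text/plain; charset=utf-8",               # later part
]


def chained_on_last_capture(headers):
    """Model of the flaw: the first rule loops over the collection, every
    match overwrites TX:0/TX:1, and the chained rule runs once afterwards."""
    tx = {}
    for value in headers:
        m = CHARSET_RE.search(value)
        if m:
            tx["0"], tx["1"] = m.group(0), m.group(1).lower()
    if "1" not in tx:
        return []
    # Only the surviving (last) capture is compared with the allow-list.
    return [] if tx["1"] in ALLOWED else [tx["1"]]


def checked_per_capture(headers):
    """Alternative model: compare each capture before it can be overwritten."""
    flagged = []
    for value in headers:
        m = CHARSET_RE.search(value)
        if m and m.group(1).lower() not in ALLOWED:
            flagged.append(m.group(1).lower())
    return flagged


if __name__ == "__main__":
    # The result of the flawed model depends on part order; the other does not.
    for order in (PART_HEADERS, PART_HEADERS[::-1]):
        print(chained_on_last_capture(order), checked_per_capture(order))
```

The per-capture function is one way to avoid the loss in this model; it is not a description of the upstream patch in 4.22.0 or 3.3.8.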
--- Begin Message ---
Source: modsecurity-crs
Source-Version: 3.3.4-1+deb12u1
Done: Ervin Hegedüs <[email protected]>
We believe that the bug you reported is fixed in the latest version of
modsecurity-crs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ervin Hegedüs <[email protected]> (supplier of updated modsecurity-crs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Jan 2026 17:35:44 +0100
Source: modsecurity-crs
Architecture: source
Version: 3.3.4-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Ervin Hegedüs <[email protected]>
Closes: 1125084
Changes:
modsecurity-crs (3.3.4-1+deb12u1) bookworm-security; urgency=medium
.
* Fixes CVE-2025-21876 (Closes: #1125084)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---