Your message dated Sat, 24 Jan 2026 23:47:48 +0000
with message-id <[email protected]>
and subject line Bug#1125084: fixed in modsecurity-crs 3.3.7-1+deb13u1
has caused the Debian Bug report #1125084,
regarding modsecurity-crs: CVE-2026-21876
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: modsecurity-crs
Version: 3.3.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for modsecurity-crs.
CVE-2026-21876[0]:
| The OWASP core rule set (CRS) is a set of generic attack detection
| rules for use with compatible web application firewalls. Prior to
| versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when
| processing multipart requests with multiple parts. When the first
| rule in a chain iterates over a collection (like
| `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`)
| get overwritten with each iteration. Only the last captured value is
| available to the chained rule, which means malicious charsets in
| earlier parts can be missed if a later part has a legitimate
| charset. Versions 4.22.0 and 3.3.8 patch the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21876
https://www.cve.org/CVERecord?id=CVE-2026-21876
[1] https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
[2] https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
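The capture overwrite described in the CVE text above, modelled as an added Python example (not part of the bug report and not CRS or ModSecurity code). The regex, the allow-list and the part headers are constructed assumptions; `check_every_part` is one way to evaluate each part, not the upstream patch.

```python
import re

# Assumption: simplified stand-in for a charset-extracting pattern, not the CRS regex.
CHARSET_RE = re.compile(r'charset\s*=\s*["\']?([^;"\'\s]+)', re.IGNORECASE)
# Assumption: example allow-list; a real deployment configures its own.
ALLOWED = {"utf-8", "iso-8859-1"}


def chain_last_capture(part_headers):
    """Model of the behaviour in the CVE text: the first rule iterates the
    collection, every match overwrites the capture slot (TX:1), and the
    chained rule then sees only the value left by the last iteration."""
    tx = {}
    for header in part_headers:
        match = CHARSET_RE.search(header)
        if match:
            tx["1"] = match.group(1).lower()  # earlier captures are lost here
    if "1" not in tx:
        return []
    return [] if tx["1"] in ALLOWED else [tx["1"]]


def check_every_part(part_headers):
    """Validate each captured charset before moving to the next part."""
    rejected = []
    for header in part_headers:
        match = CHARSET_RE.search(header)
        if match and match.group(1).lower() not in ALLOWED:
            rejected.append(match.group(1).lower())
    return rejected


# Constructed sample: stand-ins for two MULTIPART_PART_HEADERS values.
SAMPLE_PARTS = [
    "Content-Type: text/plain; charset=x-example-charset",  # not on the allow-list
    "Content-Type: text/plain; charset=utf-8",              # allowed, evaluated last
]

if __name__ == "__main__":
    print("last-capture model rejects:", chain_last_capture(SAMPLE_PARTS))
    print("per-part check rejects:   ", check_every_part(SAMPLE_PARTS))
```

The two functions disagree only when a part with an allowed charset follows one with a disallowed charset, which is the ordering the advisory describes.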
--- Begin Message ---
Source: modsecurity-crs
Source-Version: 3.3.7-1+deb13u1
Done: Ervin Hegedüs <[email protected]>
We believe that the bug you reported is fixed in the latest version of
modsecurity-crs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ervin Hegedüs <[email protected]> (supplier of updated modsecurity-crs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Jan 2026 17:00:48 +0100
Source: modsecurity-crs
Architecture: source
Version: 3.3.7-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Ervin Hegedus <[email protected]>
Changed-By: Ervin Hegedüs <[email protected]>
Closes: 1125084
Changes:
modsecurity-crs (3.3.7-1+deb13u1) trixie-security; urgency=medium
.
* Fixes CVE-2026-21876 (Closes: #1125084)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---