Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1137280,
regarding bookworm-pu: package modsecurity/3.0.9-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137280: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137280
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: [email protected], [email protected], Debian 
Security Team <[email protected]>
Control: affects -1 + src:modsecurity
User: [email protected]
Usertags: pu

[ Reason ]
Fixes for CVE-2026-42268 and CVE-2026-30923

[ Impact ]
Possible segmentation faults resulting in DoS.

[ Tests ]
Fixed and tested by upstream.

[ Risks ]
Low risk, simple patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Use safer iteration loops.
diff -Nru modsecurity-3.0.9/debian/changelog modsecurity-3.0.9/debian/changelog
--- modsecurity-3.0.9/debian/changelog  2023-09-25 14:43:11.000000000 +0200
+++ modsecurity-3.0.9/debian/changelog  2026-04-30 17:13:44.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity (3.0.9-1+deb12u2) bookworm; urgency=medium
+
+  [ Ervin Hegedus ]
+  * Add fixes for CVE-2026-30923 and 2026-42268
+
+ -- Hegedüs Ervin <[email protected]>  Thu, 30 Apr 2026 17:13:44 +0200
+
 modsecurity (3.0.9-1+deb12u1) bookworm; urgency=medium
 
   * Applied upstream patch to fix DoS.
diff -Nru modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch 
modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch
--- modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch   1970-01-01 
01:00:00.000000000 +0100
+++ modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch   2026-04-30 
17:13:44.000000000 +0200
@@ -0,0 +1,39 @@
+From: Ervin Hegedus <[email protected]>
+Date: Thu, 30 Apr 2026 16:58:17 +0200
+Subject: fix-CVE-2026-30923
+
+---
+ src/actions/transformations/hex_decode.cc                          | 2 +-
+ .../secrules-language-tests/transformations/hexDecode.json         | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/actions/transformations/hex_decode.cc 
b/src/actions/transformations/hex_decode.cc
+index e626bc5..e5df0e8 100644
+--- a/src/actions/transformations/hex_decode.cc
++++ b/src/actions/transformations/hex_decode.cc
+@@ -64,7 +64,7 @@ int HexDecode::inplace(unsigned char *data, int len) {
+         return 0;
+     }
+ 
+-    for (i = 0; i <= len - 2; i += 2) {
++    for (std::string::size_type i = 0; i + 1 < len; i += 2) {
+         *d++ = utils::string::x2c(&data[i]);
+         count++;
+     }
+diff --git 
a/test/test-cases/secrules-language-tests/transformations/hexDecode.json 
b/test/test-cases/secrules-language-tests/transformations/hexDecode.json
+index 664fbd8..907a092 100644
+--- a/test/test-cases/secrules-language-tests/transformations/hexDecode.json
++++ b/test/test-cases/secrules-language-tests/transformations/hexDecode.json
+@@ -40,5 +40,12 @@
+        "input" : "01234567890a0",
+        "output" : "\\x01#Eg\\x89\\x0a",
+        "ret" : 1
++   },
++   {
++       "type" : "tfn",
++       "name" : "hexDecode",
++       "input" : "a",
++       "output" : "",
++       "ret" : 1
+    }
+ ]
diff -Nru modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch 
modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch
--- modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch   1970-01-01 
01:00:00.000000000 +0100
+++ modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch   2026-04-30 
17:13:44.000000000 +0200
@@ -0,0 +1,111 @@
+From: Ervin Hegedus <[email protected]>
+Date: Thu, 30 Apr 2026 17:03:11 +0200
+Subject: fix-CVE-2026-42268
+
+---
+ src/operators/verify_cpf.cc                                    |  2 +-
+ src/operators/verify_ssn.cc                                    |  2 +-
+ src/operators/verify_svnr.cc                                   |  2 +-
+ .../secrules-language-tests/operators/verifycpf.json           | 10 +++++++---
+ .../secrules-language-tests/operators/verifyssn.json           |  9 +++++++--
+ .../secrules-language-tests/operators/verifysvnr.json          | 10 +++++++---
+ 6 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/operators/verify_cpf.cc b/src/operators/verify_cpf.cc
+index 778584d..09d19a4 100644
+--- a/src/operators/verify_cpf.cc
++++ b/src/operators/verify_cpf.cc
+@@ -118,7 +118,7 @@ bool VerifyCPF::evaluate(Transaction *t, RuleWithActions 
*rule,
+         return false;
+     }
+ 
+-    for (i = 0; i < input.size() - 1 && is_cpf == false; i++) {
++    for (size_t i = 0; i + 1 < input.size() && !is_cpf; i++) {
+         matches = m_re->searchAll(input.substr(i, input.size()));
+         for (const auto & m : matches) {
+             is_cpf = verify(m.str().c_str(), m.str().size());
+diff --git a/src/operators/verify_ssn.cc b/src/operators/verify_ssn.cc
+index 59a36dd..b634182 100644
+--- a/src/operators/verify_ssn.cc
++++ b/src/operators/verify_ssn.cc
+@@ -120,7 +120,7 @@ bool VerifySSN::evaluate(Transaction *t, RuleWithActions 
*rule,
+         return false;
+     }
+ 
+-    for (i = 0; i < input.size() - 1 && is_ssn == false; i++) {
++    for (size_t i = 0; i + 1 < input.size() && !is_ssn; i++) {
+         matches = m_re->searchAll(input.substr(i, input.size()));
+         for (const auto & j : matches) {
+             is_ssn = verify(j.str().c_str(), j.str().size());
+diff --git a/src/operators/verify_svnr.cc b/src/operators/verify_svnr.cc
+index 248e6b4..fc7152a 100644
+--- a/src/operators/verify_svnr.cc
++++ b/src/operators/verify_svnr.cc
+@@ -87,7 +87,7 @@ bool VerifySVNR::evaluate(Transaction *t, RuleWithActions 
*rule,
+         return is_svnr;
+     }
+ 
+-    for (i = 0; i < input.size() - 1 && is_svnr == false; i++) {
++    for (size_t i = 0; i + 1 < input.size() && !is_svnr; i++) {
+         matches = m_re->searchAll(input.substr(i, input.size()));
+ 
+         for (const auto & j : matches) {
+diff --git a/test/test-cases/secrules-language-tests/operators/verifycpf.json 
b/test/test-cases/secrules-language-tests/operators/verifycpf.json
+index fe362a5..642be5f 100644
+--- a/test/test-cases/secrules-language-tests/operators/verifycpf.json
++++ b/test/test-cases/secrules-language-tests/operators/verifycpf.json
+@@ -12,8 +12,12 @@
+       "ret" : 0,
+       "type" : "op",
+       "name" : "verifycpf"
++   },
++   {
++      "param" : "([0-9]{3}\\.){2}[0-9]{3}-[0-9]{2}",
++      "input" : "",
++      "ret" : 0,
++      "type" : "op",
++      "name" : "verifycpf"
+    }
+-
+-
+-
+ ]
+diff --git a/test/test-cases/secrules-language-tests/operators/verifyssn.json 
b/test/test-cases/secrules-language-tests/operators/verifyssn.json
+index 9ded1af..2c5b001 100644
+--- a/test/test-cases/secrules-language-tests/operators/verifyssn.json
++++ b/test/test-cases/secrules-language-tests/operators/verifyssn.json
+@@ -26,7 +26,12 @@
+       "ret" : 0,
+       "type" : "op",
+       "name" : "verifyssn"
++   },
++   {
++      "param" : "\\d{3}-?\\d{2}-?\\d{4}",
++      "input" : "",
++      "ret" : 0,
++      "type" : "op",
++      "name" : "verifyssn"
+    }
+-
+-
+ ]
+diff --git a/test/test-cases/secrules-language-tests/operators/verifysvnr.json 
b/test/test-cases/secrules-language-tests/operators/verifysvnr.json
+index 426dd86..52f6cdf 100644
+--- a/test/test-cases/secrules-language-tests/operators/verifysvnr.json
++++ b/test/test-cases/secrules-language-tests/operators/verifysvnr.json
+@@ -19,8 +19,12 @@
+       "ret" : 0,
+       "type" : "op",
+       "name" : "verifysvnr"
++   },
++   {
++      "param" : "([0-9]{4} ?[0-9]{6})",
++      "input" : "",
++      "ret" : 0,
++      "type" : "op",
++      "name" : "verifysvnr"
+    }
+-
+-
+-
+ ]
diff -Nru modsecurity-3.0.9/debian/patches/series 
modsecurity-3.0.9/debian/patches/series
--- modsecurity-3.0.9/debian/patches/series     2023-09-25 14:43:11.000000000 
+0200
+++ modsecurity-3.0.9/debian/patches/series     2026-04-30 17:13:44.000000000 
+0200
@@ -1,3 +1,5 @@
 disable-network-dependent-tests.patch
 ftbfs_1034760.patch
 cve-2023-38285.diff
+fix-CVE-2026-30923.patch
+fix-CVE-2026-42268.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to