Hi Ervin,

[CC to security team alias to document the questions]

On Wed, Aug 06, 2025 at 09:02:00PM +0200, Ervin Hegedüs wrote:
> Hi Salvatore,
> 
> 
> On Wed, Aug 06, 2025 at 08:17:02PM +0200, Salvatore Bonaccorso wrote:
> > Source: modsecurity-apache
> > Version: 2.9.11-1
> > Severity: important
> > Tags: upstream
> > Forwarded: https://github.com/owasp-modsecurity/ModSecurity/issues/2514
> > X-Debbugs-Cc: [email protected]
> > 
> > Hi,
> > 
> > The following vulnerability was published for modsecurity-apache.
> > 
> > CVE-2025-54571[0]:
> > | ModSecurity is an open source, cross platform web application
> > | firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11
> > | and below, an attacker can override the HTTP response’s
> > | Content-Type, which could lead to several issues depending on the HTTP
> > | scenario. For example, we have demonstrated the potential for XSS
> > | and arbitrary script source code disclosure in the latest version of
> > | mod_security2. This issue is fixed in version 2.9.12.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Thanks for sharing this.
> 
> The new upstream is already prepared in Salsa, and the
> d/changelog contains the CVE:
> 
> https://salsa.debian.org/modsecurity-packaging-team/modsecurity-apache/-/blob/master/debian/changelog?ref_type=heads#L5
> 
> 
> Alberto (@agi) will upload the package soon.
> 
> I'm going to create a patch for Bookworm soon.

Thanks for your quick response.

Note that we are in the quiet week before the trixie release.

My gut feeling is that the update does not necessarily need a DSA,
would you agree? If so the changes should go (after the trixie release
this weekend) to the first trixie point release and as well to the
next bookworm point release.

But happy to hear your opinion.

Regards,
Salvatore
