Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

(again, see #992863)

This [1] security bug was found in modsecurity-crs. As stated in #992863 by the security team, a DSA won't be issued (security team on Cc:), so I'm targeting bullseye proposed updates instead. Here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading.

Cheers,

Alberto

[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000

-- 
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: a...@inittab.org | for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.3.0/debian/changelog modsecurity-crs-3.3.0/debian/changelog --- modsecurity-crs-3.3.0/debian/changelog 2020-08-16 20:24:09.000000000 +0200 +++ modsecurity-crs-3.3.0/debian/changelog 2021-08-24 17:40:57.000000000 +0200 @@ -1,3 +1,10 @@ +modsecurity-crs (3.3.0-1+deb11u1) bullseye; urgency=medium + + * Add upstream patch to fix request body bypass + CVE-2021-35368 (Closes: #992000) + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Tue, 24 Aug 2021 17:40:57 +0200 + modsecurity-crs (3.3.0-1) unstable; urgency=medium * New upstream version 3.3.0 diff -Nru modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch --- modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.000000000 +0100 +++ modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 2021-08-24 17:40:57.000000000 +0200 
@@ -0,0 +1,136 @@ +From b05cd8569862ee9599edd153a09cbbca2c74600a Mon Sep 17 00:00:00 2001 +From: Walter Hop <wal...@lifeforms.nl> +Date: Wed, 30 Jun 2021 12:37:56 +0200 +Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) + +--- +diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +index f29ab3e1..2e5ce88f 100644 +--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf ++++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +@@ -64,6 +64,15 @@ + + SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ + "id:9001000,\ ++ phase:1,\ ++ pass,\ ++ t:none,\ ++ nolog,\ ++ ver:'OWASP_CRS/3.3.0',\ ++ skipAfter:END-DRUPAL-RULE-EXCLUSIONS" ++ ++SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ ++ "id:9001001,\ + phase:2,\ + pass,\ + t:none,\ +@@ -267,55 +276,60 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht + # + # Extensive checks make sure these uploads are really legitimate. 
+ # +-SecRule REQUEST_METHOD "@streq POST" \ +- "id:9001180,\ +- phase:1,\ +- pass,\ +- t:none,\ +- nolog,\ +- noauditlog,\ +- ver:'OWASP_CRS/3.3.0',\ +- chain" +- SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ +- "chain" +- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +- "ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +- "id:9001182,\ +- phase:1,\ +- pass,\ +- t:none,\ +- nolog,\ +- noauditlog,\ +- ver:'OWASP_CRS/3.3.0',\ +- chain" +- SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ +- "chain" +- SecRule ARGS:destination "@streq admin/content/assets" \ +- "chain" +- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +- "chain" +- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +- "ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +- "id:9001184,\ +- phase:1,\ +- pass,\ +- t:none,\ +- nolog,\ +- noauditlog,\ +- ver:'OWASP_CRS/3.3.0',\ +- chain" +- SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ +- "chain" +- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +- "chain" +- SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ +- "chain" +- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +- "ctl:requestBodyAccess=Off" ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++# "id:9001180,\ ++# phase:1,\ ++# pass,\ +# t:none,\ ++# nolog,\ ++# noauditlog,\ ++# ver:'OWASP_CRS/3.3.0',\ ++# chain" ++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ ++# "chain" ++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++# "ctl:requestBodyAccess=Off" ++ ++# Rule 9001182 was commented out in 2021 in order to fight CVE-2021-35368. 
++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++# "id:9001182,\ ++# phase:1,\ ++# pass,\ ++# t:none,\ ++# nolog,\ ++# noauditlog,\ ++# ver:'OWASP_CRS/3.3.0',\ ++# chain" ++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ ++# "chain" ++# SecRule ARGS:destination "@streq admin/content/assets" \ ++# "chain" ++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ ++# "chain" ++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++# "ctl:requestBodyAccess=Off" ++ ++# Rule 9001184 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++# "id:9001184,\ ++# phase:1,\ ++# pass,\ ++# t:none,\ ++# nolog,\ ++# noauditlog,\ ++# ver:'OWASP_CRS/3.3.0',\ ++# chain" ++# SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ ++# "chain" ++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ ++# "chain" ++# SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ ++# "chain" ++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++# "ctl:requestBodyAccess=Off" + + + # diff -Nru modsecurity-crs-3.3.0/debian/patches/series modsecurity-crs-3.3.0/debian/patches/series --- modsecurity-crs-3.3.0/debian/patches/series 2020-08-16 20:12:36.000000000 +0200 +++ modsecurity-crs-3.3.0/debian/patches/series 2021-08-24 17:40:57.000000000 +0200 @@ -1 +1,2 @@ fix_paths +CVE-2021-35368.patch