Hi Salvatore,
On Wed, Aug 06, 2025 at 08:17:02PM +0200, Salvatore Bonaccorso wrote:
> Source: modsecurity-apache
> Version: 2.9.11-1
> Severity: important
> Tags: upstream
> Forwarded: https://github.com/owasp-modsecurity/ModSecurity/issues/2514
> X-Debbugs-Cc: [email protected]
>
> Hi,
>
> The following vulnerability was published for modsecurity-apache.
>
> CVE-2025-54571[0]:
> | ModSecurity is an open source, cross platform web application
> | firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11
> | and below, an attacker can override the HTTP response’s
> | Content-Type, which could lead to several issues depending on the
> | HTTP scenario. For example, we have demonstrated the potential for
> | XSS and arbitrary script source code disclosure in the latest version
> | of mod_security2. This issue is fixed in version 2.9.12.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Thanks for sharing this. The new upstream is already prepared in Salsa, and the d/changelog contains the CVE:

https://salsa.debian.org/modsecurity-packaging-team/modsecurity-apache/-/blob/master/debian/changelog?ref_type=heads#L5

Alberto (@agi) will upload the package soon.

I'm going to create a patch for Bookworm soon.

a.

