Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: affects -1 + src:modsecurity-crs
User: [email protected]
Usertags: pu
This o-s-p-u fixes CVE-2023-38199, previously uploaded to LTS and ELTS to close the gap in bookworm. I was in close contact with the maintainer (also upstream) when creating the (E)LTS updates, and LTS is the same version as bookworm. Please see the attached debdiff. The security vulnerability is a web application firewall (WAF) bypass.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Besides the patch for the CVE, originating from upstream, I've enabled salsa-ci and also fixed a typo in the previous security upload, as the year of the fixed CVE was off-by-one.

I'll be uploading the package to o-s-p-u after sending this mail.

-- tobi

