Of course I forgot to attach the debdiff…
diff -Nru modsecurity-crs-3.3.4/debian/changelog modsecurity-crs-3.3.4/debian/changelog
--- modsecurity-crs-3.3.4/debian/changelog 2026-01-10 17:35:44.000000000 +0100
+++ modsecurity-crs-3.3.4/debian/changelog 2026-02-22 09:39:48.000000000 +0100
@@ -1,6 +1,15 @@
+modsecurity-crs (3.3.4-1+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload for the LTS team, targeting o-s-p-u.
+ * Backported from upstream 3.3.5:
+ - CVE-2023-38199 - WAF bypass (Closes: #1041109)
+ * Enable salsa-ci.
+
+ -- Tobias Frost <[email protected]> Sun, 22 Feb 2026 09:39:48 +0100
+
 modsecurity-crs (3.3.4-1+deb12u1) bookworm-security; urgency=medium
- * Fixes CVE-2025-21876 (Closes: #1125084)
+ * Fixes CVE-2026-21876 (Closes: #1125084)
 -- Ervin Hegedüs <[email protected]> Sat, 10 Jan 2026 17:35:44 +0100
diff -Nru modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch
--- modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch 2026-02-17 20:38:44.000000000 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2023-38199 - WAF bypass
+Origin: https://github.com/coreruleset/coreruleset/pull/3253
+Origin: (backported from:) https://github.com/coreruleset/coreruleset/pull/3237
+Bug: https://github.com/coreruleset/coreruleset/issues/3191
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109
+
+From 621600fbfcb88c51cc4beaddcc6896d1b837d23f Mon Sep 17 00:00:00 2001
+From: Felipe Zipitria <[email protected]>
+Date: Mon, 17 Jul 2023 22:51:53 +0200
+Subject: [PATCH] feat: new rule 920620
+
+Signed-off-by: Felipe Zipitria <[email protected]>
+---
+ rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 31 +++++++++++++++++++
+ .../920620.yaml | 17 ++++++++++
+ 2 files changed, 48 insertions(+)
+ create mode 100644 tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml
+
+diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+index 6aae1a99a0..4e3ca293b5 100644
+--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
++++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+@@ -1161,6 +1161,37 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
++#
++# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
++# Content-Type confusion poses a significant security risk to a web application. It occurs when
++# the server and client have different interpretations of the Content-Type header, leading to
++# miscommunication, potential exploitation and WAF bypass.
++#
++# Using Apache, when multiple Content-Type request headers are received, the server combines them
++# into a single header with the values separated by commas. 
For example, if a client sends multiple
++# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
++# into a single header like this: "Content-Type: application/json, text/plain".
++#
++# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
++# header as a separate entity without combining them. So, if a client sends multiple Content-Type
++# headers, Nginx will keep them separate, maintaining the original values.
++#
++SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
++ "id:920620,\
++ phase:1,\
++ block,\
++ t:none,\
++ msg:'Multiple Content-Type Request Headers',\
++ logdata:'%{MATCHED_VAR}',\
++ tag:'application-multi',\
++ tag:'language-multi',\
++ tag:'platform-multi',\
++ tag:'attack-protocol',\
++ tag:'paranoia-level/1',\
++ tag:'OWASP_CRS',\
++ ver:'OWASP_CRS/3.3.4',\
++ severity:'CRITICAL',\
++ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml
+new file mode 100644
+index 0000000000..7fa4b050ca
+--- /dev/null
++++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml
+@@ -0,0 +1,17 @@
++---
++meta:
++ author: "Andrea (theMiddle) Menin"
++ enabled: false
++ name: "920620.yaml"
++ description: "Tests for 920620"
++tests:
++ - test_title: 920620-1
++ desc: Multiple Content-Type request headers
++ stages:
++ - stage:
++ input:
++ dest_addr: "127.0.0.1"
++ port: 80
++ encoded_request: 
"R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
++ output:
++ log_contains: "id \"920620\""
diff -Nru modsecurity-crs-3.3.4/debian/patches/series modsecurity-crs-3.3.4/debian/patches/series
--- modsecurity-crs-3.3.4/debian/patches/series 2026-01-10 17:35:44.000000000 +0100
+++ modsecurity-crs-3.3.4/debian/patches/series 2026-02-22 09:39:48.000000000 +0100
@@ -1,2 +1,3 @@
 fix_paths
 cve-2026-21876.patch
+CVE-2023-38199.patch
diff -Nru modsecurity-crs-3.3.4/debian/salsa-ci.yml modsecurity-crs-3.3.4/debian/salsa-ci.yml
--- modsecurity-crs-3.3.4/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-crs-3.3.4/debian/salsa-ci.yml 2026-02-22 09:39:48.000000000 +0100
@@ -0,0 +1,6 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
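Review bot: The backported rule 920620 fires only on a header count, `SecRule &REQUEST_HEADERS:Content-Type "@gt 1"`, yet the comment block right above it states that Apache merges duplicate Content-Type request headers into one comma-separated value, in which case the count seen by that operator would stay at 1 and the rule would not trigger on Apache deployments; that appears to leave the CVE-2023-38199 fix effective for Nginx only, though I cannot see from the debdiff how the deployed mod_security build presents the header. If that scope is accepted for this LTS backport, the patch's `Description:` line should say so, and a complementary check on the merged value (a comma-separated Content-Type) is worth considering so Apache-fronted installs are covered as well. The shipped regression test `920620.yaml` carries `enabled: false`, so the new rule is not exercised by the test suite; if the runner cannot replay the raw `encoded_request`, a short comment in the test's `meta:` block stating that reason would save the next maintainer from re-enabling it blind. `ver:'OWASP_CRS/3.3.4'` is consistent with the rest of the 3.3.4 rule set, which is the right choice for a backport.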

