Hi Salvatore,

just for the record: patches and new releases are already uploaded to salsa.

Bookworm:
https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/commit/3c59f9a64930170b9fbd8def0cf2b25afe4dd1f0

Trixie:
https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/commit/e9689ae96a2a93078c8df0e27d4b07c2a164bf2f

Sid:
https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/commit/de852112273289293d789fe2de559ccf5ca5b4f1

Regards,

a.



On Sun, Jul 12, 2026 at 10:27 PM Salvatore Bonaccorso <[email protected]>
wrote:

> Source: modsecurity
> Version: 3.0.15-1
> Severity: important
> Tags: upstream
> X-Debbugs-Cc: [email protected]
>
> Hi,
>
> The following vulnerabilities were published for modsecurity.
>
> CVE-2026-52747[0]:
> | ModSecurity is an open source, cross platform web application
> | firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16,
> | the multipart/form-data request body parser in libmodsecurity
> | silently removes embedded line breaks from non-file form-field
> | values before exporting them to ARGS and ARGS_POST because
> | src/request_body_processor/multipart.cc overwrites reserved bytes in
> | m_reserve instead of appending the current buffer. This creates a
> | parser differential between ModSecurity and backend applications
> | that preserve line breaks in form fields, allowing rules that
> | inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax
> | depends on a line break. This issue is fixed in version 3.0.16.
>
>
> CVE-2026-52761[1]:
> | ModSecurity is an open source, cross platform web application
> | firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through
> | 3.0.15, the t:utf8toUnicode transformation in
> | src/actions/transformations/utf8_to_unicode.cc produces wrong output
> | on i386 architecture because snprintf uses sizeof on a char pointer
> | rather than the length of the unicode buffer, allowing rules that
> | use this transformation to be bypassed on i386 architecture. This
> | issue is fixed in version 3.0.16.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-52747
>     https://www.cve.org/CVERecord?id=CVE-2026-52747
>
> https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88
> [1] https://security-tracker.debian.org/tracker/CVE-2026-52761
>     https://www.cve.org/CVERecord?id=CVE-2026-52761
>
> https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>

Reply via email to