Your message dated Mon, 19 Jan 2026 20:42:09 +0000
with message-id <[email protected]>
and subject line Bug#1125084: fixed in modsecurity-crs 3.3.8-1
has caused the Debian Bug report #1125084,
regarding modsecurity-crs: CVE-2026-21876
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: modsecurity-crs
Version: 3.3.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for modsecurity-crs.

CVE-2026-21876[0]:
| The OWASP core rule set (CRS) is a set of generic attack detection
| rules for use with compatible web application firewalls. Prior to
| versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when
| processing multipart requests with multiple parts. When the first
| rule in a chain iterates over a collection (like
| `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`)
| get overwritten with each iteration. Only the last captured value is
| available to the chained rule, which means malicious charsets in
| earlier parts can be missed if a later part has a legitimate
| charset. Versions 4.22.0 and 3.3.8 patch the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21876
    https://www.cve.org/CVERecord?id=CVE-2026-21876
[1] https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
[2] https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
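
A Python model of the evaluation order described in the CVE text above. This is an added example, not part of the bug report and not CRS or ModSecurity code. The allow-list, the regex and the sample headers are constructed assumptions, and `per_part_check` models the intended outcome, not the upstream patch.

```python
import re

# Assumption: illustrative allow-list; the real one is set in the rule set's configuration.
ALLOWED = {"utf-8", "iso-8859-1"}
CHARSET_RE = re.compile(r'charset\s*=\s*"?([^\s;"]+)', re.IGNORECASE)

# Constructed stand-in for the MULTIPART_PART_HEADERS collection of one request:
# the first part declares a charset outside the allow-list, the last a permitted one.
PART_HEADERS = [
    "Content-Type: text/plain; charset=x-not-allowed",
    "Content-Type: text/plain; charset=utf-8",
]

def buggy_chain(headers):
    """First rule walks every header and captures into TX:1; the chained
    rule runs once afterwards and sees only the last capture."""
    tx = {}
    matched = False
    for header in headers:
        m = CHARSET_RE.search(header)
        if m:
            matched = True
            tx["1"] = m.group(1).lower()  # overwritten on each iteration
    if not matched:
        return []
    return [tx["1"]] if tx["1"] not in ALLOWED else []

def per_part_check(headers):
    """Evaluate every captured charset, so no earlier part is skipped."""
    found = []
    for header in headers:
        m = CHARSET_RE.search(header)
        if m and m.group(1).lower() not in ALLOWED:
            found.append(m.group(1).lower())
    return found

if __name__ == "__main__":
    print("chained (last capture only):", buggy_chain(PART_HEADERS))
    print("per-part evaluation:        ", per_part_check(PART_HEADERS))
```

The same two functions can serve as a regression check after upgrading: the result must not depend on the order of the parts.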
--- Begin Message ---
Source: modsecurity-crs
Source-Version: 3.3.8-1
Done: Ervin Hegedus <[email protected]>

We believe that the bug you reported is fixed in the latest version of
modsecurity-crs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ervin Hegedus <[email protected]> (supplier of updated modsecurity-crs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 Jan 2026 10:34:26 +0100
Source: modsecurity-crs
Architecture: source
Version: 3.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Ervin Hegedus <[email protected]>
Changed-By: Ervin Hegedus <[email protected]>
Closes: 1125084
Changes:
 modsecurity-crs (3.3.8-1) unstable; urgency=medium
 .
   * New upstream version 3.3.8
     Fixes CVE-2026-21876 (Closes: #1125084)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
