Bug#992956: marked as done (bullseye-pu: package modsecurity-crs/3.3.0-1)

Debian Bug Tracking System Sat, 09 Oct 2021 04:14:05 -0700

Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id 
<81741a2f4e370c14a3bec08b7fe6e2b10c32267b.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #992956,
regarding bullseye-pu: package modsecurity-crs/3.3.0-1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992956
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu

Hi, (again, see #992863)

This [1] security bug was found in modsecurity-crs.
As stated in #992863 by the security team, a DSA won't be issued
(security team on Cc:) so I'm targeting bullseye proposed updates
instead.

Here's the debdiff. Hope it's all OK.

I'll wait for your instructions before uploading.

Cheers,

Alberto


[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: [email protected] | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

diff -Nru modsecurity-crs-3.3.0/debian/changelog 
modsecurity-crs-3.3.0/debian/changelog
--- modsecurity-crs-3.3.0/debian/changelog      2020-08-16 20:24:09.000000000 
+0200
+++ modsecurity-crs-3.3.0/debian/changelog      2021-08-24 17:40:57.000000000 
+0200
@@ -1,3 +1,10 @@
+modsecurity-crs (3.3.0-1+deb11u1) bullseye; urgency=medium
+
+  * Add upstream patch to fix request body bypass
+    CVE-2021-35368 (Closes: #992000)
+
+ -- Alberto Gonzalez Iniesta <[email protected]>  Tue, 24 Aug 2021 17:40:57 
+0200
+
 modsecurity-crs (3.3.0-1) unstable; urgency=medium
 
   * New upstream version 3.3.0
diff -Nru modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 
modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch
--- modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch   1970-01-01 
01:00:00.000000000 +0100
+++ modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch   2021-08-24 
17:40:57.000000000 +0200
@@ -0,0 +1,136 @@
+From b05cd8569862ee9599edd153a09cbbca2c74600a Mon Sep 17 00:00:00 2001
+From: Walter Hop <[email protected]>
+Date: Wed, 30 Jun 2021 12:37:56 +0200
+Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian 
Folini)
+
+---
+diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf 
b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+index f29ab3e1..2e5ce88f 100644
+--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
++++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+@@ -64,6 +64,15 @@
+ 
+ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+     "id:9001000,\
++    phase:1,\
++    pass,\
++    t:none,\
++    nolog,\
++    ver:'OWASP_CRS/3.3.0',\
++    skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
++
++SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
++    "id:9001001,\
+     phase:2,\
+     pass,\
+     t:none,\
+@@ -267,55 +276,60 @@ SecRule REQUEST_FILENAME "@endsWith 
/admin/config/content/formats/manage/full_ht
+ #
+ # Extensive checks make sure these uploads are really legitimate.
+ #
+-SecRule REQUEST_METHOD "@streq POST" \
+-    "id:9001180,\
+-    phase:1,\
+-    pass,\
+-    t:none,\
+-    nolog,\
+-    noauditlog,\
+-    ver:'OWASP_CRS/3.3.0',\
+-    chain"
+-    SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+-        "chain"
+-        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+-            "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-    "id:9001182,\
+-    phase:1,\
+-    pass,\
+-    t:none,\
+-    nolog,\
+-    noauditlog,\
+-    ver:'OWASP_CRS/3.3.0',\
+-    chain"
+-    SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+-        "chain"
+-        SecRule ARGS:destination "@streq admin/content/assets" \
+-            "chain"
+-            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-                "chain"
+-                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
+-                    "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-    "id:9001184,\
+-    phase:1,\
+-    pass,\
+-    t:none,\
+-    nolog,\
+-    noauditlog,\
+-    ver:'OWASP_CRS/3.3.0',\
+-    chain"
+-    SecRule REQUEST_FILENAME "@rx 
/file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+-        "chain"
+-        SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-            "chain"
+-            SecRule REQUEST_HEADERS:Content-Type "@rx 
^(?i)multipart/form-data" \
+-                "chain"
+-                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
+-                    "ctl:requestBodyAccess=Off"
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#    "id:9001180,\
++#    phase:1,\
++#    pass,\ +#    t:none,\
++#    nolog,\
++#    noauditlog,\
++#    ver:'OWASP_CRS/3.3.0',\
++#    chain"
++#    SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
++#        "chain"
++#        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++#            "ctl:requestBodyAccess=Off"
++
++# Rule 9001182 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#    "id:9001182,\
++#    phase:1,\
++#    pass,\
++#    t:none,\
++#    nolog,\
++#    noauditlog,\
++#    ver:'OWASP_CRS/3.3.0',\
++#    chain"
++#    SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
++#        "chain"
++#        SecRule ARGS:destination "@streq admin/content/assets" \
++#            "chain"
++#            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++#                "chain"
++#                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
++#                    "ctl:requestBodyAccess=Off"
++
++# Rule 9001184 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#    "id:9001184,\
++#    phase:1,\
++#    pass,\
++#    t:none,\
++#    nolog,\
++#    noauditlog,\
++#    ver:'OWASP_CRS/3.3.0',\
++#    chain"
++#    SecRule REQUEST_FILENAME "@rx 
/file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
++#        "chain"
++#        SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++#            "chain"
++#            SecRule REQUEST_HEADERS:Content-Type "@rx 
^(?i)multipart/form-data" \
++#                "chain"
++#                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
++#                    "ctl:requestBodyAccess=Off"
+ 
+ 
+ #
diff -Nru modsecurity-crs-3.3.0/debian/patches/series 
modsecurity-crs-3.3.0/debian/patches/series
--- modsecurity-crs-3.3.0/debian/patches/series 2020-08-16 20:12:36.000000000 
+0200
+++ modsecurity-crs-3.3.0/debian/patches/series 2021-08-24 17:40:57.000000000 
+0200
@@ -1 +1,2 @@
 fix_paths
+CVE-2021-35368.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 11.1

Hi,

The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.

Regards,

Adam

--- End Message ---

Bug#992956: marked as done (bullseye-pu: package modsecurity-crs/3.3.0-1)

Reply via email to