On Mon, 2022-09-19 at 19:25 +0200, Alberto Gonzalez Iniesta wrote:
> modsecurity-crs has been released today [1]. It fixes a security issue,
> here is the announcement:
> --------
> CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME header fields
> abuse
> [...]
> Important: The mitigation against these vulnerabilities depends on the
> installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated
> version with backports of the security fixes in these versions.
> If you fail to update ModSecurity, the webserver / engine will refuse to start
> with the following error message: "Error creating rule: Unknown variable:
> MULTIPART_PART_HEADERS".
> [...]
> As you may see in [1] a newer modsecurity is needed in order to apply
> this fix. We, modsecurity packaging team, are preparing a patched
> version of both modsecurity-apache (this bug report) and libmodsecurity3
> (coming up). After that we'll upload the updated modsecurity-crs.
>
Apologies for the delay in getting back to you.

It's not entirely clear to me from the above, but what happens if this modsecurity-apache update gets into a point release but the libmodsecurity3 update does not? You mention the latter as "coming up" above, but I can't see a request for it.

Regards,

Adam

