Hi SRM, I'd like to upload an update to the modsecurity-apache package to wheezy. The update fixes CVE-2013-2765, which was not important enough to justify a DSA, but would be nice to have in wheezy ASAP. The fix was uploaded to sid today, with priority=high.
I'm also preparing an update for Squeeze. Please let me know how should I proceed. Thanks, Alberto -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred | http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-apache-2.6.6/debian/changelog modsecurity-apache-2.6.6/debian/changelog --- modsecurity-apache-2.6.6/debian/changelog 2013-04-06 16:00:51.000000000 +0000 +++ modsecurity-apache-2.6.6/debian/changelog 2013-06-04 09:43:19.000000000 +0000 @@ -1,3 +1,10 @@ +modsecurity-apache (2.6.6-6+deb7u1) wheezy; urgency=low + + * Applied upstream patch to fix NULL pointer dereference. + CVE-2013-2765. (Closes: #710217) + + -- Alberto Gonzalez Iniesta <[email protected]> Wed, 29 May 2013 09:40:00 +0000 + modsecurity-apache (2.6.6-6) unstable; urgency=high * Applied upstream patch to fix XXE attacks. CVE-2013-1915 diff -Nru modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch --- modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch 2013-05-29 09:44:33.000000000 +0000 @@ -0,0 +1,12 @@ +Index: modsecurity-apache-2.6.6/apache2/msc_reqbody.c +=================================================================== +--- modsecurity-apache-2.6.6.orig/apache2/msc_reqbody.c 2012-06-14 13:39:00.000000000 +0000 ++++ modsecurity-apache-2.6.6/apache2/msc_reqbody.c 2013-05-29 09:44:28.886388876 +0000 +@@ -170,6 +170,7 @@ + + /* Would storing this chunk mean going over the limit? */ + if ((msr->msc_reqbody_spilltodisk) ++ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON) + && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit)) + { + msc_data_chunk **chunks; diff -Nru modsecurity-apache-2.6.6/debian/patches/series modsecurity-apache-2.6.6/debian/patches/series --- modsecurity-apache-2.6.6/debian/patches/series 2013-04-06 09:08:52.000000000 +0000 +++ modsecurity-apache-2.6.6/debian/patches/series 2013-05-29 09:43:07.000000000 +0000 @@ -1,3 +1,4 @@ CVE-2013-1915.patch debian_log_dir.patch CVE-2012-4528.patch +CVE-2013-2765.patch
