Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1

2021-09-07 Thread Jonathan Wiltshire
On Mon, Sep 06, 2021 at 11:40:08AM +0200, Alberto Gonzalez Iniesta wrote:
> On Sat, Sep 04, 2021 at 03:17:25PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2021-08-25 at 16:55 +0200, Alberto Gonzalez Iniesta wrote:
> > > This [1] security bug was found in modsecurity-crs.
> > > As stated in #992863 by the security team, a DSA won't be issued
> > > (security team on Cc:) so I'm targeting bullseye proposed updates
> > > instead.
> > > 
> > 
> > From reading #992863 and checking the Security Tracker, it appears that
> > the issue is already fixed in unstable. However, that fact is not
> > reflected in the BTS. Assuming that I haven't missed anything, please
> > add an appropriate fixed version to #992863 and go ahead.
> > 
> 
> Oops, sorry, I messed up the original bug number in my upload to unstable,
> as Salvatore found out.
> 
> May I upload the packages for stable (#992956) and oldstable (#992863)?
> Only for stable and wait for an answer to #992863?

Just stable for now please; oldstable will be answered on the other
request when someone reaches it.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1

2021-09-06 Thread Alberto Gonzalez Iniesta
On Sat, Sep 04, 2021 at 03:17:25PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2021-08-25 at 16:55 +0200, Alberto Gonzalez Iniesta wrote:
> > This [1] security bug was found in modsecurity-crs.
> > As stated in #992863 by the security team, a DSA won't be issued
> > (security team on Cc:) so I'm targeting bullseye proposed updates
> > instead.
> > 
> 
> From reading #992863 and checking the Security Tracker, it appears that
> the issue is already fixed in unstable. However, that fact is not
> reflected in the BTS. Assuming that I haven't missed anything, please
> add an appropriate fixed version to #992863 and go ahead.
> 

Oops, sorry, I messed up the original bug number in my upload to unstable,
as Salvatore found out.

May I upload the packages for stable (#992956) and oldstable (#992863)?
Only for stable and wait for an answer to #992863?

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta | Training, consultancy and technical support
mailto/sip: a...@inittab.org | on GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55



Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1

2021-09-05 Thread Salvatore Bonaccorso
Hi Adam,

On Sat, Sep 04, 2021 at 03:17:25PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2021-08-25 at 16:55 +0200, Alberto Gonzalez Iniesta wrote:
> > This [1] security bug was found in modsecurity-crs.
> > As stated in #992863 by the security team, a DSA won't be issued
> > (security team on Cc:) so I'm targeting bullseye proposed updates
> > instead.
> > 
> 
> From reading #992863 and checking the Security Tracker, it appears that
> the issue is already fixed in unstable. However, that fact is not
> reflected in the BTS. Assuming that I haven't missed anything, please
> add an appropriate fixed version to #992863 and go ahead.

It looks like
https://tracker.debian.org/news/1251194/accepted-modsecurity-crs-332-1-source-into-unstable/
contained a typo in the bug number, so the bug did not get closed automatically;
I am sending a BTS command accordingly.

Regards,
Salvatore



Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1

2021-09-04 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2021-08-25 at 16:55 +0200, Alberto Gonzalez Iniesta wrote:
> This [1] security bug was found in modsecurity-crs.
> As stated in #992863 by the security team, a DSA won't be issued
> (security team on Cc:) so I'm targeting bullseye proposed updates
> instead.
> 

From reading #992863 and checking the Security Tracker, it appears that
the issue is already fixed in unstable. However, that fact is not
reflected in the BTS. Assuming that I haven't missed anything, please
add an appropriate fixed version to #992863 and go ahead.

Regards,

Adam



Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1

2021-08-25 Thread Alberto Gonzalez Iniesta
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi, (again, see #992863)

This [1] security bug was found in modsecurity-crs.
As stated in #992863 by the security team, a DSA won't be issued
(security team on Cc:) so I'm targeting bullseye proposed updates
instead.

Here's the debdiff. Hope it's all OK.

I'll wait for your instructions before uploading.

Cheers,

Alberto


[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
-- 
Alberto Gonzalez Iniesta | Training, consultancy and technical support
mailto/sip: a...@inittab.org | on GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.3.0/debian/changelog 
modsecurity-crs-3.3.0/debian/changelog
--- modsecurity-crs-3.3.0/debian/changelog  2020-08-16 20:24:09.0 
+0200
+++ modsecurity-crs-3.3.0/debian/changelog  2021-08-24 17:40:57.0 
+0200
@@ -1,3 +1,10 @@
+modsecurity-crs (3.3.0-1+deb11u1) bullseye; urgency=medium
+
+  * Add upstream patch to fix request body bypass
+CVE-2021-35368 (Closes: #992000)
+
+ -- Alberto Gonzalez Iniesta   Tue, 24 Aug 2021 17:40:57 
+0200
+
 modsecurity-crs (3.3.0-1) unstable; urgency=medium
 
   * New upstream version 3.3.0
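Review bot: `Closes: #992000` in the new entry deserves a second look before upload, since the thread says the unstable upload closed the wrong bug number; here it does match the bugs.debian.org link given in the report body, the CVE id matches the patch file name `debian/patches/CVE-2021-35368.patch`, and the version `3.3.0-1+deb11u1` with distribution `bullseye` is the expected form for a stable update. A small documentation point: the entry says only "fix request body bypass"; naming the rules the patch comments out (9001180, 9001182, 9001184) would help administrators who rely on those Drupal upload exclusions and will see them disappear from the active rule set.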
diff -Nru modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 
modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch
--- modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch   1970-01-01 
01:00:00.0 +0100
+++ modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch   2021-08-24 
17:40:57.0 +0200
@@ -0,0 +1,136 @@
+From b05cd8569862ee9599edd153a09cbbca2c74600a Mon Sep 17 00:00:00 2001
+From: Walter Hop 
+Date: Wed, 30 Jun 2021 12:37:56 +0200
+Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian 
Folini)
+
+---
+diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf 
b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+index f29ab3e1..2e5ce88f 100644
+--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
 b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+@@ -64,6 +64,15 @@
+ 
+ SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+ "id:9001000,\
++phase:1,\
++pass,\
++t:none,\
++nolog,\
++ver:'OWASP_CRS/3.3.0',\
++skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
++
++SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
++"id:9001001,\
+ phase:2,\
+ pass,\
+ t:none,\
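Review bot: the skip logic fix is the phase change on rule 9001000 (`++phase:1,\` through `++skipAfter:END-DRUPAL-RULE-EXCLUSIONS"`) plus the new rule 9001001 that keeps the phase:2 skip: the pre-existing rule ran only in phase:2, so a phase:2 `skipAfter` could never cover the phase:1 rules later in this file, such as the `ctl:requestBodyAccess=Off` chains in the next hunk, and those were evaluated even when `TX:crs_exclusions_drupal` was 0 and the Drupal exclusions were meant to be off. Splitting into one rule per phase under two ids is the right shape. Two things to confirm in the patch file on disk rather than in this rendering: the variable list on both rules appears here as `:crs_exclusions_drupal|TX:crs_exclusions_drupal` with nothing before the first colon, which looks like the `&TX:` count-operator prefix lost to entity stripping in the archive (if the file really lacks it, ModSecurity will reject the rule at load time), and the `+++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf` file header shows up here without its leading `+++`.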
+@@ -267,55 +276,60 @@ SecRule REQUEST_FILENAME "@endsWith 
/admin/config/content/formats/manage/full_ht
+ #
+ # Extensive checks make sure these uploads are really legitimate.
+ #
+-SecRule REQUEST_METHOD "@streq POST" \
+-"id:9001180,\
+-phase:1,\
+-pass,\
+-t:none,\
+-nolog,\
+-noauditlog,\
+-ver:'OWASP_CRS/3.3.0',\
+-chain"
+-SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+-"chain"
+-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+-"ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-"id:9001182,\
+-phase:1,\
+-pass,\
+-t:none,\
+-nolog,\
+-noauditlog,\
+-ver:'OWASP_CRS/3.3.0',\
+-chain"
+-SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+-"chain"
+-SecRule ARGS:destination "@streq admin/content/assets" \
+-"chain"
+-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-"chain"
+-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
+-"ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-"id:9001184,\
+-phase:1,\
+-pass,\
+-t:none,\
+-nolog,\
+-noauditlog,\
+-ver:'OWASP_CRS/3.3.0',\
+-chain"
+-SecRule REQUEST_FILENAME "@rx 
/file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+-"chain"
+-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-"chain"
+-SecRule REQUEST_HEADERS:Content-Type "@rx 
^(?i)multipart/form-data" \
+-"chain"
+-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
+-"ctl:requestBodyAccess=Off"
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#"id:9001180,\
++#phase:1,\
++#pass,\ +#t:none,\
++#nolog,\
++#noauditlog,\
++#ver:'OWASP_CRS/3.3.0',\
++#chain"
++#SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
++#"chain"
++#SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++#"ctl:requestBodyAccess=Off"
++
++# Rule 9001182 was commented out in 2021 in order to fight
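Review bot: the page cuts off after the comment header for rule 9001182, so the rest of this hunk (the commented-out 9001182 and 9001184 blocks and the trailing context) cannot be reviewed here; what is visible is sound: the three phase:1 chains that ended in `ctl:requestBodyAccess=Off` for the Drupal asset-upload paths are turned into comments rather than deleted, with a header naming the CVE, which keeps the rule ids documented for anyone diffing against upstream 3.3.0. One line to verify against the file on disk: `+#pass,\ +#t:none,\` appears as a single line in this rendering, which would leave a stray `+#t:none,\` token on the `pass` line if the patch file really reads that way (mail wrapping is the more likely explanation); a `quilt push -a` on the unpacked source, or a `dpkg-source -b`, settles it.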