[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

** Changed in: modsecurity-apache (Ubuntu Precise)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1169030

Title:
  CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache-mod-security/+bug/1169030/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
** Changed in: modsecurity-apache (Ubuntu Quantal)
       Status: Confirmed => Won't Fix
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
I guess this has gone off the radar, having been fixed in Saucy - so here's a reminder: this vulnerability is still present in Precise, the current LTS release. As that release would most often be used on servers where this vulnerability is relevant, may I kindly ask that some attention is paid to this bug.
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Thanks for taking the time to report this bug and helping to make Ubuntu better.

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: libapache-mod-security (Ubuntu)
       Status: Invalid => Incomplete

** Changed in: modsecurity-apache (Ubuntu)
       Status: Fix Released => Incomplete

** Changed in: libapache-mod-security (Ubuntu Saucy)
       Status: Incomplete => Invalid

** Changed in: modsecurity-apache (Ubuntu Saucy)
       Status: Incomplete => Fix Released
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
This was fixed for Raring and Saucy with https://launchpad.net/ubuntu/+source/modsecurity-apache/2.6.6-6

** Changed in: modsecurity-apache (Ubuntu Raring)
       Status: Confirmed => Fix Released

** Changed in: modsecurity-apache (Ubuntu Saucy)
       Status: Confirmed => Fix Released
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
** Also affects: libapache-mod-security (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: modsecurity-apache (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: libapache-mod-security (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Also affects: modsecurity-apache (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Also affects: libapache-mod-security (Ubuntu Raring)
   Importance: Undecided
       Status: New

** Also affects: modsecurity-apache (Ubuntu Raring)
   Importance: Undecided
       Status: New

** Also affects: libapache-mod-security (Ubuntu Saucy)
   Importance: Undecided
       Status: Fix Released

** Also affects: modsecurity-apache (Ubuntu Saucy)
   Importance: Undecided
       Status: Triaged

** Changed in: modsecurity-apache (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: modsecurity-apache (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: modsecurity-apache (Ubuntu Quantal)
   Importance: Undecided => Medium

** Changed in: modsecurity-apache (Ubuntu Quantal)
       Status: New => Confirmed

** Changed in: modsecurity-apache (Ubuntu Raring)
   Importance: Undecided => Medium

** Changed in: modsecurity-apache (Ubuntu Raring)
       Status: New => Confirmed

** Changed in: modsecurity-apache (Ubuntu Saucy)
   Importance: Undecided => Medium

** Changed in: modsecurity-apache (Ubuntu Saucy)
       Status: Triaged => Confirmed

** Changed in: libapache-mod-security (Ubuntu Precise)
       Status: New => Invalid

** Changed in: libapache-mod-security (Ubuntu Quantal)
       Status: New => Invalid

** Also affects: libapache-mod-security (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: modsecurity-apache (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Changed in: libapache-mod-security (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: libapache-mod-security (Ubuntu Lucid)
       Status: New => Fix Released

** Changed in: libapache-mod-security (Ubuntu Raring)
       Status: New => Invalid

** Changed in: libapache-mod-security (Ubuntu Saucy)
       Status: Fix Released => Invalid

** Changed in: modsecurity-apache (Ubuntu Lucid)
       Status: New => Invalid
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
** Branch linked: lp:~ubuntu-branches/ubuntu/lucid/libapache-mod-security/lucid-security
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
This bug was fixed in the package libapache-mod-security - 2.5.11-1ubuntu0.1

---------------
libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: bypass multipart filtering using invalid quoting
    (LP: #1016909)
    - debian/patches/CVE-2012-2751: Fix detection of invalid quotes. Thanks
      to Alberto Gonzalez Iniesta for the backported patch
    - Patch taken from Oneiric package
    - CVE-2012-2751
  * SECURITY UPDATE: disclosure of local files or denial of service by
    resource exhaustion via XML External Entity (XEE) attacks (LP: #1169030)
    - debian/patches/CVE-2013-1915.patch: Add an option to allow loading
      external entities (disabled by default). Backported from upstream
      patch
    - d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
    - CVE-2013-1915
 -- Evan Broder <e...@stripe.com>  Tue, 16 Apr 2013 09:05:37 -0700

** Changed in: libapache-mod-security (Ubuntu)
       Status: Triaged => Fix Released
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Hi,

Thanks for the debdiff. If you're going to fix that CVE in Lucid, could you also fix the two others that are currently open at the same time? See:

http://people.canonical.com/~ubuntu-security/cve/pkg/libapache-mod-security.html

Thanks!

I'm unsubscribing ubuntu-security-sponsors now, please re-subscribe the group once you've attached an updated debdiff.
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
I did look at those - the patch for CVE-2009-5031 seems to have been applied already. The link to the patch for CVE-2012-2751 (http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=log&sortdir=down&revision=1918) appears to be dead, so I haven't been able to tell whether that patch has been applied or not.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-5031

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2751
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Here's an updated link for CVE-2012-2751:

https://github.com/SpiderLabs/ModSecurity/commit/d3ad05e9c9ef9db05d683730719cb7ca63309389

Thanks.
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
You can also get a more complete patch for CVE-2012-2751 in the libapache-mod-security package that's currently in oneiric.
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
FYI, the patch in oneiric also contains this commit:

https://github.com/SpiderLabs/ModSecurity/commit/988e78e9ab6c42d2dba8ce5b310e11282566daff
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Ok, here's a patch with the fix for CVE-2012-2751 rolled in. I kind of made up the DEP-3 fields, but I think they'll at least satisfy their purpose.

I've tested that the resulting packages with this patch work at at least a basic level, but I still don't have POCs to test with or anything.

** Patch added: "libapache-mod-security_2.5.11-1ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1169030/+attachment/3645690/+files/libapache-mod-security_2.5.11-1ubuntu0.1.debdiff
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
As discussed on irc, the package has no patch system, so they're not being applied at build time. Could you please submit a new debdiff with the patches applied inline? Thanks.

Also, the CVE-2013-1915 patch causes the package to FTBFS, so it's going to need some fixing.

Thanks!

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1915
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Bleh, looks to have been a stupid copy/paste error (missing / for the start of a /* comment). Builds for me now, and still seems to install/work at a basic level.

** Patch added: "libapache-mod-security_2.5.11-1ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1169030/+attachment/3645778/+files/libapache-mod-security_2.5.11-1ubuntu0.1.debdiff
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
** Tags added: patch
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
And that, of course, is based off of completely the wrong version. I'm not even sure where I got that from. Here's a patch that's actually for the Lucid packaging. (Testing still forthcoming)

** Also affects: libapache-mod-security (Ubuntu)
   Importance: Undecided
       Status: New

** Patch added: "libapache-mod-security_2.5.11-1ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libapache-mod-security/+bug/1169030/+attachment/3644987/+files/libapache-mod-security_2.5.11-1ubuntu0.1.debdiff

** Changed in: libapache-mod-security (Ubuntu)
       Status: New => In Progress

** Changed in: modsecurity-apache (Ubuntu)
       Status: In Progress => Triaged

** Changed in: modsecurity-apache (Ubuntu)
     Assignee: Evan Broder (broder) => (unassigned)

** Changed in: libapache-mod-security (Ubuntu)
     Assignee: (unassigned) => Evan Broder (broder)
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Ok, I've installed this on one of my Lucid servers, and it still seems to work at at least a basic level.
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
By the way, feel free to ping me (broder) in #ubuntu-hardened if I can do anything to improve the debdiff.

** Changed in: libapache-mod-security (Ubuntu)
       Status: In Progress => Triaged

** Changed in: libapache-mod-security (Ubuntu)
     Assignee: Evan Broder (broder) => (unassigned)
[Bug 1169030] Re: CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack
Here's a patch which I believe to be a correct backport of the upstream patch to Lucid (it didn't apply cleanly due to other additions to modsecurity since Lucid's release). I've verified that it builds but not yet done any testing - I'll be doing so shortly.

** Patch added: "modsecurity-apache_2.6.6-5ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1169030/+attachment/3644365/+files/modsecurity-apache_2.6.6-5ubuntu0.1.debdiff