subject:"Bug#992863\: buster\-pu\: package modsecurity\-crs\/3.1.0\-1"

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

2021-09-19 Thread Adam D. Barratt

Control: tags -1 + confirmed

On Tue, 2021-08-24 at 13:57 +0200, Alberto Gonzalez Iniesta wrote:
> This [1] security bug was found in modsecurity-crs.
> As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
> does not seem necessary (security team on Cc:) so I'm targeting
> buster
> proposed updates instead.
> 

Please go ahead.

Regards,

Adam

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

2021-08-24 Thread Alberto Gonzalez Iniesta

Hi Salvatore!!

On Tue, Aug 24, 2021 at 03:17:36PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
> 
> On Tue, Aug 24, 2021 at 01:57:26PM +0200, Alberto Gonzalez Iniesta wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Hi,
> > 
> > This [1] security bug was found in modsecurity-crs.
> > As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
> > does not seem necessary (security team on Cc:) so I'm targeting buster
> > proposed updates instead.
> > 
> > Here's the debdiff. Hope it's all OK.
> > 
> > I'll wait for your instructions before uploading.
> 
> Correct, we marked the CVE as no-dsa for both buster an bullseye. I
> would suggest to first fix this in unstable, which is sort of
> aprerequisite to get the fix in stable and oldstable via the point
> releases.

Yes, updated package got in unstable today.

> Do you have an update as well pending for bullseye?

Yes, I'll open a new PU request for it too.

Thanks,

Alberto


-- 
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
mailto/sip: a...@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

2021-08-24 Thread Alberto Gonzalez Iniesta

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This [1] security bug was found in modsecurity-crs.
As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
does not seem necessary (security team on Cc:) so I'm targeting buster
proposed updates instead.

Here's the debdiff. Hope it's all OK.

I'll wait for your instructions before uploading.

Cheers,

Alberto


[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000


-- 
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
mailto/sip: a...@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.1.0/debian/changelog 
modsecurity-crs-3.1.0/debian/changelog
--- modsecurity-crs-3.1.0/debian/changelog  2019-11-03 14:34:05.0 
+0100
+++ modsecurity-crs-3.1.0/debian/changelog  2021-08-24 12:37:59.0 
+0200
@@ -1,3 +1,10 @@
+modsecurity-crs (3.1.0-1+deb10u2) buster; urgency=medium
+
+  * Add upstream patch to fix request body bypass
+CVE-2021-35368 (Closes: #992000)
+
+ -- Alberto Gonzalez Iniesta   Tue, 24 Aug 2021 12:37:59 
+0200
+
 modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium
 
   * Add upstream patch to fix php script upload rules.
diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 
modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch
--- modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch   1970-01-01 
01:00:00.0 +0100
+++ modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch   2021-08-24 
12:32:08.0 +0200
@@ -0,0 +1,130 @@
+From d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812 Mon Sep 17 00:00:00 2001
+From: Walter Hop 
+Date: Wed, 30 Jun 2021 12:56:51 +0200
+Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian 
Folini)
+
+---
+diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf 
b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+index 1f511c38..c9bb8693 100644
+--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
 b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+@@ -64,6 +64,14 @@
+ 
+ SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+ "id:9001000,\
++phase:1,\
++pass,\
++t:none,\
++nolog,\
++skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
++
++SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
++"id:9001001,\
+ phase:2,\
+ pass,\
+ t:none,\
+@@ -254,52 +262,58 @@
+ #
+ # Extensive checks make sure these uploads are really legitimate.
+ #
+-SecRule REQUEST_METHOD "@streq POST" \
+-"id:9001180,\
+-phase:1,\
+-pass,\
+-t:none,\
+-nolog,\
+-noauditlog,\
+-chain"
+-SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+-"chain"
+-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+-"ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-"id:9001182,\
+-phase:1,\
+-pass,\
+-t:none,\
+-nolog,\
+-noauditlog,\
+-chain"
+-SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+-"chain"
+-SecRule ARGS:destination "@streq admin/content/assets" \
+-"chain"
+-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-"chain"
+-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
+-"ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-"id:9001184,\
+-phase:1,\
+-pass,\
+-t:none,\
+-nolog,\
+-noauditlog,\
+-chain"
+-SecRule REQUEST_FILENAME "@rx 
/file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+-"chain"
+-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-"chain"
+-SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" 
\
+-"chain"
+-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx 
^[a-zA-Z0-9_-]+" \
+-"ctl:requestBodyAccess=Off"
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#"id:9001180,\
++#phase:1,\
++#pass,\
++#t:none,\
++#nolog,\
++#noauditlog,\
++#chain"
++#SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
++#"chain"
++#SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++#"ctl:requestBodyAccess=Off"
++
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#"id:9001182,\
++#phase:1,\
++#pass,\
++#t:none,\
++#nolog,\
++#noauditlog,\
++#chain"
++#SecRule

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

2021-08-24 Thread Salvatore Bonaccorso

Hi

On Tue, Aug 24, 2021 at 03:17:40PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
> 
> On Tue, Aug 24, 2021 at 01:57:26PM +0200, Alberto Gonzalez Iniesta wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Hi,
> > 
> > This [1] security bug was found in modsecurity-crs.
> > As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
> > does not seem necessary (security team on Cc:) so I'm targeting buster
> > proposed updates instead.
> > 
> > Here's the debdiff. Hope it's all OK.
> > 
> > I'll wait for your instructions before uploading.
> 
> Correct, we marked the CVE as no-dsa for both buster an bullseye. I
> would suggest to first fix this in unstable, which is sort of
> aprerequisite to get the fix in stable and oldstable via the point
> releases.
> 
> Do you have an update as well pending for bullseye?

This should have gone as well to the actual bug, #992863.

Apologies for the doubled message now.

Regards,
Salvatore

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1

4 matches

Site Navigation

Mail list logo

Footer information