The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release
** Changed in: modsecurity-apache (Ubuntu Precise)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: modsecurity-apache (Ubuntu Quantal)
Status: Confirmed => Won't Fix
--
https://bugs.launchpad.net/bugs/1169030
Title:
CVE 2013-1915: local files disclosure or resource exhaustion via XML
External Entity attack
I guess this has gone off the radar, having been fixed in Saucy - so
here's a reminder:
This vulnerability is still present in Precise, the current LTS release. As
that release would be most often used in servers where this
vulnerability is relevant, may I kindly ask that some attention is paid
to
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is
This was fixed for Raring and Saucy with
https://launchpad.net/ubuntu/+source/modsecurity-apache/2.6.6-6
** Changed in: modsecurity-apache (Ubuntu Raring)
Status: Confirmed => Fix Released
** Changed in: modsecurity-apache (Ubuntu Saucy)
Status: Confirmed => Fix Released
--
** Also affects: libapache-mod-security (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: modsecurity-apache (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: libapache-mod-security (Ubuntu Quantal)
Importance: Undecided
Status:
** Branch linked: lp:~ubuntu-branches/ubuntu/lucid/libapache-mod-security/lucid-security
--
This bug was fixed in the package libapache-mod-security -
2.5.11-1ubuntu0.1
---
libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low
* SECURITY UPDATE: bypass multipart filtering using invalid quoting
(LP: #1016909)
- debian/patches/CVE-2012-2751: Fix
Hi,
Thanks for the debdiff.
If you're going to fix that CVE in Lucid, could you also fix the two
others that are currently open at the same time?
See:
http://people.canonical.com/~ubuntu-security/cve/pkg/libapache-mod-security.html
Thanks!
I'm unsubscribing ubuntu-security-sponsors now,
I did look at those - the patch for CVE-2009-5031 seems to have been
applied already. The link to the patch for CVE-2012-2751 (http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=log&sortdir=down&revision=1918) appears to
be dead, so I haven't been able to tell whether
Here's an updated link for CVE-2012-2751:
https://github.com/SpiderLabs/ModSecurity/commit/d3ad05e9c9ef9db05d683730719cb7ca63309389
Thanks.
--
You can also get a more complete patch for CVE-2012-2751 in the
libapache-mod-security package that's currently in oneiric.
--
FYI, the patch in oneiric also contains this commit:
https://github.com/SpiderLabs/ModSecurity/commit/988e78e9ab6c42d2dba8ce5b310e11282566daff
--
Ok, here's a patch with the fix for CVE-2012-2751 rolled in. I kind of
made up the DEP-3 fields, but I think they'll at least satisfy their
purpose.
I've tested that the resulting packages with this patch work at at least
a basic level, but I still don't have POCs to test with or anything.
**
As discussed on irc, the package has no patch system, so they're not
being applied at build time. Could you please submit a new debdiff with
the patches applied inline? Thanks.
Also, the CVE-2013-1915 patch causes the package to FTBFS, so it's going
to need some fixing.
Thanks!
** CVE added:
Bleh, looks to have been a stupid copy/paste error (missing / for the
start of a /* comment). Builds for me now, and still seems to
install/work at a basic level.
** Patch added: libapache-mod-security_2.5.11-1ubuntu0.1.debdiff
** Tags added: patch
--
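The bug title names the two outcomes of an XML External Entity attack: reading local files through an entity declared with a SYSTEM identifier, and exhausting resources through nested entity expansion. The following is an added example, not ModSecurity's code and not a patch from this thread: it uses Python's expat bindings to inspect a request body for both patterns without fetching or expanding anything. The sample bodies, the 1024-byte expansion budget and the function names are constructed for the illustration.

```python
"""Flag XML request bodies that declare external entities or expand beyond a budget.

Added example (not ModSecurity code). It never resolves a SYSTEM/PUBLIC
identifier: external references are only recorded, and internal entity sizes
are computed from the declarations themselves.
"""
import re
import xml.parsers.expat

# Budget for the fully expanded replacement text of one internal entity
# (assumption chosen for this example, in bytes).
MAX_EXPANDED_ENTITY_BYTES = 1024

# Matches &name; references inside an entity's replacement text.
ENTITY_REF = re.compile(r"&([^;&\s]+);")


def inspect_xml_body(body: bytes, max_expanded: int = MAX_EXPANDED_ENTITY_BYTES) -> list:
    """Return human-readable findings for `body`; an empty list means nothing suspicious."""
    findings = []
    expanded_size = {}  # entity name -> size in bytes of its fully expanded text
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD is itself an external resource the parser would load.
        if system_id or public_id:
            findings.append(f"external DTD for <!DOCTYPE {name}>: {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:
            # External entity: a resolving parser would read system_id
            # (file:///etc/passwd, http://...) and splice it into the document.
            findings.append(f"external entity {name!r} -> {system_id or public_id}")
            return
        # Internal entity: literal text plus the expanded size of every nested
        # reference. Declarations arrive in document order, so nested names are
        # already known; unknown or predefined refs (&amp;) count as one byte.
        size = len(ENTITY_REF.sub("", value))
        for ref in ENTITY_REF.findall(value):
            size += expanded_size.get(ref, 1)
        expanded_size[name] = size
        if size > max_expanded:
            findings.append(f"entity {name!r} expands to {size} bytes (limit {max_expanded})")

    def on_external_ref(context, base, system_id, public_id):
        # Called when content references an external entity. Returning 1 tells
        # expat the reference is handled; no sub-parser is created, so nothing is fetched.
        findings.append(f"external entity referenced in content: {system_id or public_id}")
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def is_suspicious(body: bytes) -> bool:
    """Convenience wrapper: True when any finding was recorded."""
    return bool(inspect_xml_body(body))


# Constructed sample bodies for the demonstration (not taken from the bug thread).
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'

XXE_FILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<r>&xxe;</r>'
)

# Four levels of tenfold nesting: lol3 expands to 3000 bytes from ~330 bytes of input.
BILLION = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    + b'<!ENTITY lol1 "' + b"&lol;" * 10 + b'">'
    + b'<!ENTITY lol2 "' + b"&lol1;" * 10 + b'">'
    + b'<!ENTITY lol3 "' + b"&lol2;" * 10 + b'">'
    + b']><lolz>&lol3;</lolz>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("xxe", XXE_FILE), ("expansion", BILLION)):
        print(label, inspect_xml_body(sample) or "clean")
```

The check runs before any body processor that resolves entities; the same idea, declaration-time inspection rather than post-hoc output limits, is what lets it reject a file-disclosure payload whose target the attacker never needs echoed back.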
And that, of course, is based off of completely the wrong version. I'm
not even sure where I got that from.
Here's a patch that's actually for the Lucid packaging. (Testing still
forthcoming)
** Also affects: libapache-mod-security (Ubuntu)
Importance: Undecided
Status: New
** Patch
Ok, I've installed this on one of my Lucid servers, and it still seems
to work at at least a basic level.
--
By the way, feel free to ping me (broder) in #ubuntu-hardened if I can
do anything to improve the debdiff.
** Changed in: libapache-mod-security (Ubuntu)
Status: In Progress => Triaged
** Changed in: libapache-mod-security (Ubuntu)
Assignee: Evan Broder (broder) => (unassigned)
--
Here's a patch which I believe to be a correct backport of the upstream
patch to Lucid (it didn't apply cleanly due to other additions to
modsecurity since Lucid's release). I've verified that it builds but not
yet done any testing - I'll be doing so shortly.
** Patch added: