
Uploading modsecurity before next point release



Hi SRM,

I'd like to upload an update to the modsecurity-apache package to
wheezy. The update fixes CVE-2013-2765, which was not important enough
to justify a DSA, but would be nice to have in wheezy ASAP.
The fix was uploaded to sid today, with priority=high.

I'm also preparing an update for Squeeze.

Please let me know how I should proceed.


Thanks,

Alberto


-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-apache-2.6.6/debian/changelog modsecurity-apache-2.6.6/debian/changelog
--- modsecurity-apache-2.6.6/debian/changelog	2013-04-06 16:00:51.000000000 +0000
+++ modsecurity-apache-2.6.6/debian/changelog	2013-06-04 09:43:19.000000000 +0000
@@ -1,3 +1,10 @@
+modsecurity-apache (2.6.6-6+deb7u1) wheezy; urgency=low
+
+  * Applied upstream patch to fix NULL pointer dereference.
+    CVE-2013-2765. (Closes: #710217)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 May 2013 09:40:00 +0000
+
 modsecurity-apache (2.6.6-6) unstable; urgency=high
 
   * Applied upstream patch to fix XXE attacks. CVE-2013-1915
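Review bot: the new changelog entry describes the fix only as a NULL pointer dereference, but the accompanying patch also changes request-body handling: chunks are no longer spilled to disk when reqbody_buffering is REQUEST_BODY_FORCEBUF_ON, so reqbody_inmemory_limit no longer caps memory use for such requests. For a stable update that behavioural change should be spelled out for administrators, e.g. a second bullet like "Request bodies are kept in memory when forced buffering is enabled, regardless of the in-memory limit." It would also help to name the upstream commit or version the patch was taken from.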
diff -Nru modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch
--- modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch	1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-apache-2.6.6/debian/patches/CVE-2013-2765.patch	2013-05-29 09:44:33.000000000 +0000
@@ -0,0 +1,12 @@
+Index: modsecurity-apache-2.6.6/apache2/msc_reqbody.c
+===================================================================
+--- modsecurity-apache-2.6.6.orig/apache2/msc_reqbody.c	2012-06-14 13:39:00.000000000 +0000
++++ modsecurity-apache-2.6.6/apache2/msc_reqbody.c	2013-05-29 09:44:28.886388876 +0000
+@@ -170,6 +170,7 @@
+ 
+     /* Would storing this chunk mean going over the limit? */
+     if ((msr->msc_reqbody_spilltodisk)
++        && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
+         && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
+     {
+         msc_data_chunk **chunks;
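Review bot: the patch file has no DEP-3 header (Description, Origin, Bug, Bug-Debian) above the Index: line, so nobody reading debian/patches later can tell which upstream change this backports or that it addresses CVE-2013-2765 / #710217; please add those lines. On the condition itself: the added clause makes the spill-to-disk branch unreachable whenever reqbody_buffering == REQUEST_BODY_FORCEBUF_ON, which is the intended fix, but it also means msc_reqbody_length can grow past reqbody_inmemory_limit for those requests, bounded only by whatever overall request-body limit applies elsewhere. A short comment on the new line, e.g. "/* forced buffering keeps the whole body in memory; never spill */", would record that intent next to the code rather than only in the changelog.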
diff -Nru modsecurity-apache-2.6.6/debian/patches/series modsecurity-apache-2.6.6/debian/patches/series
--- modsecurity-apache-2.6.6/debian/patches/series	2013-04-06 09:08:52.000000000 +0000
+++ modsecurity-apache-2.6.6/debian/patches/series	2013-05-29 09:43:07.000000000 +0000
@@ -1,3 +1,4 @@
 CVE-2013-1915.patch
 debian_log_dir.patch
 CVE-2012-4528.patch
+CVE-2013-2765.patch
