libapache-mod-security update in Squeeze



Hi once more, hopefully the last time in a while.

An update for libapache-mod-security in Squeeze is also needed to fix
CVE-2013-2765.
Also attached the corresponding debdiff.

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
diff -Nru libapache-mod-security-2.5.12/debian/changelog libapache-mod-security-2.5.12/debian/changelog
--- libapache-mod-security-2.5.12/debian/changelog	2012-07-02 14:47:51.000000000 +0000
+++ libapache-mod-security-2.5.12/debian/changelog	2013-06-04 10:15:00.000000000 +0000
@@ -1,3 +1,10 @@
+libapache-mod-security (2.5.12-1+squeeze2) squeeze; urgency=low
+
+  * Applied upstream patch to fix NULL pointer dereference.
+    CVE-2013-2765. (Closes: #710217)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 04 Jun 2013 10:14:45 +0000
+
 libapache-mod-security (2.5.12-1+squeeze1) stable-security; urgency=high
 
   * CVE-2012-2751: Fix multi-part bypass due to wrong quoting.
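Review bot: The header of the new changelog entry targets `squeeze` with `urgency=low`, while the previous CVE upload directly below it used `stable-security` with `urgency=high`; please confirm that the different distribution and urgency are intended for this upload and adjust the header if not. The entry text would also be easier to audit if it named the patch file it adds (debian/patches/CVE-2013-2765.patch) rather than only "upstream patch".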
diff -Nru libapache-mod-security-2.5.12/debian/patches/CVE-2013-2765.patch libapache-mod-security-2.5.12/debian/patches/CVE-2013-2765.patch
--- libapache-mod-security-2.5.12/debian/patches/CVE-2013-2765.patch	1970-01-01 00:00:00.000000000 +0000
+++ libapache-mod-security-2.5.12/debian/patches/CVE-2013-2765.patch	2013-06-04 10:16:27.000000000 +0000
@@ -0,0 +1,12 @@
+Index: libapache-mod-security-2.5.12/apache2/msc_reqbody.c
+===================================================================
+--- libapache-mod-security-2.5.12.orig/apache2/msc_reqbody.c	2013-06-04 10:16:16.319901192 +0000
++++ libapache-mod-security-2.5.12/apache2/msc_reqbody.c	2013-06-04 10:16:22.995934300 +0000
+@@ -139,6 +139,7 @@
+ 
+     /* Would storing this chunk mean going over the limit? */
+     if ((msr->msc_reqbody_spilltodisk)
++        && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
+         && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
+     {
+         msc_data_chunk **chunks;
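Review bot: With the added `reqbody_buffering != REQUEST_BODY_FORCEBUF_ON` conjunct, the `reqbody_inmemory_limit` comparison on the next line no longer leads into the spill-to-disk branch when forced buffering is on, and nothing in the visible lines shows what bounds the in-memory body size in that mode; please confirm that another limit still applies there. The patch file also starts directly at `Index:` with no description header, so a few lines stating the upstream origin, CVE-2013-2765 and #710217 would document why the condition changed.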
diff -Nru libapache-mod-security-2.5.12/debian/patches/series libapache-mod-security-2.5.12/debian/patches/series
--- libapache-mod-security-2.5.12/debian/patches/series	2012-07-02 14:44:34.000000000 +0000
+++ libapache-mod-security-2.5.12/debian/patches/series	2013-06-04 10:15:47.000000000 +0000
@@ -1 +1,2 @@
 CVE-2012-2751.patch
+CVE-2013-2765.patch