Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
This [1] security bug was found in modsecurity-crs.
After contacting the security team, they said a DSA was not necessary
and that I should proceed through p-u.
So here's the debdiff. Hope it's all OK.
I'll wait for your instructions before uploading.
Cheers,
Alberto
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog
--- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/changelog 2018-11-27 09:12:54.000000000 +0100
@@ -1,10 +1,3 @@
-modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium
-
- * Add upstream patch to fix php script upload rules.
- CVE-2019-13464 (Closes: #943773)
-
- -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 03 Nov 2019 14:34:05 +0100
-
modsecurity-crs (3.1.0-1) unstable; urgency=medium
* New upstream release.
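Review bot: the direction of this debdiff looks inverted: the new buster entry `modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium` and its `CVE-2019-13464 (Closes: #943773)` line appear as `-` removals, and the `---`/`+++` header timestamps run from 2019-11-03 back to 2018-11-27, which is what you get when the new source is passed to debdiff before the old one. Regenerating with the old source first would show the entry as `+` lines and let the upload be reviewed as the addition it is. It would also help if the changelog line said what the patch actually does (covering the `X.Filename` dot variant of the upload file-name header in rules 933110 and 933111) rather than only "fix php script upload rules", so the nature of the bypass is recorded in the package history.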
diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch
--- modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 2019-11-03 14:30:47.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-From 6090d6b0a90417f1a60aa68a01eb777cef2e1184 Mon Sep 17 00:00:00 2001
-From: "Federico G. Schwindt" <fgsch@lodoss.net>
-Date: Sat, 4 May 2019 11:03:52 +0100
-Subject: [PATCH] Also handle dot variant of X_Filename
-
-PHP will transform dots to underscore in variable names since dot is
-invalid.
----
- rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 +-
- .../933110.yaml | 60 +++++++++++++++++++
- 2 files changed, 62 insertions(+), 2 deletions(-)
-
-Index: modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
-===================================================================
---- modsecurity-crs.orig/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 2019-11-03 14:30:34.410293645 +0100
-+++ modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 2019-11-03 14:30:34.406293506 +0100
-@@ -86,7 +86,7 @@
- # X_Filename, or X-File-Name to transmit the file name to the server;
- # scan these request headers as well as multipart/form-data file names.
- #
--SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
-+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
- "id:933110,\
- phase:2,\
- block,\
-@@ -601,7 +601,7 @@
- #
- # This rule is a stricter sibling of rule 933110.
- #
--SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
-+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
- "id:933111,\
- phase:2,\
- block,\
-Index: modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
-===================================================================
---- modsecurity-crs.orig/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml 2019-11-03 14:30:34.410293645 +0100
-+++ modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml 2019-11-03 14:30:34.406293506 +0100
-@@ -288,3 +288,63 @@
- uri: /
- output:
- no_log_contains: id "933110"
-+ -
-+ test_title: 933110-20
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: a.php
-+ port: 80
-+ uri: /upload2
-+ output:
-+ log_contains: id "933110"
-+ -
-+ test_title: 933110-21
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: fda.php5...
-+ port: 80
-+ uri: /upload6
-+ output:
-+ log_contains: id "933110"
-+ -
-+ test_title: 933110-22
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: fthisfewfda.php.
-+ port: 80
-+ uri: /upload7
-+ output:
-+ log_contains: id "933110"
-+ -
-+ test_title: 933110-23
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: fthi/sfewfda.phtml987...
-+ port: 80
-+ uri: /
-+ output:
-+ no_log_contains: id "933110"
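Review bot: the regression tests added to 933110.yaml only exercise rule 933110, while the patch also changes the stricter sibling 933111 (`REQUEST_HEADERS:X.Filename` is added to both `SecRule` lines); a matching `X.Filename` case in the 933111 test file would confirm the second rule is covered as well. The patch header carries the upstream commit id and `From:`/`Subject:` lines, which DEP-3 accepts, but adding `Bug-Debian: https://bugs.debian.org/943773` and an `Origin: upstream` line would tie it to the CVE and bug report for later audits. As with the changelog hunk, the whole file shows as removed (`@@ -1,102 +0,0 @@` against a `1970-01-01` target) because the debdiff arguments are reversed; once regenerated old-to-new it should appear as a newly added file.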
diff -Nru modsecurity-crs-3.1.0/debian/patches/series modsecurity-crs-3.1.0/debian/patches/series
--- modsecurity-crs-3.1.0/debian/patches/series 2019-11-03 14:30:28.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/series 2016-11-14 19:38:28.000000000 +0100
@@ -1,2 +1 @@
fix_paths
-CVE-2019-13464.patch
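Review bot: `-CVE-2019-13464.patch` reads here as dropping the patch from `series`, which is the reversed-diff artefact again (the `+++` side is dated 2016); when the debdiff is regenerated old-to-new this should show as `+CVE-2019-13464.patch` appended after `fix_paths`, and it is worth double-checking with `quilt push -a` on the buster source that both patches still apply cleanly in that order.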