
Bug#944119: marked as done (buster-pu: package modsecurity-crs/3.1.0-1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #944119,
regarding buster-pu: package modsecurity-crs/3.1.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
944119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944119
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This [1] security bug was found in modsecurity-crs.
After contacting the security team, they said a DSA was not necessary
and that I should proceed through p-u.

So here's the debdiff. Hope it's all OK.

I'll wait for your instructions before uploading.

Cheers,

Alberto


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog
--- modsecurity-crs-3.1.0/debian/changelog	2019-11-03 14:34:05.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/changelog	2018-11-27 09:12:54.000000000 +0100
@@ -1,10 +1,3 @@
-modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium
-
-  * Add upstream patch to fix php script upload rules.
-    CVE-2019-13464 (Closes: #943773)
-
- -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sun, 03 Nov 2019 14:34:05 +0100
-
 modsecurity-crs (3.1.0-1) unstable; urgency=medium
 
   * New upstream release.
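Review bot: this hunk reads backwards, and the same applies to the other two files in the debdiff: the `---` side is dated 2019-11-03 and carries the new entry `modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium` as `-` lines, while the `+++` side is the unchanged 2018 file, so debdiff was run with the old and new versions swapped. Regenerate it with the 3.1.0-1 .dsc as the first argument and the 3.1.0-1+deb10u1 .dsc as the second so that the additions appear as `+` lines and the patch file is not shown as being deleted. The entry itself is fine: it targets buster, references CVE-2019-13464 and closes #943773.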
diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch
--- modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch	2019-11-03 14:30:47.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-From 6090d6b0a90417f1a60aa68a01eb777cef2e1184 Mon Sep 17 00:00:00 2001
-From: "Federico G. Schwindt" <fgsch@lodoss.net>
-Date: Sat, 4 May 2019 11:03:52 +0100
-Subject: [PATCH] Also handle dot variant of X_Filename
-
-PHP will transform dots to underscore in variable names since dot is
-invalid.
----
- rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf |  4 +-
- .../933110.yaml                               | 60 +++++++++++++++++++
- 2 files changed, 62 insertions(+), 2 deletions(-)
-
-Index: modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
-===================================================================
---- modsecurity-crs.orig/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf	2019-11-03 14:30:34.410293645 +0100
-+++ modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf	2019-11-03 14:30:34.406293506 +0100
-@@ -86,7 +86,7 @@
- # X_Filename, or X-File-Name to transmit the file name to the server;
- # scan these request headers as well as multipart/form-data file names.
- #
--SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
-+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
-     "id:933110,\
-     phase:2,\
-     block,\
-@@ -601,7 +601,7 @@
- #
- # This rule is a stricter sibling of rule 933110.
- #
--SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
-+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
-     "id:933111,\
-     phase:2,\
-     block,\
-Index: modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
-===================================================================
---- modsecurity-crs.orig/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml	2019-11-03 14:30:34.410293645 +0100
-+++ modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml	2019-11-03 14:30:34.406293506 +0100
-@@ -288,3 +288,63 @@
-           uri: /
-         output:
-           no_log_contains: id "933110"
-+  -
-+    test_title: 933110-20
-+    desc: PHP script uploads
-+    stages:
-+    - stage:
-+        input:
-+          dest_addr: 127.0.0.1
-+          headers:
-+            Host: localhost
-+            User-Agent: ModSecurity CRS 3 Tests
-+            X.Filename: a.php
-+          port: 80
-+          uri: /upload2
-+        output:
-+          log_contains: id "933110"
-+  -
-+    test_title: 933110-21
-+    desc: PHP script uploads
-+    stages:
-+    - stage:
-+        input:
-+          dest_addr: 127.0.0.1
-+          headers:
-+            Host: localhost
-+            User-Agent: ModSecurity CRS 3 Tests
-+            X.Filename: fda.php5...
-+          port: 80
-+          uri: /upload6
-+        output:
-+          log_contains: id "933110"
-+  -
-+    test_title: 933110-22
-+    desc: PHP script uploads
-+    stages:
-+    - stage:
-+        input:
-+          dest_addr: 127.0.0.1
-+          headers:
-+            Host: localhost
-+            User-Agent: ModSecurity CRS 3 Tests
-+            X.Filename: fthisfewfda.php.
-+          port: 80
-+          uri: /upload7
-+        output:
-+          log_contains: id "933110"
-+  -
-+    test_title: 933110-23
-+    desc: PHP script uploads
-+    stages:
-+    - stage:
-+        input:
-+          dest_addr: 127.0.0.1
-+          headers:
-+            Host: localhost
-+            User-Agent: ModSecurity CRS 3 Tests
-+            X.Filename: fthi/sfewfda.phtml987...
-+          port: 80
-+          uri: /
-+        output:
-+          no_log_contains: id "933110"
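Review bot: the embedded patch keeps the git `From:`/`Date:`/`Subject:` headers but no DEP-3 `Origin:` or `Bug-Debian:` field, so a later reader has to rediscover where it came from; add `Origin: upstream, commit 6090d6b0a90417f1a60aa68a01eb777cef2e1184` and `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773` above the `---` separator. Coverage is also uneven: both rule 933110 and its stricter sibling 933111 gain `REQUEST_HEADERS:X.Filename`, but the four new regression tests (933110-20 to 933110-23) only assert on `id "933110"`, so a regression in the 933111 change would go unnoticed. Note that 933110-23 is expected to produce no hit because `phtml987...` is not matched by `\.(?:php\d*|phtml)\.*$`: only the `php` alternative allows trailing digits.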
diff -Nru modsecurity-crs-3.1.0/debian/patches/series modsecurity-crs-3.1.0/debian/patches/series
--- modsecurity-crs-3.1.0/debian/patches/series	2019-11-03 14:30:28.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/series	2016-11-14 19:38:28.000000000 +0100
@@ -1,2 +1 @@
 fix_paths
-CVE-2019-13464.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
