Dear Debian Release team!
(Cc-d Christian Folini, co-leader of the CRS team; please also Cc him on replies.)
A couple of months ago, the CRS team got an opportunity from a big IT company: a Bug Bounty program for CoreRuleSet and ModSecurity.
The program has produced tons of reactions from elite hackers, so the rule set of the WAF has undergone a significant quality improvement in the last few weeks.
The plan is that we make a new release of CRS (4.0 - the current version is 3.3.2), but we make a patch for 3.3 too.
We need to know whether we could add this patch to the existing packages (3.3 in both Debian 10 and Debian 11) without a CVE or not.
Alberto (Cc-ed package maintainer) pointed to the reference [1], which describes the conditions. I think we can meet them.
We can request a CVE (it's not necessarily justified), but the Bug Bounty program affected ModSecurity itself too (that's the engine that uses the rules). The vendor of ModSecurity (Trustwave Inc.) declared they won't release any CVE, but the engine also got some new features which made it more robust. We can apply those patches too, to the libapache2-mod-security2 and libmodsecurity3 packages, but there will not be any CVE.
If you have any idea what the easiest way is to add these features to the existing Debian releases, please let me know.
Thanks for your help.
a.