
Bug#1020303: bullseye-pu: package modsecurity-apache/2.9.3-3+deb11u2
On Mon, 2022-09-19 at 19:25 +0200, Alberto Gonzalez Iniesta wrote:
> modsecurity-crs has been released today [1]. It fixes a security issue,
> here is the announcement:
> --------
> CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME header fields abuse
> 
[...]
> Important: The mitigation against these vulnerabilities depends on the
> installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated
> version with backports of the security fixes in these versions.
> If you fail to update ModSecurity, the webserver / engine will refuse to start
> with the following error message: "Error creating rule: Unknown variable:
> MULTIPART_PART_HEADERS".
> 
[...]
> As you may see in [1] a newer modsecurity is needed in order to apply
> this fix. We, modsecurity packaging team, are preparing a patched
> version of both modsecurity-apache (this bug report) and libmodsecurity3
> (coming up). After that we'll upload the updated modsecurity-crs.
> 

Apologies for the delay in getting back to you.

It's not entirely clear to me from the above, but what happens if this
modsecurity-apache update gets into a point release but the
libmodsecurity3 update does not? You mention the latter as "coming up"
above, but I can't see a request for it.

Regards,

Adam