
Bug#1035748: unblock: modsecurity/3.0.9-1



Hi Paul,

On Thu, Jun 01, 2023 at 09:52:06PM +0200, Paul Gevers wrote:
> control: tags -1 moreinfo
> 
> Hi,
> 
> On 28-05-2023 21:30, Alberto Gonzalez Iniesta wrote:
> > 2) The risks on the release quality are almost zero. Only
> > libnginx-mod-http-modsecurity depends on it (modsecurity being a
> > library).
> 
> That's not the only part that we mean here. We also mean, how big is the
> risk we introduce new *unknown* issues.
> 
> > 4) No idea
> 
> Then I don't think so. If your upstream had a decent stable update
> policy, they wouldn't introduce so many gratuitous changes (e.g. white space
> only).
> 
> > 6) Yes
> 
> I fail to spot it. Can you please point out which version?
> 
> > 7) It's too long, but mainly because of line numbers being updated in code
> > comments, like:
> > -#line 1459 "seclang-parser.yy"
> > +#line 1461 "seclang-parser.yy"
> > 8) Not that many code changes
> 
> Yet there is a huge amount of white space changes and other changes that
> look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> can we do a targeted security upload via security?

The targeted fix should be (Alberto, Ervin, can you confirm?)
https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785
While it would have been nice to start with modsecurity without
(known) security issues open in bookworm, I guess at this point of the
release preparation, and soon entering the last week, skip it and the
CVE can be fixed in the first bookworm point release.

Regards,
Salvatore

p.s.: The PCRE to PCRE2 switch is one other aspect why it would have
      been nice to have 3.0.9 in bookworm.
