
Bug#1035748: unblock: modsecurity/3.0.9-1



Hi Salvatore,

On Thu, Jun 01, 2023 at 10:24:28PM +0200, Salvatore Bonaccorso wrote:
> Hi Paul,
> 
> > Yet there is a huge amount of white space changes and other changes that
> > look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> > can we do a targeted security upload via security?
> 
> The targeted should be (Alberto, Ervin can you confirm)
> https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785
> . While it would have been nice to start with modsecurity without
> (known) security issues open in bookworm, I guess at this point of the
> release preparation and soon entering the last week, skip it and the
> CVE can be fixed in the first bookworm point release.

Yes, this is a critical bug, which leads to unexpected
behavior (an attacker can DoS the whole Nginx).

But - as I explained in my other e-mail - libmodsecurity3 has a
complex codebase, with a language (grammar) parser. This can
cause huge diffs, unfortunately.

> Regards,
> Salvatore
> 
> p.s.: The PCRE to PCRE2 switch is one other aspect why it would have
>       been nice to have 3.0.9 in bookworm.

Exactly.

We uploaded this library earlier, but meanwhile Nginx bumped the
PCRE version (finally!) to PCRE2. We *MUST* update this
package too to ignore the other unexpected behaviors.



Thanks,


a.

