Bug#1035748: unblock: modsecurity/3.0.9-1

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Paul Gevers <elbrus@debian.org>, Alberto Gonzalez Iniesta <agi@inittab.org>, 1035748@bugs.debian.org
Subject: Bug#1035748: unblock: modsecurity/3.0.9-1
From: Ervin Hegedüs <airween@gmail.com>
Date: Thu, 1 Jun 2023 22:45:00 +0200
Message-id: <[🔎] 20230601204500.mcfvtxeett5mq5u3@arxnet.hu>
Reply-to: Ervin Hegedüs <airween@gmail.com>, 1035748@bugs.debian.org
In-reply-to: <[🔎] ZHj+fOUwufn5+HGV@eldamar.lan>
References: <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <3faeb882-55b5-f5b0-4f36-6501eb68234a@debian.org> <ZHJpFwGfHEwsHKv8@eldamar.lan> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org> <ZHOr75P4ENeOgO9P@var.inittab.org> <[🔎] d611f386-9c5a-2694-ae78-6404f501a16a@debian.org> <[🔎] ZHj+fOUwufn5+HGV@eldamar.lan> <168356261184.101117.8241276422866397839.reportbug@var.inittab.org>

Hi Salvatore,

On Thu, Jun 01, 2023 at 10:24:28PM +0200, Salvatore Bonaccorso wrote:
> Hi Paul,
> 
> > Yet there is a huge amount of white space changes and other changes that
> > look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> > can we do a targeted security upload via security?
> 
> The targeted should be (Alberto, Ervin can you confirm)
> https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785
> . While it would have been nice to start with modsecurity without
> (known) security issues open in bookworm, I guess at this point of the
> release preparation and soon entering  the last week, skip it and the
> CVE can be fixed in the first bookworm point release.

yes, this is a critical bug, which leads to an unexpected
behavior (the attacker can DOS-ed the whole Nginx).

But - as I explained in my other e-mail - libmodsecurity3 has a
complex codebase, with a language (grammar) parser. This can
cause a huge diff's, unfortunately.

> Regards,
> Salvatore
> 
> p.s.: The PCRE to PCRE2 switch is one other aspect why it would have
>       been nice to have 3.0.9 in bookworm.

Exactly.

We upload this library earlier, but meanwhile Nginx bumped the
PCRE version (finally!) to PCRE2. We *MUST* to update this
package too to ingore the other unexpected behaviors.

Thanks,

a.

Reply to:

References:
- Bug#1035748: unblock: modsecurity/3.0.9-1
  - From: Paul Gevers <elbrus@debian.org>
- Bug#1035748: unblock: modsecurity/3.0.9-1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1035748: unblock: modsecurity/3.0.9-1
Next by Date: Bug#1037024: nmu: modsecurity-apache_2.9.7-1
Previous by thread: Bug#1035748: unblock: modsecurity/3.0.9-1
Next by thread: Bug#1035748: unblock: modsecurity/3.0.9-1
Index(es):
- Date
- Thread