Bug#1035748: unblock: modsecurity/3.0.9-1
Hi Salvatore,
On Thu, Jun 01, 2023 at 10:24:28PM +0200, Salvatore Bonaccorso wrote:
> Hi Paul,
>
> > Yet there is a huge amount of white space changes and other changes that
> > look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> > can we do a targeted security upload via security?
>
> The targeted should be (Alberto, Ervin can you confirm)
> https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785
> . While it would have been nice to start with modsecurity without
> (known) security issues open in bookworm, I guess at this point of the
> release preparation and soon entering the last week, skip it and the
> CVE can be fixed in the first bookworm point release.
Yes, this is a critical bug, which leads to unexpected
behavior (the attacker can DoS the whole Nginx).
But - as I explained in my other e-mail - libmodsecurity3 has a
complex codebase, with a language (grammar) parser. This can
cause huge diffs, unfortunately.
> Regards,
> Salvatore
>
> p.s.: The PCRE to PCRE2 switch is one other aspect why it would have
> been nice to have 3.0.9 in bookworm.
Exactly.
We uploaded this library earlier, but meanwhile Nginx bumped the
PCRE version (finally!) to PCRE2. We *MUST* update this
package too to ignore the other unexpected behaviors.
Thanks,
a.