
RE: [SECURITY] [DSA 2991-1] modsecurity-apache security update



Ryan,

Can you tell me if we use the below module?

Thanks,

Mike Gronbach
Tech Support
402-332-2265

This communication, along with any attachments, is covered by federal and state law governing electronic communications and may contain confidential and legally privileged information.  If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, use or copying of this message is strictly prohibited.  If you have received this in error, please reply immediately to the sender and delete this message.  Thank you.

-----Original Message-----
From: Salvatore Bonaccorso [mailto:carnil@master.debian.org] On Behalf Of Salvatore Bonaccorso
Sent: Sunday, July 27, 2014 12:54 PM
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 2991-1] modsecurity-apache security update
Importance: High

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2991-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
July 27, 2014                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : modsecurity-apache
CVE ID         : CVE-2013-5705

Martin Holst Swende discovered a flaw in the way chunked requests are handled in ModSecurity, an Apache module whose purpose is to tighten the Web application security. A remote attacker could use this flaw to bypass intended mod_security restrictions by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header, allowing to send requests containing content that should have been removed by mod_security.

For the stable distribution (wheezy), this problem has been fixed in version 2.6.6-6+deb7u2.

For the testing distribution (jessie), this problem has been fixed in version 2.7.7-1.

For the unstable distribution (sid), this problem has been fixed in version 2.7.7-1.

We recommend that you upgrade your modsecurity-apache packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/E1XBSdm-00016H-FH@master.debian.org
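
The flaw class the advisory describes, shown as an added C example that is not part of the original messages and is not ModSecurity's own code: HTTP transfer-coding names are case-insensitive, so a filter that matches the Transfer-Encoding value exactly treats "Chunked" as not chunked. The function names and the sample header values are hypothetical, constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: exact, case-sensitive match on the whole header value. */
int is_chunked_case_sensitive(const char *te)
{
    return te != NULL && strcmp(te, "chunked") == 0;
}

/* Case-insensitive compare of s[0..n) against a lower-case coding name. */
static int token_is(const char *s, size_t n, const char *name)
{
    if (n != strlen(name)) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* Corrected pattern: walk the comma-separated coding list, trim optional
 * whitespace, ignore ";parameters", and compare names case-insensitively.
 * Simplification: quoted parameter values containing commas are not handled. */
int is_chunked(const char *te)
{
    if (te == NULL) return 0;
    while (*te != '\0') {
        while (*te == ' ' || *te == '\t' || *te == ',') te++;
        const char *start = te;
        while (*te != '\0' && *te != ',' && *te != ';') te++;
        const char *end = te;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (token_is(start, (size_t)(end - start), "chunked")) return 1;
        while (*te != '\0' && *te != ',') te++;   /* skip any parameters */
    }
    return 0;
}

int main(void)
{
    /* Constructed Transfer-Encoding values, not taken from real traffic. */
    const char *samples[] = { "chunked", "Chunked", "gzip, CHUNKED", "identity" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s exact=%d case-insensitive=%d\n", samples[i],
               is_chunked_case_sensitive(samples[i]), is_chunked(samples[i]));
    return 0;
}
```

Any component that decides whether to decode and inspect a request body should make this decision the same way the server behind it does; a disagreement between the two is what lets uninspected content through.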


