Bug 563455

Summary: ModSecurity: Multiple security fixes in version v2.5.12
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: mfleming+rpm, rcvalle
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://sourceforge.net/projects/mod-security/files/modsecurity-apache/2.5.12/CHANGES_2.5.12.txt/download
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-02 14:40:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 563576

Description Jan Lieskovsky 2010-02-10 10:03:52 UTC
Multiple security flaws, which might lead to bypass of intended
security restrictions and denial of service, have been reported
and fixed in ModSecurity:

  http://www.modsecurity.org/

of version v2.5.12:
  http://sourceforge.net/projects/mod-security/files/modsecurity-apache/2.5.12/CHANGES_2.5.12.txt/download

More details from the SVN log:
  * r1488 | b1v1r | 2010-02-05 19:38:56 +0100 (Fri, 05 Feb 2010) | 1 line
    Cleanup path normalization routine and add some further regression tests
    (MODSEC-123).

  * r1487 | b1v1r | 2010-02-05 19:26:43 +0100 (Fri, 05 Feb 2010) | 1 line
    Fixed SecUploadFileMode to set the correct mode (MODSEC-129).

  * r1486 | b1v1r | 2010-02-05 19:24:44 +0100 (Fri, 05 Feb 2010) | 1 line
    Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions
    (MODSEC-78, MODSEC-130)

  * r1479 | b1v1r | 2010-02-05 19:15:31 +0100 (Fri, 05 Feb 2010) | 1 line
    Added SecUploadFileLimit (MODSEC-116).

  * r1478 | b1v1r | 2010-02-05 19:14:08 +0100 (Fri, 05 Feb 2010) | 1 line
    Rewrote path normalization routine (MODSEC-123).

  * r1476 | b1v1r | 2010-02-05 19:12:53 +0100 (Fri, 05 Feb 2010) | 1 line
    Trim whitespace around phrases used with @pmFromFile and allow for
    both LF and CRLF terminated lines (MODSEC-126).

  * r1474 | b1v1r | 2010-02-05 19:11:36 +0100 (Fri, 05 Feb 2010) | 1 line
    Allow for more robust parsing for multipart header folding. Reported
    by Sogeti/ESEC R&D (MODSEC-118). Added additional multipart regression
    tests.

  * r1472 | b1v1r | 2010-02-05 19:09:19 +0100 (Fri, 05 Feb 2010) | 1 line
    Added PCRE limits and studying by default to help alleviate REDoS
    reported by Sogeti/ESEC R&D (MODSEC-119).

  * r1471 | b1v1r | 2010-02-05 19:07:56 +0100 (Fri, 05 Feb 2010) | 1 line
    Fixed memory leak in v1 cookie parser reported by Sogeti/ESEC R&D
    (MODSEC-121).

Further references:
  http://secunia.com/advisories/38460/
  http://freshmeat.net/projects/modsecurity/releases/312017

CVE Request:
  http://www.openwall.com/lists/oss-security/2010/02/10/2
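
Two of the SVN entries above (r1478 and r1488, MODSEC-123) concern the path normalization a WAF performs before matching request paths against rules, and the regression tests that pin that behaviour down. The block below is an added illustration of that idea, not ModSecurity's own normalisePath code: a small normaliser that collapses repeated slashes, drops "." segments and resolves ".." without ever climbing above the root, together with a regression table in the spirit of the tests the changelog mentions. The function and case names (`normalise_path`, `run_regression`, `REGRESSION_CASES`) are my own and the inputs are constructed.

```python
"""Path normalisation as a WAF must apply it before rule matching.

Added example; not ModSecurity code. Function names are hypothetical and
the regression inputs below are constructed for illustration.
"""


def normalise_path(path: str) -> str:
    """Return a canonical form of ``path``.

    Rules implemented here (my own definition, modelled on what a WAF
    needs so that two spellings of the same path hit the same rules):
      * runs of "/" collapse to one
      * "." segments are removed
      * ".." removes the previous segment; at the root it is dropped,
        so the result can never point above "/"
      * a leading "/" is preserved, and a trailing "/" is kept when the
        input ended in "/", "/." or "/.." (i.e. it named a directory)
    """
    absolute = path.startswith("/")
    names_directory = (
        path.endswith("/") or path.endswith("/.") or path.endswith("/..")
        or path in (".", "..")
    )

    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            # empty (from "//") and self-reference segments carry no meaning
            continue
        if segment == "..":
            if stack:
                stack.pop()
            # at the root there is nothing to climb out of: discard it
            continue
        stack.append(segment)

    out = "/".join(stack)
    if absolute:
        out = "/" + out
    if names_directory and out and not out.endswith("/"):
        out += "/"
    return out


# Constructed regression table: (input, expected canonical form).
REGRESSION_CASES = [
    ("/", "/"),
    ("/index.html", "/index.html"),
    ("/a//b", "/a/b"),
    ("/a/./b", "/a/b"),
    ("/a/b/../c", "/a/c"),
    ("/a/b/..", "/a/"),
    ("/a/b/../", "/a/"),
    ("/../../etc", "/etc"),          # cannot escape above the root
    ("a/../../b", "b"),              # relative form, same rule
    ("//a/./././b//", "/a/b/"),
]


def run_regression(cases=REGRESSION_CASES):
    """Return the list of (input, expected, actual) triples that fail."""
    failures = []
    for raw, expected in cases:
        actual = normalise_path(raw)
        if actual != expected:
            failures.append((raw, expected, actual))
    return failures


if __name__ == "__main__":
    bad = run_regression()
    for raw, expected, actual in bad:
        print(f"FAIL {raw!r}: expected {expected!r}, got {actual!r}")
    print("all regression cases pass" if not bad else f"{len(bad)} failure(s)")
```

The value of the regression table is that every later change to the normaliser (the kind of rewrite r1478 records) is checked against the same fixed expectations, so a path that used to canonicalise one way cannot silently start canonicalising another way and slip past rules written against the old form.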

Comment 2 Jan Lieskovsky 2010-02-10 10:39:27 UTC
These issues affect the versions of the mod_security package
as shipped with Fedora releases 11 and 12.

These issues affect the versions of the mod_security package
as shipped with the EPEL-4 and EPEL-5 projects.

Please fix / rebase to newest version.

Comment 4 Michael Fleming 2010-02-13 11:04:13 UTC
I've pushed 2.5.12 to all currently supported branches (EPEL 4 currently in progress)

Comment 5 Fedora Update System 2010-02-16 13:09:51 UTC
mod_security-2.5.12-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-02-16 13:16:45 UTC
mod_security-2.5.12-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-02-17 16:58:48 UTC
mod_security-2.5.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-02-27 15:48:42 UTC
mod_security-2.5.12-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/mod_security-2.5.12-2.el4

Comment 9 Fedora Update System 2010-03-03 00:17:12 UTC
mod_security-2.5.12-2.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.