Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2013-1915 mod_security: Vulnerable to XXE attacks
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Fixed In Version: ModSecurity 2.7.3
Doc Type: Bug Fix
Bug Depends On: 947845, 947846
Description Jan Lieskovsky 2013-04-03 08:14:24 EDT
It was reported that the XML file parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed, might lead to local file disclosure or, potentially, excessive resource (memory, CPU) consumption.

References:
https://bugs.gentoo.org/show_bug.cgi?id=464188
https://secunia.com/advisories/52847/
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Relevant upstream patch:
https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
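As an added, illustrative defender-side check (example code, not ModSecurity's own code and not the upstream patch): both outcomes named in the description, local file disclosure through SYSTEM/PUBLIC entities and resource exhaustion through nested entity expansion, can be recognised from the DTD declarations alone, before any entity is resolved. The policy limit, function names and sample documents below are assumptions made for this example.

```python
import re
import xml.parsers.expat as expat

MAX_EXPANSION_BYTES = 512           # assumed policy limit for this example
ENTITY_REF = re.compile(r"&(\w+);")

def scan_xml_entities(data: bytes) -> dict:
    """Collect DTD entity declarations without resolving any of them."""
    found = {"external": [], "parameter": 0, "internal": {}, "error": None}
    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:  # an external DTD subset is itself an external entity
            found["external"].append(("DOCTYPE", system_id or public_id))
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            found["parameter"] += 1
        elif system_id is not None or public_id is not None:  # SYSTEM/PUBLIC entity
            found["external"].append((name, system_id or public_id))
        else:
            found["internal"][name] = value     # literal replacement text, refs unexpanded
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:        # no ExternalEntityRefHandler is installed, so nothing is ever fetched
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        found["error"] = str(exc)   # declarations seen before the error are kept
    return found

def expansion_size(name, internal, seen=()):
    """Bytes produced by fully expanding one internal entity, nested refs included."""
    if name in seen or name not in internal:
        return 0                    # recursive or undefined reference adds nothing
    value = internal[name]
    return len(ENTITY_REF.sub("", value)) + sum(
        expansion_size(ref, internal, seen + (name,)) for ref in ENTITY_REF.findall(value))

def xml_is_acceptable(data: bytes) -> bool:
    """Policy: no external or parameter entities, and bounded entity expansion."""
    found = scan_xml_entities(data)
    if found["external"] or found["parameter"]:
        return False
    worst = max((expansion_size(n, found["internal"]) for n in found["internal"]), default=0)
    return worst <= MAX_EXPANSION_BYTES

# Constructed samples (not from the bug report): file-disclosure XXE, a small
# "billion laughs"-shaped expansion document, and a harmless document.
XXE_SAMPLE = b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>'
BOMB_SAMPLE = (b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaaaaaaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">'
               b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">]><r>&c;</r>')
CLEAN_SAMPLE = b'<r><item>ok</item></r>'
```

The scan reports what a document declares; expat is left without an external entity handler, so the check itself cannot be turned into the disclosure it is looking for.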
Comment 1 Jan Lieskovsky 2013-04-03 08:16:36 EDT
This issue affects the versions of the mod_security package as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.

--

This issue (possibly [*]) affects the version of the mod_security package as shipped with Fedora EPEL-5. Please schedule an update.

[*] Possibly because the particular upstream patch wouldn't be applicable directly without a backport. But basically it's applicable to this version too.
Comment 2 Jan Lieskovsky 2013-04-03 08:17:45 EDT
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 947845]
Affects: epel-all [bug 947846]
Comment 3 Jan Lieskovsky 2013-04-03 08:24:44 EDT
Comment 4 Athmane Madjoudj 2013-04-03 11:09:53 EDT
Updates are mostly done, note that F19 is also affected.
Comment 5 Jan Lieskovsky 2013-04-03 11:11:48 EDT
The CVE identifier of CVE-2013-1915 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/03/7
Comment 6 Jan Lieskovsky 2013-04-03 11:13:37 EDT
(In reply to comment #4)
> Updates are mostly done, note that F19 is also affected.

Thank you for those, Athmane. Ad Fedora-19 sure / it's possible. But since it has not been officially released yet, we aren't referring to it (it's kinda automa[t,g]ically expected that version to be updated too though).

Thank you for making those again.

Jan.
Comment 7 Jan Lieskovsky 2013-04-09 10:57:11 EDT
Created attachment 733267 [details]
Backported upstream patch against 2.5.12 from Breno Silva

Patch shared via: http://www.openwall.com/lists/oss-security/2013/04/09/9
Comment 8 Athmane Madjoudj 2013-04-09 12:54:58 EDT
Note that I didn't mention the CVE ID in the pkgs changelog because I updated/committed the spec/files before the CVE was assigned, sorry about that.
Comment 9 Fedora Update System 2013-04-13 20:26:48 EDT
mod_security-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-04-13 20:29:46 EDT
mod_security-2.7.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-04-20 15:30:43 EDT
mod_security-2.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-04-21 14:46:38 EDT
mod_security-2.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-04-24 12:47:33 EDT
mod_security-2.6.8-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.