| Field | Value |
|---|---|
| Summary | CVE-2013-1915 mod_security: Vulnerable to XXE attacks |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED UPSTREAM |
| QA Contact | |
| Fixed In Version | ModSecurity 2.7.3 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2019-06-10 11:00:26 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | 947845, 947846 |
Description Jan Lieskovsky 2013-04-03 12:14:24 UTC
It was reported that the XML file parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed, might lead to local file disclosure or, potentially, excessive resource (memory, CPU) consumption.

References:
https://bugs.gentoo.org/show_bug.cgi?id=464188
https://secunia.com/advisories/52847/
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Relevant upstream patch:
https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
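The two failure modes named in the description (an entity whose body lives outside the document, and entity-expansion bodies that exhaust memory and CPU) are what a hardened body parser has to refuse. The following is an added example, not code from the bug report or from ModSecurity: a request-body parser on Python's standard-library expat bindings that rejects any external entity declaration and caps internal ones. The names `parse_hardened`, `is_rejected`, `XmlRejected` and the sample bodies are assumptions of this example.

```python
import xml.parsers.expat

class XmlRejected(Exception):
    """The document uses a feature the hardened parser refuses."""

def parse_hardened(data: bytes, max_entity_decls: int = 0) -> str:
    """Parse an XML request body as a WAF body processor should: no
    external entities, no fetching of external DTDs, and a cap on internal
    entity declarations so entity-expansion bodies cannot burn CPU/memory.
    Returns the concatenated character data of the document."""
    parser = xml.parsers.expat.ParserCreate()
    text_parts, decl_count = [], 0
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        nonlocal decl_count
        # A SYSTEM/PUBLIC identifier puts the entity body outside the document:
        # that is the XXE primitive (local file disclosure) the report describes.
        if system_id is not None or public_id is not None:
            raise XmlRejected(f"external entity declared: {name!r}")
        decl_count += 1
        if decl_count > max_entity_decls:
            raise XmlRejected("too many entity declarations")

    def external_ref(context, base, system_id, public_id):
        return 0  # defence in depth: returning 0 makes expat abort the parse

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.CharacterDataHandler = text_parts.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from None
    return "".join(text_parts)

def is_rejected(data: bytes, max_entity_decls: int = 0) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data, max_entity_decls)
    except XmlRejected:
        return True
    return False

# Constructed sample request bodies (not taken from the bug report).
CLEAN_BODY = b"<order><item>widget</item></order>"
XXE_BODY = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
            b"<order>&ext;</order>")
LAUGHS_BODY = b'<!DOCTYPE o [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;&a;">]><o>&b;</o>'
```

The declaration check fires before any reference is resolved, so the external file is never opened; the `ExternalEntityRefHandler` is only a second line of defence.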
Comment 1 Jan Lieskovsky 2013-04-03 12:16:36 UTC
This issue affects the versions of the mod_security package, as shipped with Fedora releases 17 and 18, and Fedora EPEL-6. Please schedule an update.

--

This issue (possibly [*]) affects the version of the mod_security package, as shipped with Fedora EPEL-5. Please schedule an update.

[*] Possibly because the particular upstream patch wouldn't be applicable directly without a backport. But basically it's applicable to this version too.
Comment 2 Jan Lieskovsky 2013-04-03 12:17:45 UTC
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 947845]
Affects: epel-all [bug 947846]
Comment 3 Jan Lieskovsky 2013-04-03 12:24:44 UTC
Comment 4 Othman Madjoudj 2013-04-03 15:09:53 UTC
Updates are mostly done; note that F19 is also affected.
Comment 5 Jan Lieskovsky 2013-04-03 15:11:48 UTC
The CVE identifier of CVE-2013-1915 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/03/7
Comment 6 Jan Lieskovsky 2013-04-03 15:13:37 UTC
(In reply to comment #4)
> Update are mostly done, note that F19 is also affected.

Thank you for those, Athmane. Ad Fedora-19: sure / it's possible. But since it has not been officially released yet, we aren't referring to it (it's kinda automa[t,g]ically expected that version to be updated too though).

Thank you for making those again.

Jan.
Comment 7 Jan Lieskovsky 2013-04-09 14:57:11 UTC
Created attachment 733267 [details]
Backported upstream patch against 2.5.12 from Breno Silva

Patch shared via: http://www.openwall.com/lists/oss-security/2013/04/09/9
Comment 8 Othman Madjoudj 2013-04-09 16:54:58 UTC
Note that I didn't mention the CVE ID in the packages' changelog because I updated/committed the spec/files before the CVE was assigned, sorry about that.
Comment 9 Fedora Update System 2013-04-14 00:26:48 UTC
mod_security-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-04-14 00:29:46 UTC
mod_security-2.7.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-04-20 19:30:43 UTC
mod_security-2.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-04-21 18:46:38 UTC
mod_security-2.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-04-24 16:47:33 UTC
mod_security-2.6.8-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Product Security DevOps Team 2019-06-10 11:00:26 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.