Bug 947842 (CVE-2013-1915)

Summary: CVE-2013-1915 mod_security: Vulnerable to XXE attacks
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: athmanem, pvrabec
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ModSecurity 2.7.3
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2019-06-10 11:00:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 947845, 947846
Attachments: Backported upstream patch against 2.5.12 from Breno Silva (flags: none)

Description Jan Lieskovsky 2013-04-03 12:14:24 UTC
It was reported that the XML file parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed, might lead to local file disclosure or, potentially, excessive resource (memory, CPU) consumption.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=464188
[2] https://secunia.com/advisories/52847/
[3] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Relevant upstream patch:
[4] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
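The two outcomes named in the description (file disclosure through an external entity, resource exhaustion through nested entity expansion) can both be caught before a request body ever reaches the XML parser. The check below is an added illustration written for this entry, not code from ModSecurity or from the upstream patch; the sample bodies, the `file:///placeholder-path` URI and the 4096-character expansion limit are constructed for the example.

```python
import re

# Constructed sample bodies for exercising the check (not taken from the bug report).
BENIGN_XML = '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
# External general entity: a substituting parser would read the named resource into the document.
EXTERNAL_ENTITY_XML = ('<?xml version="1.0"?><!DOCTYPE order [ '
                       '<!ENTITY ext SYSTEM "file:///placeholder-path"> ]>'
                       '<order><id>&ext;</id></order>')
# Small body, tenfold expansion per level on substitution (the resource-exhaustion case).
EXPANSION_XML = ('<?xml version="1.0"?><!DOCTYPE order [ <!ENTITY a "aaaaaaaaaa"> '
                 '<!ENTITY b "' + "&a;" * 10 + '"> <!ENTITY c "' + "&b;" * 10 + '"> '
                 '<!ENTITY d "' + "&c;" * 10 + '"> ]><order><id>&d;</id></order>')

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>', re.S)
ENTITY_RE = re.compile(r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>\S+)\s+(?P<def>[^>]*)>', re.S)

def estimate_expansion(entities):
    """Largest fully expanded internal entity, in characters (inf if one is recursive)."""
    memo = {}
    def size(name, stack=()):
        if name in memo:
            return memo[name]
        if name in stack:
            return float("inf")
        value = entities.get(name, "")  # undefined references expand to nothing
        total = len(re.sub(r'&[^;]+;', '', value))
        total += sum(size(ref, stack + (name,)) for ref in re.findall(r'&([^;&]+);', value))
        memo[name] = total
        return total
    return max((size(n) for n in entities), default=0)

def inspect_xml_body(body, max_expansion=4096):
    """Pre-parse policy check on a request body: returns ('allow' | 'block', reasons)."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return "allow", []
    reasons, internal = [], {}
    if re.search(r'\b(SYSTEM|PUBLIC)\b', m.group("head")):
        reasons.append("external DTD reference in DOCTYPE")
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        if e.group("param") or re.match(r'\s*(SYSTEM|PUBLIC)\b', e.group("def")):
            reasons.append(f"external or parameter entity {e.group('name')}")
        else:  # internal entity: keep its literal value for the expansion estimate
            internal[e.group("name")] = e.group("def").strip().strip('"\'')
    expansion = estimate_expansion(internal)
    if expansion > max_expansion:
        reasons.append(f"estimated entity expansion {expansion} chars (limit {max_expansion})")
    return ("block" if reasons else "allow"), reasons
```

The estimate is computed on entity definitions only, so the body never has to be expanded to learn that it would blow up.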

Comment 1 Jan Lieskovsky 2013-04-03 12:16:36 UTC
This issue affects the versions of the mod_security package, as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.

--

This issue (possibly [*]) affects the version of the mod_security package, as shipped with Fedora EPEL-5. Please schedule an update.

[*] Possibly because the particular upstream patch [4] wouldn't be applicable directly without a backport. But basically it's applicable to this version too.

Comment 2 Jan Lieskovsky 2013-04-03 12:17:45 UTC
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 947845]
Affects: epel-all [bug 947846]

Comment 3 Jan Lieskovsky 2013-04-03 12:24:44 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/04/03/3

Comment 4 Othman Madjoudj 2013-04-03 15:09:53 UTC
Updates are mostly done, note that F19 is also affected.

Comment 5 Jan Lieskovsky 2013-04-03 15:11:48 UTC
The CVE identifier of CVE-2013-1915 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/03/7

Comment 6 Jan Lieskovsky 2013-04-03 15:13:37 UTC
(In reply to comment #4)
> Updates are mostly done, note that F19 is also affected.

Thank you for those, Athmane. Ad Fedora-19 sure / it's possible. But since it has not been officially released yet, we aren't referring to it (it's kinda automa[t,g]ically expected that that version will be updated too, though).

Thank you for making those again.

Jan.

Comment 7 Jan Lieskovsky 2013-04-09 14:57:11 UTC
Created attachment 733267 [details]
Backported upstream patch against 2.5.12 from Breno Silva

Patch shared via:
  http://www.openwall.com/lists/oss-security/2013/04/09/9

Comment 8 Othman Madjoudj 2013-04-09 16:54:58 UTC
Note that I didn't mention the CVE ID in the pkgs changelog because I updated/committed the spec/files before the CVE was assigned, sorry about that.

Comment 9 Fedora Update System 2013-04-14 00:26:48 UTC
mod_security-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-04-14 00:29:46 UTC
mod_security-2.7.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-04-20 19:30:43 UTC
mod_security-2.7.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-04-21 18:46:38 UTC
mod_security-2.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-04-24 16:47:33 UTC
mod_security-2.6.8-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Product Security DevOps Team 2019-06-10 11:00:26 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.