Bug 947842 (CVE-2013-1915)
| Summary: | CVE-2013-1915 mod_security: Vulnerable to XXE attacks | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | athmanem, pvrabec | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | ModSecurity 2.7.3 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-06-10 11:00:26 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 947845, 947846 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2013-04-03 12:14:24 UTC
This issue affects the versions of the mod_security package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update. -- This issue (possibly [*]) affects the version of the mod_security package, as shipped with Fedora EPEL-5. Please schedule an update. [*] Possibly because particular upstream patch [4] wouldn't be applicable directly without backport. But basically it's applicable to this version too. Created mod_security tracking bugs for this issue Affects: fedora-all [bug 947845] Affects: epel-all [bug 947846] Update are mostly done, note that F19 is also affected. The CVE identifier of CVE-2013-1915 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/03/7 (In reply to comment #4) > Update are mostly done, note that F19 is also affected. Thank you for those, Athmane. Ad Fedora-19 sure / it's possible. But since it has not been officially released yet, we aren't referring to it (it's kinda automa[t,g]ically expected that version to be updated too though). Thank you for making those again. Jan. Created attachment 733267 [details] Backported upstream patch against 2.5.12 from Breno Silva Patch shared via: http://www.openwall.com/lists/oss-security/2013/04/09/9 Note that I didn't mention CVE ID in pkgs changelog because I updated/committed the spec/files before CVE was assigned, sorry about that. mod_security-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. mod_security-2.7.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. mod_security-2.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. mod_security-2.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. mod_security-2.6.8-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |