Bug 947842 (CVE-2013-1915)

Summary: CVE-2013-1915 mod_security: Vulnerable to XXE attacks
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: athmanem, pvrabec
Keywords: Security
Whiteboard: impact=moderate,public=20130328,reported=20130402,source=gentoo,cvss2=6.4/AV:N/AC:L/Au:N/C:P/I:N/A:P,fedora-all/mod_security=affected,epel-all/mod_security=affected
Fixed In Version: ModSecurity 2.7.3
Doc Type: Bug Fix
Bug Depends On: 947845, 947846

Attachments:
  Backported upstream patch against 2.5.12 from Breno Silva (flags: none)

Description Jan Lieskovsky 2013-04-03 08:14:24 EDT
It was reported that the XML file parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity (XXE) attacks. A remote attacker could provide a specially crafted XML file that, when processed, might lead to local file disclosure or, potentially, excessive resource (memory, CPU) consumption.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=464188
[2] https://secunia.com/advisories/52847/
[3] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Relevant upstream patch:
[4] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
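The mechanism the report describes, shown as an added example (this is not ModSecurity's code and not part of the bug report): an XML parser whose external entity loader resolves SYSTEM identifiers turns a request body into a local file read, and refusing external entities closes the hole. The upstream fix [4] takes the second approach by replacing libxml2's external entity loader; ModSecurity 2.7.3 exposes that choice as the SecXmlExternalEntity directive, default Off (the directive name comes from the upstream documentation, not from this page). Python's expat binding stands in for libxml2 here, the secret file and request body are constructed, and the names vulnerable_loader, hardened_loader, parse_text, xxe_request and demo are hypothetical.

```python
"""XXE via an external entity loader: vulnerable vs. hardened (added example)."""
import os
import tempfile
import xml.parsers.expat


def vulnerable_loader(system_id):
    """Resolve the entity's SYSTEM identifier as a local path.

    Constructed stand-in for a default loader that fetches whatever URI the
    document names; this is the behaviour that leaks files."""
    with open(system_id, "rb") as fh:
        return fh.read()


def hardened_loader(system_id):
    """Never resolve external entities.  Returning None makes the parser
    abort at the reference instead of fetching anything."""
    return None


def parse_text(xml_bytes, loader):
    """Parse the document and return its concatenated character data.

    loader(system_id) is called for every external general entity that is
    referenced in content: bytes are substituted in place, None aborts the
    parse with ExpatError."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_text(data):
        chunks.append(data)

    def on_external_entity(context, base, system_id, public_id):
        payload = loader(system_id)
        if payload is None:
            return 0  # expat reports XML_ERROR_EXTERNAL_ENTITY_HANDLING
        # The child parser inherits the parent's handlers, so the entity's
        # text lands in `chunks` exactly as if it had been inline.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(payload, True)
        return 1

    parser.CharacterDataHandler = on_text
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def xxe_request(secret_path):
    """Constructed attacker request body: declares an external entity that
    points at a local file and references it inside the document."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE order [\n"
        b'  <!ENTITY xxe SYSTEM "' + secret_path.encode() + b'">\n'
        b"]>\n"
        b"<order><comment>&xxe;</comment></order>\n"
    )


def demo():
    """Return (text the vulnerable parser leaked, whether the hardened
    parser refused the same body)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash")  # constructed content
        body = xxe_request(secret)
        leaked = parse_text(body, vulnerable_loader)
        try:
            parse_text(body, hardened_loader)
            refused = False
        except xml.parsers.expat.ExpatError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser refused the body:", refused)
```

The hardened loader rejects the reference outright rather than trying to allowlist paths or schemes, which is the same trade-off the upstream fix makes: a WAF inspecting untrusted bodies has no legitimate reason to dereference entities, and a loader that only filters schemes still leaves the parser open to expansion-based resource exhaustion, which this example does not cover.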
Comment 1 Jan Lieskovsky 2013-04-03 08:16:36 EDT
This issue affects the versions of the mod_security package as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.

--

This issue (possibly [*]) affects the version of the mod_security package as shipped with Fedora EPEL-5. Please schedule an update.

[*] Possibly, because the particular upstream patch [4] wouldn't be applicable directly without a backport. But basically it's applicable to this version too.
Comment 2 Jan Lieskovsky 2013-04-03 08:17:45 EDT
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 947845]
Affects: epel-all [bug 947846]
Comment 3 Jan Lieskovsky 2013-04-03 08:24:44 EDT
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/04/03/3
Comment 4 Athmane Madjoudj 2013-04-03 11:09:53 EDT
Updates are mostly done, note that F19 is also affected.
Comment 5 Jan Lieskovsky 2013-04-03 11:11:48 EDT
The CVE identifier of CVE-2013-1915 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/03/7
Comment 6 Jan Lieskovsky 2013-04-03 11:13:37 EDT
(In reply to comment #4)
> Updates are mostly done, note that F19 is also affected.

Thank you for those, Athmane. As for Fedora 19, sure, it's possible. But since it has not been officially released yet, we aren't referring to it (it's kinda automa[t,g]ically expected that that version will be updated too, though).

Thank you for making those again.

Jan.
Comment 7 Jan Lieskovsky 2013-04-09 10:57:11 EDT
Created attachment 733267
Backported upstream patch against 2.5.12 from Breno Silva

Patch shared via:
  http://www.openwall.com/lists/oss-security/2013/04/09/9
Comment 8 Athmane Madjoudj 2013-04-09 12:54:58 EDT
Note that I didn't mention the CVE ID in the package changelog because I updated/committed the spec/files before the CVE was assigned, sorry about that.
Comment 9 Fedora Update System 2013-04-13 20:26:48 EDT
mod_security-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-04-13 20:29:46 EDT
mod_security-2.7.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-04-20 15:30:43 EDT
mod_security-2.7.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-04-21 14:46:38 EDT
mod_security-2.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-04-24 12:47:33 EDT
mod_security-2.6.8-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.