Multiple security flaws, which might lead to bypass of intended security restrictions and denial of service, have been reported and fixed in ModSecurity: http://www.modsecurity.org/ of version v2.5.12: http://sourceforge.net/projects/mod-security/files/modsecurity-apache/2.5.12/CHANGES_2.5.12.txt/download More details from the SVN log: * r1488 | b1v1r | 2010-02-05 19:38:56 +0100 (Fri, 05 Feb 2010) | 1 line Cleanup path nomalization routine and add some further regression tests (MODSEC-123). * r1487 | b1v1r | 2010-02-05 19:26:43 +0100 (Fri, 05 Feb 2010) | 1 line Fixed SecUploadFileMode to set the correct mode (MODSEC-129). * r1486 | b1v1r | 2010-02-05 19:24:44 +0100 (Fri, 05 Feb 2010) | 1 line Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions (MODSEC-78, MODSEC-130) * r1479 | b1v1r | 2010-02-05 19:15:31 +0100 (Fri, 05 Feb 2010) | 1 line Added SecUploadFileLimit (MODSEC-116). * r1478 | b1v1r | 2010-02-05 19:14:08 +0100 (Fri, 05 Feb 2010) | 1 line Rewrote path normalization routine (MODSEC-123). * r1476 | b1v1r | 2010-02-05 19:12:53 +0100 (Fri, 05 Feb 2010) | 1 line Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines (MODSEC-126). * r1474 | b1v1r | 2010-02-05 19:11:36 +0100 (Fri, 05 Feb 2010) | 1 line Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D (MODSEC-118). Added additional multipart regression tests. * r1472 | b1v1r | 2010-02-05 19:09:19 +0100 (Fri, 05 Feb 2010) | 1 line Added PCRE limits and studying by default to help alleviate REDoS reported by Sogeti/ESEC R&D (MODSEC-119). * r1471 | b1v1r | 2010-02-05 19:07:56 +0100 (Fri, 05 Feb 2010) | 1 line Fixed memory leak in v1 cookie parser reported by Sogeti/ESEC R&D (MODSEC-121). Further references: http://secunia.com/advisories/38460/ http://freshmeat.net/projects/modsecurity/releases/312017 CVE Request: http://www.openwall.com/lists/oss-security/2010/02/10/2
Above list maps to following patches: http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1488 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1487 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1486 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1479 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1478 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1476 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1474 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1472 http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1471
These issues affect the versions of the mod_security package, as shipped with Fedora release of 11 and 12. These issues affect the versions of the mod_security package, as shipped with EPEL-4 and EPEL-5 projects. Please fix / rebase to newest version.
I've pushed 2.5.12 to all currently supported branches (EPEL 4 currently in progress)
mod_security-2.5.12-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.5.12-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.5.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.5.12-2.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/mod_security-2.5.12-2.el4
mod_security-2.5.12-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.