Multiple security flaws, which might lead to bypass of intended security restrictions and denial of service, have been reported and fixed in ModSecurity:
http://www.modsecurity.org/
of version v2.5.12:
http://sourceforge.net/projects/mod-security/files/modsecurity-apache/2.5.12/CHANGES_2.5.12.txt/download

More details from the SVN log:

* r1488 | b1v1r | 2010-02-05 19:38:56 +0100 (Fri, 05 Feb 2010) | 1 line
  Cleanup path normalization routine and add some further regression tests (MODSEC-123).

* r1487 | b1v1r | 2010-02-05 19:26:43 +0100 (Fri, 05 Feb 2010) | 1 line
  Fixed SecUploadFileMode to set the correct mode (MODSEC-129).

* r1486 | b1v1r | 2010-02-05 19:24:44 +0100 (Fri, 05 Feb 2010) | 1 line
  Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions (MODSEC-78, MODSEC-130)

* r1479 | b1v1r | 2010-02-05 19:15:31 +0100 (Fri, 05 Feb 2010) | 1 line
  Added SecUploadFileLimit (MODSEC-116).

* r1478 | b1v1r | 2010-02-05 19:14:08 +0100 (Fri, 05 Feb 2010) | 1 line
  Rewrote path normalization routine (MODSEC-123).

* r1476 | b1v1r | 2010-02-05 19:12:53 +0100 (Fri, 05 Feb 2010) | 1 line
  Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines (MODSEC-126).

* r1474 | b1v1r | 2010-02-05 19:11:36 +0100 (Fri, 05 Feb 2010) | 1 line
  Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D (MODSEC-118). Added additional multipart regression tests.

* r1472 | b1v1r | 2010-02-05 19:09:19 +0100 (Fri, 05 Feb 2010) | 1 line
  Added PCRE limits and studying by default to help alleviate REDoS reported by Sogeti/ESEC R&D (MODSEC-119).

* r1471 | b1v1r | 2010-02-05 19:07:56 +0100 (Fri, 05 Feb 2010) | 1 line
  Fixed memory leak in v1 cookie parser reported by Sogeti/ESEC R&D (MODSEC-121).

Further references:
http://secunia.com/advisories/38460/
http://freshmeat.net/projects/modsecurity/releases/312017

CVE Request:
http://www.openwall.com/lists/oss-security/2010/02/10/2
Above list maps to the following patches:
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1488
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1487
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1486
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1479
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1478
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1476
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1474
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1472
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1471
These issues affect the versions of the mod_security package as shipped with Fedora releases 11 and 12. These issues affect the versions of the mod_security package as shipped with the EPEL-4 and EPEL-5 projects. Please fix / rebase to the newest version.
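The two path-normalization entries above (r1478 and r1488, MODSEC-123) are the ones behind the "bypass of intended security restrictions" wording: a rule that matches on a request path only protects anything if the path is canonicalized before the match, otherwise dot segments and doubled slashes let a request reach a restricted location under a different spelling. The following Python is an added illustration written for this report, not ModSecurity's own routine and not the patched C code linked above; the function names and the sample rule prefix are assumptions. It shows a normalizer that resolves ".", "..", and empty segments without climbing above the root, and a prefix check that only becomes reliable once it runs on the normalized form.

```python
"""Illustrative request-path canonicalization for a WAF-style prefix rule.

Constructed example; not ModSecurity's implementation (see r1478/r1488).
"""


def normalize_path(path: str) -> str:
    """Canonicalize a URL path before it is matched against any rule.

    - runs of "/" collapse to one
    - "." segments are dropped
    - ".." pops the previous segment; on an absolute path it can never
      climb above "/", on a relative path a leading ".." is preserved
    - a trailing "/" is preserved so directory and file forms stay distinct
    """
    absolute = path.startswith("/")
    trailing_slash = path.endswith("/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty (from "//") and "." carry no information
        if seg == "..":
            if out and out[-1] != "..":
                out.pop()
            elif not absolute:
                out.append("..")  # relative path may legitimately start above its base
            continue  # absolute path at root: ".." is discarded
        out.append(seg)
    result = "/".join(out)
    if absolute:
        result = "/" + result
    if trailing_slash and not result.endswith("/"):
        result += "/"
    return result


# Hypothetical protected location used for the rule below (assumed value).
PROTECTED_PREFIXES = ("/admin/",)


def is_protected(path: str, normalize: bool = True) -> bool:
    """Prefix rule as a WAF would evaluate it.

    With normalize=False the rule sees the raw path and misses the
    same location written with dot segments or doubled slashes; with
    normalize=True the rule sees the canonical form.
    """
    candidate = normalize_path(path) if normalize else path
    return any(candidate.startswith(p) for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed request paths, all naming the same protected resource.
    for raw in ("/admin/users", "/public/../admin/users", "//admin/./users"):
        print(f"{raw!r:32} raw={is_protected(raw, False)!s:5} "
              f"normalized={is_protected(raw)!s:5} -> {normalize_path(raw)}")
```

The useful check when reviewing a deployment is the third column: every spelling of a protected resource must normalize to the same string, so a rule keyed on the canonical form cannot be routed around by re-spelling the path. Any normalizer used for this purpose also needs the same kind of regression tests r1488 adds, since a single mishandled case ("/.." at the root, for example) is enough to reopen the bypass.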
I've pushed 2.5.12 to all currently supported branches (EPEL 4 currently in progress)
mod_security-2.5.12-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.5.12-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.5.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.5.12-2.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/mod_security-2.5.12-2.el4
mod_security-2.5.12-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.