It was reported that the XML files parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed might lead to local files disclosure or, potentially, excessive resources (memory, CPU) consumption. References: [1] https://bugs.gentoo.org/show_bug.cgi?id=464188 [2] https://secunia.com/advisories/52847/ [3] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES Relevant upstream patch: [4] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
This issue affects the versions of the mod_security package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update. -- This issue (possibly [*]) affects the version of the mod_security package, as shipped with Fedora EPEL-5. Please schedule an update. [*] Possibly because particular upstream patch [4] wouldn't be applicable directly without backport. But basically it's applicable to this version too.
Created mod_security tracking bugs for this issue Affects: fedora-all [bug 947845] Affects: epel-all [bug 947846]
CVE Request: http://www.openwall.com/lists/oss-security/2013/04/03/3
Update are mostly done, note that F19 is also affected.
The CVE identifier of CVE-2013-1915 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/03/7
(In reply to comment #4) > Update are mostly done, note that F19 is also affected. Thank you for those, Athmane. Ad Fedora-19 sure / it's possible. But since it has not been officially released yet, we aren't referring to it (it's kinda automa[t,g]ically expected that version to be updated too though). Thank you for making those again. Jan.
Created attachment 733267 [details] Backported upstream patch against 2.5.12 from Breno Silva Patch shared via: http://www.openwall.com/lists/oss-security/2013/04/09/9
Note that I didn't mention CVE ID in pkgs changelog because I updated/committed the spec/files before CVE was assigned, sorry about that.
mod_security-2.7.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.7.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.7.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.7.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.6.8-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.