Bug 867424 (CVE-2012-4528) - CVE-2012-4528 mod_security: multipart/invalid part ruleset bypass
Summary: CVE-2012-4528 mod_security: multipart/invalid part ruleset bypass
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2012-4528
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 867773 867774
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-17 13:35 UTC by Othman Madjoudj
Modified: 2019-09-29 12:56 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:59:30 UTC

Attachments (Terms of Use)

Description Othman Madjoudj 2012-10-17 13:35:35 UTC 
ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part ruleset bypass, this was fixed in 2.7.0 (released on2012-10-16)

http://seclists.org/fulldisclosure/2012/Oct/113

CVE request: http://www.openwall.com/lists/oss-security/2012/10/17/1

Packages in EPEL and Fedora are affected, update will be released today.
Comment 1 Jan Lieskovsky 2012-10-18 09:01:19 UTC 
Thank you for your report, Athmane.
Comment 2 Jan Lieskovsky 2012-10-18 09:02:41 UTC 
Relevant upstream patch seems to be this one:
[1] http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081

but checking with Breno Silva yet:
[2] http://www.openwall.com/lists/oss-security/2012/10/18/7

to confirm / disprove it.
Comment 3 Jan Lieskovsky 2012-10-18 09:27:16 UTC 
References:
[3] http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES
Comment 4 Jan Lieskovsky 2012-10-18 09:28:28 UTC 
This issue affects the versions of the mod_security package, as shipped with Fedora release of 16 and 17. Please schedule an update.

--

This issue affects the versions of the mod_security package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Comment 5 Jan Lieskovsky 2012-10-18 09:29:57 UTC 
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 867773]
Affects: epel-all [bug 867774]
Comment 6 Jan Lieskovsky 2012-10-18 13:04:51 UTC 
Above patch confirmed by Breno Silva (that reply doesn't look to be able to make it to OSS list yet, inlining below):
--
Hello Jan,

Yes i can confirm the issue and the patch.

Thanks

Breno
--

Please schedule the updates.
Comment 7 Vincent Danen 2012-10-18 20:42:50 UTC 
This was assigned CVE-2012-4528:

http://www.openwall.com/lists/oss-security/2012/10/18/14
Comment 8 Fedora Update System 2012-11-23 08:07:51 UTC 
mod_security_crs-2.2.6-3.fc18, mod_security-2.7.1-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-01 08:36:15 UTC 
mod_security_crs-2.2.6-3.fc17, mod_security-2.7.1-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-03 20:36:06 UTC 
mod_security-2.6.8-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-12-13 20:05:43 UTC 
mod_security-2.7.1-3.el6, mod_security_crs-2.2.6-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Product Security DevOps Team 2019-06-10 10:59:30 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Note You need to log in before you can comment on or make changes to this bug.