Martin Holst Swende discovered a flaw in the way mod_security handled chunked requests. A remote attacker could use this flaw to bypass intended mod_security restrictions, allowing them to send requests containing content that should have been removed by mod_security.

This issue was corrected in mod_security version 2.7.6.

Upstream patch:
https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d

References:
http://martin.swende.se/blog/HTTPChunked.html
Created mod_security tracking bugs for this issue:

Affects: fedora-all [bug 1082905]
Affects: epel-all [bug 1082906]
mod_security-2.7.5-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.7.5-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.6.8-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
mod_security-2.7.3-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.