Re: [mod-security-users] CVE-2013-2765
From: Alberto G. I. <ag...@in...> - 2013-07-16 09:50:27
Sorry, that points to the wrong DSA (fixing CVE-2013-1915). CVE-2013-2765
was fixed in Debian Wheezy (2.6.6); IIRC we couldn't reproduce it in
2.5.12 (present in Squeeze). I'll check that again.

Regards,

Alberto

On Tue, Jul 16, 2013 at 11:41:02AM +0200, Alberto Gonzalez Iniesta wrote:
> Unless you're running Debian's package, which was patched [1].
>
> [1] http://www.debian.org/security/2013/dsa-2659
>
> On Tue, Jul 16, 2013 at 11:34:27AM +0200, Younes JAAIDI wrote:
> > Hi Thomas,
> >
> > You are probably vulnerable. There are details and an exploit of this
> > vulnerability on http://www.shookalabs.com/.
> >
> > Regards,
> >
> > Younes JAAIDI
> > Shookalabs - Agile Web Development And Security Consulting
> >
> > On Tue, Jul 16, 2013 at 11:15 AM, Thomas Eckert <tho...@gm...> wrote:
> > > Hi folks,
> > >
> > > CVE-2013-2765 just caught my attention and I want to assure my
> > > mod_security instances are "safe". I took a look at
> > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2765
> > > and
> > > https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES
> > > as well as searched the users and dev mailing lists for "CVE-2013-2765",
> > > but I don't think I understand just how exactly I can reproduce the crash.
> > > Can you please supply me with steps on how to cause the crash?
> > >
> > > The instances I am worried about are running mod_security 2.5.12 with a
> > > custom rule set (yes, I know, old version).
> > >
> > > Cheers,
> > > Thomas
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55