Re: [mod-security-users] CRS security releases covering several CVEs
From: Peter K. <lo...@kr...> - 2022-09-27 08:10:05
Hi,

May I ask why Debian rates them as "[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)"? See for example https://security-tracker.debian.org/tracker/CVE-2022-39958

No updates so far available....

@Ervin Hegedues???

Best regards
Peter

> On 21.09.2022 at 07:59, Christian Folini <chr...@ne...> wrote:
>
> Dear all,
>
> Following ModSecurity's security releases earlier this month, we have followed
> suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.
>
> https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
>
> (Unfortunately, we also released a bug, so we had to follow up with 3.3.4 and
> 3.2.3 immediately. Details in the blog.)
>
> These two updates cover for several partial rule set bypasses:
>
> CVE-2022-39955 – Multiple charsets defined in Content-Type header
> CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
> CVE-2022-39957 – Charset accept header field resulting in resp rule set bypass
> CVE-2022-39958 – Small range header leading to response rule set bypass
>
> Outside of these CVE-worthy fixes, there are a handful of security fixes that
> are of slightly lower severity.
>
> Please be aware that the fix to CVE-2022-39956 depends on the update of
> ModSecurity to the versions 2.9.6 or 3.0.8.
>
> Best regards,
>
> Christian Folini, OWASP ModSecurity Core Rule Set co-lead
>
>
> --
> Ultimately, motivation gets us started,
> but discipline and habit are what enable us to finish.
> -- Matthew Helmke
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/