Re: [mod-security-users] CRS security releases covering several CVEs
From: Ervin H. <ai...@gm...> - 2022-09-27 13:03:35
On Tue, Sep 27, 2022 at 09:54:32AM +0200, Peter Kreuser wrote:
> Hi,
>
> May I ask why Debian rates them as
>
> "[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)"
>
> see for example https://security-tracker.debian.org/tracker/CVE-2022-39958
>
> No updates so far available....
> @Ervin Hegedues???

Unfortunately I can't answer this question. I'm waiting for two things before I upload the new package:

* which version I can upload (3.3.0 + patch, OR 3.3.3, which is mentioned in the CVE as the fixed version, OR 3.3.4) into Debian
* which version is the stable one (3.3.4, or maybe CRS will release a new one soon, 3.3.5)

Btw, if you want to use the latest version of CRS, you can use Digitalwave's repository:

https://modsecurity.digitalwave.hu/

a.

ps: I will let you know (on this list) if I can upload the new packages to Debian mirrors.

> > On 21.09.2022 at 07:59, Christian Folini <chr...@ne...> wrote:
> >
> > Dear all,
> >
> > Following ModSecurity's security releases earlier this month, we have followed
> > suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.
> >
> > https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
> >
> > (Unfortunately, we also released a bug, so we had to follow up with 3.3.4 and
> > 3.2.3 immediately. Details in the blog.)
> >
> > These two updates cover several partial rule set bypasses:
> >
> > CVE-2022-39955 – Multiple charsets defined in Content-Type header
> > CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
> > CVE-2022-39957 – Charset accept header field resulting in resp rule set bypass
> > CVE-2022-39958 – Small range header leading to response rule set bypass
> >
> > Outside of these CVE-worthy fixes, there are a handful of security fixes that
> > are of slightly lower severity.
> >
> > Please be aware that the fix to CVE-2022-39956 depends on the update of
> > ModSecurity to the versions 2.9.6 or 3.0.8.
> >
> > Best regards,
> >
> > Christian Folini, OWASP ModSecurity Core Rule Set co-lead
> >
> >
> > --
> > Ultimately, motivation gets us started,
> > but discipline and habit are what enable us to finish.
> > -- Matthew Helmke
> >
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
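Not part of the thread: an added Python helper that encodes the version facts stated in the quoted announcement (CRS 3.3.3 and 3.2.2 carry the four CVE fixes, 3.3.4 and 3.2.3 are the immediate follow-up releases, and the CVE-2022-39956 fix additionally needs ModSecurity 2.9.6 or 3.0.8) and checks a deployment against them. It reads the CRS version from the `SecComponentSignature "OWASP_CRS/x.y.z"` line that crs-setup.conf carries; the ModSecurity version is passed in by hand, because how you obtain it depends on the engine and connector (the error-log banner mentioned in the comment is one common place). The crs-setup.conf snippet is constructed for this example and is not a file from the page or from the project.

```python
"""Check a ModSecurity + CRS deployment against the fixed versions named in the
CRS announcement quoted above. Added example; not code from the thread or from
the CRS project. The version numbers are those stated in the announcement, the
rest (file layout, where the ModSecurity version comes from) is assumed here."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# CRS releases that carry the fixes for CVE-2022-39955..39958.
CRS_CVE_FIX: Dict[Branch, Version] = {(3, 2): (3, 2, 2), (3, 3): (3, 3, 3)}
# Immediate follow-up releases, because the first ones shipped a bug.
CRS_RECOMMENDED: Dict[Branch, Version] = {(3, 2): (3, 2, 3), (3, 3): (3, 3, 4)}
# CVE-2022-39956 also needs the engine itself updated.
MODSEC_FIX: Dict[Branch, Version] = {(2, 9): (2, 9, 6), (3, 0): (3, 0, 8)}

# crs-setup.conf declares the rule set version on a line such as:
#   SecComponentSignature "OWASP_CRS/3.3.4"
SIGNATURE_RE = re.compile(r'^\s*SecComponentSignature\s+"OWASP_CRS/(\d+)\.(\d+)\.(\d+)')


def crs_version_from_setup(conf_text: str) -> Optional[Version]:
    """Return the CRS version declared in crs-setup.conf, or None if no signature line."""
    for line in conf_text.splitlines():
        m = SIGNATURE_RE.match(line)
        if m:
            major, minor, patch = (int(g) for g in m.groups())
            return (major, minor, patch)
    return None


def parse_version(text: str) -> Version:
    """Parse '2.9.6' or '3.0' into a 3-tuple, padding missing fields with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def _at_least(version: Version, table: Dict[Branch, Version]) -> Optional[bool]:
    """True/False against the branch's fixed release; None if the branch is not in the table."""
    fixed = table.get((version[0], version[1]))
    if fixed is None:
        return None
    return version >= fixed


def assess(crs: Version, modsec: Version) -> Dict[str, object]:
    """Report which of the announced fixes a given CRS + ModSecurity pair actually has."""
    crs_cve_ok = _at_least(crs, CRS_CVE_FIX)
    crs_rec_ok = _at_least(crs, CRS_RECOMMENDED)
    modsec_ok = _at_least(modsec, MODSEC_FIX)
    notes: List[str] = []
    if crs_cve_ok is None:
        notes.append("CRS %d.%d is not a branch covered by the announcement" % crs[:2])
    elif not crs_cve_ok:
        notes.append("CRS below %d.%d.%d: CVE-2022-39955..39958 fixes missing" % CRS_CVE_FIX[crs[:2]])
    elif not crs_rec_ok:
        notes.append("CRS has the CVE fixes but not the %d.%d.%d follow-up bug fix" % CRS_RECOMMENDED[crs[:2]])
    if modsec_ok is None:
        notes.append("ModSecurity %d.%d is not a branch named in the announcement" % modsec[:2])
    elif not modsec_ok:
        notes.append("ModSecurity below %d.%d.%d: CVE-2022-39956 fix incomplete" % MODSEC_FIX[modsec[:2]])
    return {
        "crs_cves_fixed": bool(crs_cve_ok),
        "crs_recommended": bool(crs_rec_ok),
        "modsec_fixed": bool(modsec_ok),
        # The rule-side fix for 39956 only takes effect with a fixed engine.
        "cve_2022_39956_fixed": bool(crs_cve_ok) and bool(modsec_ok),
        "notes": notes,
    }


# Constructed sample of the top of a crs-setup.conf, for this demo only.
SAMPLE_CRS_SETUP = """\
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.0
# ------------------------------------------------------------------------
SecComponentSignature "OWASP_CRS/3.3.0"
SecDefaultAction "phase:1,log,auditlog,pass"
"""

if __name__ == "__main__":
    crs = crs_version_from_setup(SAMPLE_CRS_SETUP)
    # The engine version is supplied by hand; one place to read it is the
    # startup banner ModSecurity writes to the error log (assumed value here).
    report = assess(crs, parse_version("2.9.5"))
    for note in report["notes"]:
        print("-", note)
```

Two things the split thresholds capture from the thread: a host on 3.3.3 is reported as having the CVE fixes but not the recommended release, which is exactly the 3.3.3-versus-3.3.4 question raised in the reply, and a host that updated the rules but not the engine is flagged as still exposed to CVE-2022-39956.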