Re: [mod-security-users] CRS security releases covering several CVEs
From: <lo...@kr...> - 2022-09-27 13:38:36
Ervin,

Thank you for your fast reply.

> On 27.09.2022 at 15:03, Ervin Hegedüs <ai...@gm...> wrote:
>
> On Tue, Sep 27, 2022 at 09:54:32AM +0200, Peter Kreuser wrote:
>> Hi,
>>
>> May I ask why Debian rates them as
>>
>> "[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)"
>>
>> see for example https://security-tracker.debian.org/tracker/CVE-2022-39958
>>
>> No updates so far available.... @Ervin Hegedues???
>
> Unfortunately I can't answer this question.
>
> I'm waiting for two things before I upload the new package:
>
> * which version can I upload (3.3.0 + patch OR 3.3.3, which is
>   mentioned in the CVE as the fixed version, OR the 3.3.4) into Debian
> * which version is the stable one (3.3.4, or maybe CRS will release
>   a new one soon, 3.3.5)

Who will have to decide? CRS-Team or Debian? Given the fact that this has been out for almost a week now, and Christian's and Walter's messages concerning the ModSecurity release, can this be sped up?

> Btw if you want to use the latest version of CRS, you can use
> Digitalwave's repository:
>
> https://modsecurity.digitalwave.hu/

I'm aware of this, however the binaries are only amd64 and I'm running part of my infrastructure on Mac M1. This should work for CRS, though! Thanks for the reminder.

Peter

> a.
>
> ps: I will let you know (on this list) if I can upload the new
> packages to Debian mirrors.
>
>>> On 21.09.2022 at 07:59, Christian Folini <chr...@ne...> wrote:
>>>
>>> Dear all,
>>>
>>> Following ModSecurity's security releases earlier this month, we have followed
>>> suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.
>>>
>>> https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
>>>
>>> (Unfortunately, we also released a bug, so we had to follow up with 3.3.4 and
>>> 3.2.3 immediately. Details in the blog.)
>>>
>>> These two updates cover several partial rule set bypasses:
>>>
>>> CVE-2022-39955 – Multiple charsets defined in Content-Type header
>>> CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
>>> CVE-2022-39957 – Charset accept header field resulting in response rule set bypass
>>> CVE-2022-39958 – Small range header leading to response rule set bypass
>>>
>>> Outside of these CVE-worthy fixes, there are a handful of security fixes that
>>> are of slightly lower severity.
>>>
>>> Please be aware that the fix to CVE-2022-39956 depends on the update of
>>> ModSecurity to the versions 2.9.6 or 3.0.8.
>>>
>>> Best regards,
>>>
>>> Christian Folini, OWASP ModSecurity Core Rule Set co-lead
>>>
>>>
>>> --
>>> Ultimately, motivation gets us started,
>>> but discipline and habit are what enable us to finish.
>>> -- Matthew Helmke
>>>
>>>
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/