Re: [mod-security-users] CRS security releases covering several CVEs

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Peter,

On Tue, Sep 27, 2022 at 03:38:20PM +0200, lo...@kr... wrote:
> Thank you for your fast reply.

yw,

> > * which version can I upload (3.3.0 + patch OR 3.3.3, which
> >   mentioned in CVE as fixed version, OR the 3.3.4) into Debian
> > * which version is the stable (3.3.4, or may be CRS will release
> >   a new one soon, 3.3.5)
> > 
> 
> Who will have to decide? CRS-Team or debian?

1st: Debian
2nd: CRS team

> Given the fact that this has been out for almost a week now, and Christian's and Walter's messages concerning the ModSecurity release, can this be sped up?

I'm really sorry, I had written an e-mail to Debian Release team
*before* the new CRS and ModSec versions has released, but got
the answer only last week. ModSecurity patches are done (see
Debian's Salsa), but still couldn't uploaded them.

I ask them again, and try to urge it.

> > Btw if you want to use the last version of CRS, you can use
> > Digitalwave's repository:
> > 
> > https://modsecurity.digitalwave.hu/
> > 
> 
> I'm aware of this, however the binaries are only amd64 and I'm running part of my infrastructure on Mac M1.

oh, I see, sorry - and thanks for info.

> This should work for CRS, though!

yes, CRS would work,

> Thanks for the reminder.

yw,

a.