Debian Package Tracker
Register | Log in
Subscribe

modsecurity-apache

Tighten web applications security for Apache

Choose email to subscribe with

general
  • source: modsecurity-apache (main)
  • version: 2.9.9-1
  • maintainer: Ervin Hegedus (DMD)
  • uploaders: Alberto Gonzalez Iniesta [DMD]
  • arch: any
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.9.3-1+deb10u1
  • o-o-sec: 2.9.3-1+deb10u2
  • oldstable: 2.9.3-3+deb11u2
  • old-sec: 2.9.3-3+deb11u3
  • stable: 2.9.7-1
  • testing: 2.9.8-1.1
  • unstable: 2.9.9-1
versioned links
  • 2.9.3-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.9.3-1+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.9.3-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.9.3-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.9.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.9.8-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.9.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libapache2-mod-security2 (2 bugs: 0, 1, 1, 0)
action needed
Marked for autoremoval on 15 June: #1106286 high
Version 2.9.8-1.1 of modsecurity-apache is marked for autoremoval from testing on Sun 15 Jun 2025. It is affected by #1106286. You should try to prevent the removal by fixing these RC bugs.
Created: 2025-05-29 Last update: 2025-05-31 04:57
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2025-47947: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
Created: 2025-05-22 Last update: 2025-05-29 22:02
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2025-47947: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
Created: 2025-05-22 Last update: 2025-05-29 22:02
1 bug tagged patch in the BTS normal
The BTS contains patches fixing 1 bug, consider including or untagging them.
Created: 2025-01-06 Last update: 2025-05-31 05:01
lintian reports 3 warnings normal
Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2025-05-23 Last update: 2025-05-23 18:32
debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 2.9.9-1 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-05-23 18:01
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).
Created: 2022-12-17 Last update: 2025-05-23 14:06
testing migrations
  • This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for modsecurity-apache (2.9.8-1.1 to 2.9.9-1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
    • Issues preventing migration:
    • ∙ ∙ blocked by freeze: does not have autopkgtest (Follow the freeze policy when applying for an unblock)
    • ∙ ∙ Too young, only 8 of 20 days old
    • Additional info:
    • ∙ ∙ Updating modsecurity-apache will fix bugs in testing: #1106286
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/m/modsecurity-apache.html
    • ∙ ∙ Reproducible on amd64 - info ♻
    • ∙ ∙ Reproducible on arm64 - info ♻
    • ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
    • ∙ ∙ Waiting for reproducibility test results on i386 - info ♻
    • Not considered
news
[rss feed]
  • [2025-05-29] Accepted modsecurity-apache 2.9.3-3+deb11u3 (source) into oldstable-security (Ervin Hegedüs) (signed by: Adrian Bunk)
  • [2025-05-23] Accepted modsecurity-apache 2.9.9-1 (source) into unstable (Ervin Hegedüs) (signed by: Alberto Gonzalez Iniesta)
  • [2025-01-15] modsecurity-apache 2.9.8-1.1 MIGRATED to testing (Debian testing watch)
  • [2025-01-10] Accepted modsecurity-apache 2.9.8-1.1 (source) into unstable (Niels Thykier)
  • [2024-09-14] modsecurity-apache 2.9.8-1 MIGRATED to testing (Debian testing watch)
  • [2024-09-09] Accepted modsecurity-apache 2.9.8-1 (source) into unstable (Ervin Hegedüs) (signed by: Alberto Gonzalez Iniesta)
  • [2023-11-12] Accepted modsecurity-apache 2.9.3-3+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
  • [2023-01-29] modsecurity-apache 2.9.7-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-29] modsecurity-apache 2.9.7-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-26] Accepted modsecurity-apache 2.9.3-1+deb10u2 (source) into oldstable (Tobias Frost)
  • [2023-01-23] Accepted modsecurity-apache 2.9.7-1 (source) into unstable (Ervin Hegedüs) (signed by: Alberto Gonzalez Iniesta)
  • [2022-09-15] modsecurity-apache 2.9.6-1 MIGRATED to testing (Debian testing watch)
  • [2022-09-10] Accepted modsecurity-apache 2.9.6-1 (source) into unstable (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
  • [2022-05-28] Accepted modsecurity-apache 2.9.1-2+deb9u1 (source amd64 all) into oldoldstable (Chris Lamb)
  • [2021-12-24] Accepted modsecurity-apache 2.9.3-1+deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
  • [2021-12-24] Accepted modsecurity-apache 2.9.3-3+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
  • [2021-12-18] Accepted modsecurity-apache 2.9.3-1+deb10u1 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
  • [2021-12-18] Accepted modsecurity-apache 2.9.3-3+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
  • [2021-11-30] modsecurity-apache 2.9.5-1 MIGRATED to testing (Debian testing watch)
  • [2021-11-30] modsecurity-apache 2.9.5-1 MIGRATED to testing (Debian testing watch)
  • [2021-11-25] Accepted modsecurity-apache 2.9.5-1 (source) into unstable (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
  • [2020-12-16] modsecurity-apache 2.9.3-3 MIGRATED to testing (Debian testing watch)
  • [2020-12-10] Accepted modsecurity-apache 2.9.3-3 (source) into unstable (Alberto Gonzalez Iniesta)
  • [2020-05-26] modsecurity-apache 2.9.3-2 MIGRATED to testing (Debian testing watch)
  • [2020-05-20] Accepted modsecurity-apache 2.9.3-2 (source) into unstable (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
  • [2018-12-17] modsecurity-apache 2.9.3-1 MIGRATED to testing (Debian testing watch)
  • [2018-12-11] Accepted modsecurity-apache 2.9.3-1 (source amd64) into unstable (Alberto Gonzalez Iniesta)
  • [2018-09-22] modsecurity-apache 2.9.2-2 MIGRATED to testing (Debian testing watch)
  • [2018-09-17] Accepted modsecurity-apache 2.9.2-2 (source amd64) into unstable (Alberto Gonzalez Iniesta)
  • [2017-11-11] Accepted modsecurity-apache 2.9.2-1~bpo8+1 (source amd64) into jessie-backports-sloppy, jessie-backports-sloppy (Alberto Gonzalez Iniesta)
  • 1
  • 2
bugs [bug history graph]
  • all: 11
  • RC: 0
  • I&N: 7
  • M&W: 1
  • F&P: 3
  • patch: 1
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.9.9-1ubuntu1
  • 7 bugs
  • patches for 2.9.9-1ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing