modsecurity - Debian Package Tracker

general

versioned links

3.0.3-1+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.0.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.0.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2022-01-01 04:33

2 low-priority security issues in buster low

2 issues left for the package maintainer to handle:

CVE-2019-25043: (needs triaging) ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
CVE-2021-42717: (needs triaging) ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-05-07 Last update: 2021-12-18 14:34

1 low-priority security issue in bullseye low

There is 1 open security issue in bullseye.

1 issue left for the package maintainer to handle:

CVE-2021-42717: (needs triaging) ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

You can find information about how to handle this issue in the security team's documentation.

Created: 2021-11-24 Last update: 2021-12-18 14:34

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-12-12 Last update: 2018-12-12 18:09

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-05-11 23:24

[2021-11-30] modsecurity 3.0.6-1 MIGRATED to testing (Debian testing watch)
[2021-11-25] Accepted modsecurity 3.0.6-1 (source) into unstable (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
[2020-09-19] Accepted modsecurity 3.0.3-1+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
[2020-09-18] Accepted modsecurity 3.0.3-1+deb10u2 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
[2020-09-18] modsecurity 3.0.4-2 MIGRATED to testing (Debian testing watch)
[2020-09-16] Accepted modsecurity 3.0.4-2 (source) into unstable (Ervin Hegedüs) (signed by: Alberto Gonzalez Iniesta)
[2020-01-27] modsecurity 3.0.4-1 MIGRATED to testing (Debian testing watch)
[2020-01-25] Accepted modsecurity 3.0.3-1+deb10u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
[2020-01-21] Accepted modsecurity 3.0.4-1 (source) into unstable (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
[2018-12-18] modsecurity 3.0.3-1 MIGRATED to testing (Debian testing watch)
[2018-12-13] modsecurity 3.0.2-1 MIGRATED to testing (Debian testing watch)
[2018-12-12] Accepted modsecurity 3.0.3-1 (source amd64) into unstable (Alberto Gonzalez Iniesta)
[2018-10-16] Accepted modsecurity 3.0.2-1 (source amd64) into unstable, unstable (Alberto Gonzalez Iniesta)

bugs [bug history graph]

links

ubuntu