modsecurity-crs - Debian Package Tracker

general

source: modsecurity-crs (main)
version: 3.3.5-1
maintainer: Alberto Gonzalez Iniesta (DMD)
uploaders: Ervin Hegedus [DMD]
arch: all
std-ver: 4.4.1.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.1.0-1+deb10u2
o-o-sec: 3.2.3-0+deb10u3
o-o-bpo: 3.3.0-1~bpo10+1
oldstable: 3.3.0-1+deb11u1
stable: 3.3.4-1
testing: 3.3.5-1
unstable: 3.3.5-1

versioned links

3.1.0-1+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.3-0+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.0-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.0-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

modsecurity-crs

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/coreruleset/coreruleset/releases .*/v?(\d[\d\.]+)\.tar\.gz

Created: 2022-09-21 Last update: 2023-10-08 02:40

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2023-09-13 Last update: 2023-10-08 02:33

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.3.5-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 58ec39dd17a05795ae3e9dc2b0ef68b6d9a915a0
Author: Hegedüs Ervin <airween@gmail.com>
Date:   Sun Oct 1 20:21:08 2023 +0200

    Merge PR2 from Janitor by manually, avoid the conflicts

commit 8e864324bf3d1923482702b4161ed97ec66c7a67
Merge: 5244890 012f05c
Author: Ervin Hegedüs <airween@gmail.com>
Date:   Wed Sep 27 09:53:35 2023 +0000

    Merge branch 'multiarch-fixes' into 'master'
    
    Apply multi-arch hints
    
    See merge request modsecurity-packaging-team/modsecurity-crs!4

commit 5244890d3634c032b81d29b4804bb50ee98a0a5b
Merge: 18127f0 c63e314
Author: Ervin Hegedüs <airween@gmail.com>
Date:   Sat Jul 29 17:04:09 2023 +0200

    Update upstream source from tag 'upstream/3.3.5'
    
    Update to upstream version '3.3.5'
    with Debian dir f8ab8fa1eea87b605f8f18568226f40d17b7a919

commit c63e314e1dabcd8d5e3b364855360b2a1524f06c
Author: Hegedüs Ervin <airween@gmail.com>
Date:   Sat Jul 29 17:04:09 2023 +0200

    New upstream version 3.3.5

commit 012f05c9f7edeb71a3de2ac7a315d2c0205dd326
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Thu Oct 27 00:24:17 2022 +0000

    Apply multi-arch hints.
    + modsecurity-crs: Add Multi-Arch: foreign.
    
    Changes-By: apply-multiarch-hints

https://salsa.debian.org/api/v4/projects/debian%2Fmodsecurity-crs API request failed: 404 Not Found at /srv/qa.debian.org/data/vcswatch/vcswatch line 405.

Created: 2023-07-31 Last update: 2023-10-07 08:26

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-10-03 Last update: 2023-08-01 09:37

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

modsecurity-crs could be marked Multi-Arch: foreign

Created: 2016-12-22 Last update: 2023-10-08 02:43

6 low-priority security issues in bullseye low

There are 6 open security issues in bullseye.

6 issues left for the package maintainer to handle:

CVE-2020-22669: (needs triaging) Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
CVE-2022-39955: (needs triaging) The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVE-2022-39956: (needs triaging) The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
CVE-2022-39957: (needs triaging) The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVE-2022-39958: (needs triaging) The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
CVE-2023-38199: (needs triaging) coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-09-03 Last update: 2023-09-06 04:30

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-38199: (needs triaging) coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-07-14 Last update: 2023-09-06 04:30

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 3.3.5-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-08-01 07:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.4.1.1).

Created: 2020-01-21 Last update: 2023-08-01 00:14

news

[rss feed]

[2023-08-06] modsecurity-crs 3.3.5-1 MIGRATED to testing (Debian testing watch)
[2023-07-31] Accepted modsecurity-crs 3.3.5-1 (source) into unstable (Ervin Hegedüs) (signed by: Alberto Gonzalez Iniesta)
[2023-01-30] Accepted modsecurity-crs 3.2.3-0+deb10u3 (source) into oldstable (Tobias Frost)
[2022-10-08] modsecurity-crs 3.3.4-1 MIGRATED to testing (Debian testing watch)
[2022-10-03] Accepted modsecurity-crs 3.3.4-1 (source) into unstable (Ervin Hegedüs) (signed by: Alberto Gonzalez Iniesta)
[2021-09-25] Accepted modsecurity-crs 3.1.0-1+deb10u2 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
[2021-09-09] Accepted modsecurity-crs 3.3.0-1+deb11u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
[2021-08-29] modsecurity-crs 3.3.2-1 MIGRATED to testing (Debian testing watch)
[2021-08-24] Accepted modsecurity-crs 3.3.2-1 (source) into unstable (Alberto Gonzalez Iniesta)
[2020-09-22] Accepted modsecurity-crs 3.3.0-1~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Alberto Gonzalez Iniesta)
[2020-08-22] modsecurity-crs 3.3.0-1 MIGRATED to testing (Debian testing watch)
[2020-08-16] Accepted modsecurity-crs 3.3.0-1 (source) into unstable (Alberto Gonzalez Iniesta)
[2019-11-09] Accepted modsecurity-crs 3.1.0-1+deb10u1 (source all) into proposed-updates->stable-new, proposed-updates (Alberto Gonzalez Iniesta)
[2019-11-08] modsecurity-crs 3.2.0-1 MIGRATED to testing (Debian testing watch)
[2019-11-03] Accepted modsecurity-crs 3.2.0-1 (source) into unstable (Ervin Hegedus) (signed by: Alberto Gonzalez Iniesta)
[2019-06-26] Accepted modsecurity-crs 3.1.1-1 (source all) into unstable (Alberto Gonzalez Iniesta)
[2018-12-02] modsecurity-crs 3.1.0-1 MIGRATED to testing (Debian testing watch)
[2018-11-27] Accepted modsecurity-crs 3.1.0-1 (source all) into unstable (Alberto Gonzalez Iniesta)
[2017-11-11] Accepted modsecurity-crs 3.0.2-1~bpo8+1 (source all) into jessie-backports-sloppy, jessie-backports-sloppy (Alberto Gonzalez Iniesta)
[2017-10-25] Accepted modsecurity-crs 3.0.2-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Alberto Gonzalez Iniesta)
[2017-10-15] modsecurity-crs 3.0.2-1 MIGRATED to testing (Debian testing watch)
[2017-10-10] Accepted modsecurity-crs 3.0.2-1 (source all) into unstable (Alberto Gonzalez Iniesta)
[2017-01-28] Accepted modsecurity-crs 2.2.9-1+deb8u1 (source all) into proposed-updates->stable-new, proposed-updates (Alberto Gonzalez Iniesta)
[2017-01-12] Accepted modsecurity-crs 3.0.0-3~bpo8+1 (source all) into jessie-backports (Alberto Gonzalez Iniesta)
[2017-01-02] modsecurity-crs 3.0.0-3 MIGRATED to testing (Debian testing watch)
[2016-12-22] Accepted modsecurity-crs 3.0.0-3 (source all) into unstable (Alberto Gonzalez Iniesta)
[2016-11-29] Accepted modsecurity-crs 3.0.0-2~bpo8+1 (source all) into jessie-backports, jessie-backports (Alberto Gonzalez Iniesta)
[2016-11-23] modsecurity-crs 3.0.0-2 MIGRATED to testing (Debian testing watch)
[2016-11-17] Accepted modsecurity-crs 3.0.0-2 (source all) into unstable (Alberto Gonzalez Iniesta)
[2016-11-17] Accepted modsecurity-crs 3.0.0-1 (source all) into unstable (Alberto Gonzalez Iniesta)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 4)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.3.5-1