On Wed, Dec 07, 2022 at 08:14:50PM +0000, Adam D. Barratt wrote:
> On Mon, 2022-09-19 at 19:25 +0200, Alberto Gonzalez Iniesta wrote:
> > modsecurity-crs has been released today [1]. It fixes a security
> > issue, here is the announcement:
> > --------
> > CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME
> > header fields abuse
> >
> [...]
> > Important: The mitigation against these vulnerabilities depends on
> > the installation of the latest ModSecurity version (v2.9.6/v3.0.8)
> > or an updated version with backports of the security fixes in these
> > versions.
> > If you fail to update ModSecurity, the webserver / engine will refuse
> > to start with the following error message: "Error creating rule:
> > Unknown variable: MULTIPART_PART_HEADERS".
> >
> [...]
> > As you may see in [1] a newer modsecurity is needed in order to apply
> > this fix. We, modsecurity packaging team, are preparing a patched
> > version of both modsecurity-apache (this bug report) and
> > libmodsecurity3 (coming up). After that we'll upload the updated
> > modsecurity-crs.
> >
>
> Apologies for the delay in getting back to you.
>
> It's not entirely clear to me from the above, but what happens if this
> modsecurity-apache update gets into a point release but the
> libmodsecurity3 update does not? You mention the latter as "coming up"
> above, but I can't see a request for it.
Hi, Adam.

We (mod-security packaging team) have decided to skip the update to
libmodsecurity3. No package depends on it as of today and the patch to
add this feature to the version in bullseye would be huge. We think the
user base is probably close to zero which makes the effort worthless.

Thoughts?

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
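The advisory quoted above ties the CRS update to an engine that knows the MULTIPART_PART_HEADERS variable (v2.9.6/v3.0.8 or a backport), and an older engine refuses to start. The following preflight check is an added example, not code from the thread or from the modsecurity packages: it scans a rule set for that variable and compares the installed engine version against the minimums named in the advisory. The rule fragment and version strings are constructed; a plain version comparison cannot see a distribution backport, so a real config test against the installed engine remains the authoritative check.

```python
import re

# Minimum ModSecurity versions named in the advisory, per major line.
MIN_VERSION = {2: (2, 9, 6), 3: (3, 0, 8)}

# The variable an older engine rejects, from the quoted error message.
NEW_VARIABLE = "MULTIPART_PART_HEADERS"


def parse_version(text):
    """Turn 'v2.9.5' or '3.0.8' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ModSecurity version: {text!r}")
    return tuple(int(x) for x in m.groups())


def rules_need_new_variable(rule_text):
    """True if any non-comment line of the rule set references NEW_VARIABLE."""
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # a mention inside a comment never reaches the parser
        if NEW_VARIABLE in stripped:
            return True
    return False


def preflight(engine_version, rule_text):
    """Return (ok, reason); ok is False when the engine would refuse the rules."""
    version = parse_version(engine_version)
    if not rules_need_new_variable(rule_text):
        return True, f"rule set does not use {NEW_VARIABLE}"
    minimum = MIN_VERSION.get(version[0])
    if minimum is None:
        return False, f"unknown ModSecurity major line {version[0]}"
    if version < minimum:
        needed = ".".join(str(n) for n in minimum)
        return False, f"engine {engine_version} lacks {NEW_VARIABLE}; need {needed} or a backport"
    return True, f"engine {engine_version} supports {NEW_VARIABLE}"


# Constructed rule fragment (hypothetical, not the real CRS rule text).
SAMPLE_RULES = """\
# a comment mentioning MULTIPART_PART_HEADERS is ignored
SecRule MULTIPART_PART_HEADERS "@rx placeholder" "id:1,phase:2,deny"
"""

if __name__ == "__main__":
    for v in ("v2.9.5", "v2.9.6", "v3.0.7", "v3.0.8"):
        print(v, preflight(v, SAMPLE_RULES))
```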