On Mon, Dec 12, 2022 at 01:37:02PM +0100, Alberto Gonzalez Iniesta wrote:
> On Wed, Dec 07, 2022 at 08:14:50PM +0000, Adam D. Barratt wrote:
> > On Mon, 2022-09-19 at 19:25 +0200, Alberto Gonzalez Iniesta wrote:
> > > modsecurity-crs has been released today [1]. It fixes a security issue,
> > > here is the announcement:
> > > --------
> > > CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME header fields abuse
> > > 
> > [...]
> > > Important: The mitigation against these vulnerabilities depends on the
> > > installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated
> > > version with backports of the security fixes in these versions.
> > > If you fail to update ModSecurity, the webserver / engine will refuse to start
> > > with the following error message: "Error creating rule: Unknown variable:
> > > MULTIPART_PART_HEADERS".
> > > 
> > [...]
> > > As you may see in [1] a newer modsecurity is needed in order to apply
> > > this fix. We, modsecurity packaging team, are preparing a patched
> > > version of both modsecurity-apache (this bug report) and libmodsecurity3
> > > (coming up). After that we'll upload the updated modsecurity-crs.
> > > 
> > 
> > Apologies for the delay in getting back to you.
> > 
> > It's not entirely clear to me from the above, but what happens if this
> > modsecurity-apache update gets into a point release but the
> > libmodsecurity3 update does not? You mention the latter as "coming up"
> > above, but I can't see a request for it.
> 
> Hi, Adam.
> 
> We (mod-security packaging team) have decided to skip the update to
> libmodsecurity3. No package depends on it as of today and the patch to
> add this feature to the version in bullseye would be huge. We think the
> user base is probably close to zero which makes the effort worthless.
> 
> Thoughts?
> 

Hi, Adam.

Any updates on this front?

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: a...@inittab.org | for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
