Hi Salvatore, just for the record: patches and new releases are already uploaded to salsa.
Bookworm: https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/commit/3c59f9a64930170b9fbd8def0cf2b25afe4dd1f0 Trixie: https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/commit/e9689ae96a2a93078c8df0e27d4b07c2a164bf2f Sid: https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/commit/de852112273289293d789fe2de559ccf5ca5b4f1 Regards, a. On Sun, Jul 12, 2026 at 10:27 PM Salvatore Bonaccorso <[email protected]> wrote: > Source: modsecurity > Version: 3.0.15-1 > Severity: important > Tags: upstream > X-Debbugs-Cc: [email protected] > > Hi, > > The following vulnerabilities were published for modsecurity. > > CVE-2026-52747[0]: > | ModSecurity is an open source, cross platform web application > | firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, > | the multipart/form-data request body parser in libmodsecurity > | silently removes embedded line breaks from non-file form-field > | values before exporting them to ARGS and ARGS_POST because > | src/request_body_processor/multipart.cc overwrites reserved bytes in > | m_reserve instead of appending the current buffer. This creates a > | parser differential between ModSecurity and backend applications > | that preserve line breaks in form fields, allowing rules that > | inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax > | depends on a line break. This issue is fixed in version 3.0.16. > > > CVE-2026-52761[1]: > | ModSecurity is an open source, cross platform web application > | firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through > | 3.0.15, the t:utf8toUnicode transformation in > | src/actions/transformations/utf8_to_unicode.cc produces wrong output > | on i386 architecture because snprintf uses sizeof on a char pointer > | rather than the length of the unicode buffer, allowing rules that > | use this transformation to be bypassed on i386 architecture. This > | issue is fixed in version 3.0.16. > > > If you fix the vulnerabilities please also make sure to include the > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2026-52747 > https://www.cve.org/CVERecord?id=CVE-2026-52747 > > https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88 > [1] https://security-tracker.debian.org/tracker/CVE-2026-52761 > https://www.cve.org/CVERecord?id=CVE-2026-52761 > > https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore >

