Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: [email protected], [email protected], Debian 
Security Team <[email protected]>
Control: affects -1 + src:modsecurity-crs
User: [email protected]
Usertags: pu



[ Reason ]
Fix for CVE-2026-33691

[ Impact ]
Security rules could be bypassed, allowing the upload of files with dangerous
extensions, by inserting whitespace padding into the filename.

[ Tests ]
Fixed and tested by upstream.

[ Risks ]
Low risk, simple patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Remove whitespace from uploaded file names before checking their file
extension.
diff -Nru modsecurity-crs-3.3.7/debian/changelog 
modsecurity-crs-3.3.7/debian/changelog
--- modsecurity-crs-3.3.7/debian/changelog      2026-01-10 17:00:48.000000000 
+0100
+++ modsecurity-crs-3.3.7/debian/changelog      2026-03-29 18:29:12.000000000 
+0200
@@ -1,3 +1,9 @@
+modsecurity-crs (3.3.7-1+deb13u2) trixie-security; urgency=medium
+
+  * Fixes CVE-2026-33691
+
+ -- Ervin Hegedüs <[email protected]>  Sun, 29 Mar 2026 18:29:12 +0200
+
 modsecurity-crs (3.3.7-1+deb13u1) trixie-security; urgency=medium
 
   * Fixes CVE-2026-21876 (Closes: #1125084)
diff -Nru modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch 
modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch
--- modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch   1970-01-01 
01:00:00.000000000 +0100
+++ modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch   2026-03-29 
18:29:12.000000000 +0200
@@ -0,0 +1,44 @@
+From: Ervin Hegedus <[email protected]>
+Date: Sun, 29 Mar 2026 18:23:55 +0200
+Subject: Add patch from upstream to fix CVE-2026-33691
+
+---
+ rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 2 +-
+ rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf 
b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+index 002088a..aca6301 100644
+--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
++++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+@@ -573,7 +573,7 @@ SecRule 
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+     phase:2,\
+     block,\
+     capture,\
+-    t:none,t:lowercase,\
++    t:none,t:lowercase,t:removeWhitespace,\
+     msg:'Restricted File Upload Attempt',\
+     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',\
+     tag:'application-multi',\
+diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 
b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+index 707ed45..666643e 100644
+--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
++++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+@@ -91,7 +91,7 @@ SecRule 
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+     phase:2,\
+     block,\
+     capture,\
+-    t:none,t:lowercase,\
++    t:none,t:lowercase,t:removeWhitespace,\
+     msg:'PHP Injection Attack: PHP Script File Upload Found',\
+     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',\
+     tag:'application-multi',\
+@@ -673,7 +673,7 @@ SecRule 
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+     phase:2,\
+     block,\
+     capture,\
+-    t:none,t:lowercase,\
++    t:none,t:lowercase,t:removeWhitespace,\
+     msg:'PHP Injection Attack: PHP Script File Upload Found',\
+     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',\
+     tag:'application-multi',\
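Review bot: The new patch file carries only From/Date/Subject headers and no DEP-3 Origin or Bug field, so the upstream commit it was backported from cannot be traced from debian/patches alone; adding `Origin: upstream, <UPSTREAM-COMMIT-URL>` and `Bug-Debian: <DEBIAN-BUG-NUMBER>` after the Subject line would let a later maintainer verify the backport against upstream. The code change is the same one-token edit in three rules (932 at line 573, 933 at lines 91 and 673): `t:removeWhitespace` appended after `t:lowercase`, so whitespace is stripped from the filename before the extension check runs. The SecRule operator line of each rule lies outside the hunk, so whether the regex still anchors correctly on the normalized value cannot be confirmed from here. Because `t:removeWhitespace` drops every whitespace character rather than only trailing padding, `%{MATCHED_VAR}` in logdata presumably shows the normalized name rather than the raw upload name, which is worth one sentence in the patch header for anyone triaging alerts.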
diff -Nru modsecurity-crs-3.3.7/debian/patches/series 
modsecurity-crs-3.3.7/debian/patches/series
--- modsecurity-crs-3.3.7/debian/patches/series 2026-01-10 17:00:48.000000000 
+0100
+++ modsecurity-crs-3.3.7/debian/patches/series 2026-03-29 18:29:12.000000000 
+0200
@@ -1,2 +1,3 @@
 fix_paths
 cve-2026-21876.patch
+cve-2026-33691.patch
\ No newline at end of file
