Hi, Please find attached a fixed debdiff (targeting trixie instead of trixie-security).
Thanks, Alberto -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico [email protected] | en GNU/Linux y software libre Encrypted mail preferred | http://inittab.org Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.3.7/debian/changelog modsecurity-crs-3.3.7/debian/changelog
--- modsecurity-crs-3.3.7/debian/changelog 2026-01-10 17:00:48.000000000 +0100
+++ modsecurity-crs-3.3.7/debian/changelog 2026-03-29 18:29:12.000000000 +0200
@@ -1,3 +1,9 @@
+modsecurity-crs (3.3.7-1+deb13u2) trixie; urgency=medium
+
+ * Fixes CVE-2026-33691
+
+ -- Ervin Hegedüs <[email protected]> Sun, 29 Mar 2026 18:29:12 +0200
+
 modsecurity-crs (3.3.7-1+deb13u1) trixie-security; urgency=medium
 
 * Fixes CVE-2026-21876 (Closes: #1125084)
diff -Nru modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch
--- modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch 2026-03-29 18:29:12.000000000 +0200
@@ -0,0 +1,44 @@
+From: Ervin Hegedus <[email protected]>
+Date: Sun, 29 Mar 2026 18:23:55 +0200
+Subject: Add patch from upstream to fix CVE-2026-33691
+
+---
+ rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 2 +-
+ rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+index 002088a..aca6301 100644
+--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
++++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+@@ -573,7 +573,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'Restricted File Upload Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+index 707ed45..666643e 100644
+--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
++++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+@@ -91,7 +91,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+@@ -673,7 +673,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
diff -Nru modsecurity-crs-3.3.7/debian/patches/series 
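Review bot: The header of the new debian/patches/cve-2026-33691.patch says the fix comes from upstream but names no upstream commit or advisory, so the three `t:removeWhitespace` additions cannot be traced back to the upstream change from the package alone; a DEP-3 field such as `Origin: upstream, <upstream commit URL>` next to `Subject:` would record that. The three SecRule blocks start and end outside their inner hunks, so the operator patterns and rule ids are not visible here. Because the transformation now strips whitespace from every FILES and X-Filename value before matching, presumably to stop whitespace inside an extension from evading the rules, it is worth confirming before upload that ordinary upload names containing spaces still pass with the shipped configuration.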
modsecurity-crs-3.3.7/debian/patches/series
--- modsecurity-crs-3.3.7/debian/patches/series 2026-01-10 17:00:48.000000000 +0100
+++ modsecurity-crs-3.3.7/debian/patches/series 2026-03-29 18:29:12.000000000 +0200
@@ -1,2 +1,3 @@
 fix_paths
 cve-2026-21876.patch
+cve-2026-33691.patch
\ No newline at end of file

