modsecurity-apache: CVE-2013-1915: Vulnerable to XXE attacks

Debian Bug report logs - #704625
modsecurity-apache: CVE-2013-1915: Vulnerable to XXE attacks

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: modsecurity-apache: CVE-2013-1915: Vulnerable to XXE attacks

Date: Wed, 03 Apr 2013 20:35:28 +0200

Package: modsecurity-apache
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for modsecurity-apache.

CVE-2013-1915[0]:
Vulnerable to XXE attacks

Patches where added upstream for 2.7.3[1,2] but might need some
adjustments for current versions in Debian.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
    http://security-tracker.debian.org/tracker/CVE-2013-1915
[1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
[2] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 704625@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 704625@bugs.debian.org

Subject: Patch for this bug

Date: Sat, 06 Apr 2013 14:32:24 +0800

[Message part 1 (text/plain, inline)]

Hi,

I have done the work of backporting the upstream patch which Salvatore
Bonaccorso pointed at. The patch is attached to this email.

Please note that I have *not* tested this patch, I just applied manually
(because otherwise it would fail) what I could find upstream, and
checked that the package was still building (which it does).

So the current maintainer of the mod_security package *must* (before
upload or requesting for sponsorship):
1/ Check that this patch really addresses CVE-2013-1915 as expected
2/ Check that there is no regression and that mod_security continues to
work as expected

Note that this work should be done asap, considering how close we are
from releasing Wheezy. If nothing is done by the current maintainer,
then I hope to find the time to do the above 1/ and 2/, then upload to
the delayed queue (though, do not take it as fact, I might be busy doing
something else).

Please do take care of it, mod_security is a nice software, and it would
be a shame not to release Wheezy with it.

Cheers,

Thomas Goirand (zigo)

[CVE-2013-1915.patch (text/x-diff, attachment)]

Message #15 received at 704625@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <thomas@goirand.fr>

To: 704625@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Tested a bit further the mod_security patch I backported

Date: Sat, 06 Apr 2013 14:43:39 +0800

Hi,

I installed mod_security with the patch I backported, made sure the
module was loaded by Apache, and tested to query "http://localhost",
then I could see the "It works!" default Debian Apache page.

So, I'd say: so far so good, Apache doesn't crash.

Salvatore, could you tell how you find out about this CVE, and are you
sure that the commit you linked is fixing the problem (which I do not
understand fully...)? If you confirm that you are sure it fixes the CVE,
then I believe I could NMU the fixed package in the delayed queue.

Thoughts?

Cheers,

Thomas Goirand (zigo)

Message #24 received at 704625@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>

To: Thomas Goirand <thomas@goirand.fr>, 704625@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#704625: Tested a bit further the mod_security patch I backported

Date: Sat, 6 Apr 2013 10:50:43 +0200

On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote:
> Hi,
> 
> I installed mod_security with the patch I backported, made sure the
> module was loaded by Apache, and tested to query "http://localhost",
> then I could see the "It works!" default Debian Apache page.
> 
> So, I'd say: so far so good, Apache doesn't crash.
> 
> Salvatore, could you tell how you find out about this CVE, and are you
> sure that the commit you linked is fixing the problem (which I do not
> understand fully...)? If you confirm that you are sure it fixes the CVE,
> then I believe I could NMU the fixed package in the delayed queue.

Hi Thomas and Salvatore,

Thanks for the heads-up. Strangely I didn't get the first mail (the bug
report), but luckily got Thomas' mails. I'll check this ASAP and make an
upload accordingly.


Cheers,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3

Message #29 received at 704625@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 704625@bugs.debian.org

Subject: Re: Bug#704625: Tested a bit further the mod_security patch I backported

Date: Sat, 06 Apr 2013 17:55:59 +0800

On 04/06/2013 04:50 PM, Alberto Gonzalez Iniesta wrote:
> On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote:
>> Hi,
>>
>> I installed mod_security with the patch I backported, made sure the
>> module was loaded by Apache, and tested to query "http://localhost",
>> then I could see the "It works!" default Debian Apache page.
>>
>> So, I'd say: so far so good, Apache doesn't crash.
>>
>> Salvatore, could you tell how you find out about this CVE, and are you
>> sure that the commit you linked is fixing the problem (which I do not
>> understand fully...)? If you confirm that you are sure it fixes the CVE,
>> then I believe I could NMU the fixed package in the delayed queue.
> 
> Hi Thomas and Salvatore,
> 
> Thanks for the heads-up. Strangely I didn't get the first mail (the bug
> report), but luckily got Thomas' mails. I'll check this ASAP and make an
> upload accordingly.
> 
> 
> Cheers,
> 
> Alberto

Cool. I just thought I could help, since I knew a bit about Apache
module programing. I hope my patch will help to have this RC solved
faster, so we can think about something else for the release.

Cheers,

Thomas

Message #34 received at 704625@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Alberto Gonzalez Iniesta <agi@inittab.org>

Cc: Thomas Goirand <thomas@goirand.fr>, 704625@bugs.debian.org

Subject: Re: Bug#704625: Tested a bit further the mod_security patch I backported

Date: Sat, 6 Apr 2013 12:08:41 +0200

Hi Alberto, hi Thomas

On Sat, Apr 06, 2013 at 10:50:43AM +0200, Alberto Gonzalez Iniesta wrote:
> On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote:
> > Hi,
> > 
> > I installed mod_security with the patch I backported, made sure the
> > module was loaded by Apache, and tested to query "http://localhost",
> > then I could see the "It works!" default Debian Apache page.
> > 
> > So, I'd say: so far so good, Apache doesn't crash.
> > 
> > Salvatore, could you tell how you find out about this CVE, and are you
> > sure that the commit you linked is fixing the problem (which I do not
> > understand fully...)? If you confirm that you are sure it fixes the CVE,
> > then I believe I could NMU the fixed package in the delayed queue.
> 
> Hi Thomas and Salvatore,
> 
> Thanks for the heads-up. Strangely I didn't get the first mail (the bug
> report), but luckily got Thomas' mails. I'll check this ASAP and make an
> upload accordingly.

Bad you have not got the inital mail trough the BTS. :( Thank you for
preparing the update. For the new option the default value is Off, if
I understand it correctly, but configurable to On/Off. Could you also
add a bit of Documentation for it?

Could you also prepare an update for squeeze-security for ? Please
target there squeeze-security (instead of stable-security) in case the
update will happen just when wheezy get's released ;-) to prepare for
an update to security-master?

Regards,
Salvatore

Message #39 received at 704625@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 704625@bugs.debian.org

Cc: Thomas Goirand <thomas@goirand.fr>

Subject: Re: Bug#704625: Tested a bit further the mod_security patch I backported

Date: Sat, 6 Apr 2013 18:13:13 +0200

On Sat, Apr 06, 2013 at 12:08:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto, hi Thomas
> 
> On Sat, Apr 06, 2013 at 10:50:43AM +0200, Alberto Gonzalez Iniesta wrote:
> > On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote:
> > > Hi,
> > > 
> > > I installed mod_security with the patch I backported, made sure the
> > > module was loaded by Apache, and tested to query "http://localhost",
> > > then I could see the "It works!" default Debian Apache page.
> > > 
> > > So, I'd say: so far so good, Apache doesn't crash.
> > > 
> > > Salvatore, could you tell how you find out about this CVE, and are you
> > > sure that the commit you linked is fixing the problem (which I do not
> > > understand fully...)? If you confirm that you are sure it fixes the CVE,
> > > then I believe I could NMU the fixed package in the delayed queue.
> > 
> > Hi Thomas and Salvatore,
> > 
> > Thanks for the heads-up. Strangely I didn't get the first mail (the bug
> > report), but luckily got Thomas' mails. I'll check this ASAP and make an
> > upload accordingly.
> 
> Bad you have not got the inital mail trough the BTS. :( Thank you for
> preparing the update. For the new option the default value is Off, if
> I understand it correctly, but configurable to On/Off. Could you also
> add a bit of Documentation for it?
> 
> Could you also prepare an update for squeeze-security for ? Please
> target there squeeze-security (instead of stable-security) in case the
> update will happen just when wheezy get's released ;-) to prepare for
> an update to security-master?

Hi again,

I've packages ready for sid/wheezy and squeeze. I'm waiting upstream
blessing on them before uploading.

Regards,

Alberto


-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3

Message #44 received at 704625-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>

To: 704625-close@bugs.debian.org

Subject: Bug#704625: fixed in modsecurity-apache 2.6.6-6

Date: Mon, 08 Apr 2013 15:03:37 +0000

Source: modsecurity-apache
Source-Version: 2.6.6-6

We believe that the bug you reported is fixed in the latest version of
modsecurity-apache, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated modsecurity-apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Apr 2013 11:09:12 +0200
Source: modsecurity-apache
Binary: libapache2-modsecurity libapache-mod-security
Architecture: source amd64 all
Version: 2.6.6-6
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 libapache-mod-security - Dummy transitional package
 libapache2-modsecurity - Tighten web applications security for Apache
Closes: 704625
Changes: 
 modsecurity-apache (2.6.6-6) unstable; urgency=high
 .
   * Applied upstream patch to fix XXE attacks. CVE-2013-1915
     Thanks Thomas Goirand for backporting the patch.
     (Closes: #704625)
     Adds new SecXmlExternalEntity option which by default (Off) disables
     the external entity load task executed by libxml2.
Checksums-Sha1: 
 42c962dc35e7ab8d6d51420f2c3039d564b57e50 1352 modsecurity-apache_2.6.6-6.dsc
 14a6b15da1ab45a7abac1ae2aa05a206f8110931 10483 modsecurity-apache_2.6.6-6.debian.tar.gz
 848321a59e5610c9474b1f9ff46eb89c925241bd 303562 libapache2-modsecurity_2.6.6-6_amd64.deb
 53e6bd53fbed99d0ca1c0ad07a9c8c189f95e244 18274 libapache-mod-security_2.6.6-6_all.deb
Checksums-Sha256: 
 a04c2c992aa1120cb4845c9d4dfadaa20cf3e147fef74e2686735382de652227 1352 modsecurity-apache_2.6.6-6.dsc
 92085c49da450a40dd37bcb619ba17a2f1a79ae75a73b824c7c50d53a47f0371 10483 modsecurity-apache_2.6.6-6.debian.tar.gz
 28ffc2201cf284572147a47e32c03c71a5d2b4fddd1a8924cfd865fcb58f96dc 303562 libapache2-modsecurity_2.6.6-6_amd64.deb
 96dacadf7035ec4ca21514f3dad2a195095765703b32d78cfd68656cfc3df48d 18274 libapache-mod-security_2.6.6-6_all.deb
Files: 
 63939d541b57a5726fc642f7b32d67ae 1352 httpd optional modsecurity-apache_2.6.6-6.dsc
 44691d634ba2ac42642146c29e8573f0 10483 httpd optional modsecurity-apache_2.6.6-6.debian.tar.gz
 8981a018a555e165306718da6a27b8d6 303562 httpd optional libapache2-modsecurity_2.6.6-6_amd64.deb
 400fd267e4389712a816ad521bfd90e8 18274 oldlibs extra libapache-mod-security_2.6.6-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFi0RQACgkQxRSvjkukAcPB9QCgzR8v8SKpXx494XZTH2srMzmU
3fMAoJ7d9Pn2ox8WELsjylBOWBqe3eMn
=69Oh
-----END PGP SIGNATURE-----

Message #53 received at 704625-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>

To: 704625-close@bugs.debian.org

Subject: Bug#704625: fixed in libapache-mod-security 2.5.12-1+squeeze2

Date: Fri, 12 Apr 2013 18:02:04 +0000

Source: libapache-mod-security
Source-Version: 2.5.12-1+squeeze2

We believe that the bug you reported is fixed in the latest version of
libapache-mod-security, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated libapache-mod-security package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 02 Jul 2012 14:47:33 +0000
Source: libapache-mod-security
Binary: libapache-mod-security mod-security-common
Architecture: source all i386
Version: 2.5.12-1+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 libapache-mod-security - Tighten web applications security for Apache
 mod-security-common - Tighten web applications security - common files
Closes: 704625
Changes: 
 libapache-mod-security (2.5.12-1+squeeze2) stable-security; urgency=high
 .
   * CVE-2013-1915: Fix for XXE attacks.
     Applied backported patch from 2.7.3. (Closes: #704625)
     Adds new SecXmlExternalEntity option which by default (Off) disables
     the external entity load task executed by libxml2.
Checksums-Sha1: 
 4472feb1aeec57eff2308b03fbee27b6f78cc124 1283 libapache-mod-security_2.5.12-1+squeeze2.dsc
 768f5ff29abaeb71c43280a9808550c17e1440e7 10769 libapache-mod-security_2.5.12-1+squeeze2.debian.tar.gz
 d123776838f467d2f676133d8a93e02797541da0 961526 mod-security-common_2.5.12-1+squeeze2_all.deb
 e10feb33b9eb39fe98dd14c880e8512d70c17f63 114430 libapache-mod-security_2.5.12-1+squeeze2_i386.deb
Checksums-Sha256: 
 654ab7973fcbd79c6fc10438bbc995f06b1f66ef8bb03894339e7895a4105a0e 1283 libapache-mod-security_2.5.12-1+squeeze2.dsc
 7b958e8f695e0fefe16fda2c34731aaa1c57a9a5a50dae9cafd649495cb6cdff 10769 libapache-mod-security_2.5.12-1+squeeze2.debian.tar.gz
 323145d8068e972e84014052a61fee54b81089ba6c716d2542904eaa94106d6b 961526 mod-security-common_2.5.12-1+squeeze2_all.deb
 bf54cd81663fb11934e0f91a4781cbf635870b70a9512f97793b5cd819de4d3b 114430 libapache-mod-security_2.5.12-1+squeeze2_i386.deb
Files: 
 19655d5c5c65857e2a7c271db29133a3 1283 httpd optional libapache-mod-security_2.5.12-1+squeeze2.dsc
 e90fb879eb247a782eabca20395757e8 10769 httpd optional libapache-mod-security_2.5.12-1+squeeze2.debian.tar.gz
 f2352b44ee9e3ff1a6af0b2e5b518a35 961526 httpd optional mod-security-common_2.5.12-1+squeeze2_all.deb
 461c539be94a4eb33692e7061ff98903 114430 httpd optional libapache-mod-security_2.5.12-1+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFi4zgACgkQxRSvjkukAcNb0QCfe13uxOQbiHNw76trXYjfL1ZZ
fngAoKmoalP/SdXgYiq6qnG54smYW4+J
=PO0x
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.