modsecurity-crs: Needs update to 3.3.2 for CVE-2021-35368

Related Vulnerabilities: CVE-2021-35368

Debian Bug report logs - #992000

Reported by: Frederik Himpe <frederik@frehi.be>

Date: Sun, 8 Aug 2021 10:12:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version modsecurity-crs/3.3.0-1


Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#992000; Package modsecurity-crs. (Sun, 08 Aug 2021 10:12:03 GMT)


Acknowledgement sent to Frederik Himpe <frederik@frehi.be>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Sun, 08 Aug 2021 10:12:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Frederik Himpe <frederik@frehi.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: modsecurity-crs: Needs update to 3.3.2 for CVE-2021-35368
Date: Sun, 08 Aug 2021 11:59:20 +0200
Package: modsecurity-crs
Version: 3.3.0-1
Severity: normal

Dear Maintainer,

The version of modsecurity-crs contains a vulnerability and needs to be
updated to 3.3.2 to get the security fix:

https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/

-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (800, 'testing'), (750, 'proposed-updates'), (700, 'stable'), (600, 'oldstable'), (200, 'unstable'), (160, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

modsecurity-crs depends on no packages.

Versions of packages modsecurity-crs recommends:
ii  libapache2-mod-security2  2.9.3-3

Versions of packages modsecurity-crs suggests:
pn  geoip-database-contrib  <none>
pn  lua                     <none>
pn  python                  <none>
ii  ruby                    1:2.7+2

-- Configuration Files:
/etc/modsecurity/crs/crs-setup.conf changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf (from modsecurity-crs package)



Added tag(s) fixed-upstream, upstream, and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 Aug 2021 10:45:02 GMT)


Severity set to 'important' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 Aug 2021 10:45:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Aug 8 16:17:56 2021; Machine Name: bembo