Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
This [1] security bug was found in modsecurity-crs.
As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
does not seem necessary (security team on Cc:) so I'm targeting buster
proposed updates instead.
Here's the debdiff. Hope it's all OK.
I'll wait for your instructions before uploading.
Cheers,
Alberto
[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
--
Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog
--- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/changelog 2021-08-24 12:37:59.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity-crs (3.1.0-1+deb10u2) buster; urgency=medium
+
+ * Add upstream patch to fix request body bypass
+ CVE-2021-35368 (Closes: #992000)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 24 Aug 2021 12:37:59 +0200
+
modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium
* Add upstream patch to fix php script upload rules.
diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch
--- modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 2021-08-24 12:32:08.000000000 +0200
@@ -0,0 +1,130 @@
+From d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812 Mon Sep 17 00:00:00 2001
+From: Walter Hop <walter@lifeforms.nl>
+Date: Wed, 30 Jun 2021 12:56:51 +0200
+Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini)
+
+---
+diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+index 1f511c38..c9bb8693 100644
+--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
++++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+@@ -64,6 +64,14 @@
+
+ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+ "id:9001000,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
++
++SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
++ "id:9001001,\
+ phase:2,\
+ pass,\
+ t:none,\
+@@ -254,52 +262,58 @@
+ #
+ # Extensive checks make sure these uploads are really legitimate.
+ #
+-SecRule REQUEST_METHOD "@streq POST" \
+- "id:9001180,\
+- phase:1,\
+- pass,\
+- t:none,\
+- nolog,\
+- noauditlog,\
+- chain"
+- SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+- "chain"
+- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+- "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+- "id:9001182,\
+- phase:1,\
+- pass,\
+- t:none,\
+- nolog,\
+- noauditlog,\
+- chain"
+- SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+- "chain"
+- SecRule ARGS:destination "@streq admin/content/assets" \
+- "chain"
+- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+- "chain"
+- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+- "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+- "id:9001184,\
+- phase:1,\
+- pass,\
+- t:none,\
+- nolog,\
+- noauditlog,\
+- chain"
+- SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+- "chain"
+- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+- "chain"
+- SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
+- "chain"
+- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+- "ctl:requestBodyAccess=Off"
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++# "id:9001180,\
++# phase:1,\
++# pass,\
++# t:none,\
++# nolog,\
++# noauditlog,\
++# chain"
++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
++# "chain"
++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++# "ctl:requestBodyAccess=Off"
++
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++# "id:9001182,\
++# phase:1,\
++# pass,\
++# t:none,\
++# nolog,\
++# noauditlog,\
++# chain"
++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
++# "chain"
++# SecRule ARGS:destination "@streq admin/content/assets" \
++# "chain"
++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++# "chain"
++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++# "ctl:requestBodyAccess=Off"
++
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++# "id:9001184,\
++# phase:1,\
++# pass,\
++# t:none,\
++# nolog,\
++# noauditlog,\
++# chain"
++# SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
++# "chain"
++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++# "chain"
++# SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
++# "chain"
++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++# "ctl:requestBodyAccess=Off"
+
+
+ #
diff -Nru modsecurity-crs-3.1.0/debian/patches/series modsecurity-crs-3.1.0/debian/patches/series
--- modsecurity-crs-3.1.0/debian/patches/series 2019-11-03 14:34:05.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/series 2021-08-24 12:33:36.000000000 +0200
@@ -1,2 +1,3 @@
fix_paths
CVE-2019-13464.patch
+CVE-2021-35368.patch
Reply to: