Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
Hi, (again, see #992863)
This [1] security bug was found in modsecurity-crs.
As stated in #992863 by the security team, a DSA won't be issued
(security team on Cc:) so I'm targeting bullseye proposed updates
instead.
Here's the debdiff. Hope it's all OK.
I'll wait for your instructions before uploading.
Cheers,
Alberto
[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: agi@inittab.org | for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.3.0/debian/changelog modsecurity-crs-3.3.0/debian/changelog
--- modsecurity-crs-3.3.0/debian/changelog 2020-08-16 20:24:09.000000000 +0200
+++ modsecurity-crs-3.3.0/debian/changelog 2021-08-24 17:40:57.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity-crs (3.3.0-1+deb11u1) bullseye; urgency=medium
+
+ * Add upstream patch to fix request body bypass
+ CVE-2021-35368 (Closes: #992000)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 24 Aug 2021 17:40:57 +0200
+
modsecurity-crs (3.3.0-1) unstable; urgency=medium
* New upstream version 3.3.0
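Review bot: the changelog entry describes the patch only as "fix request body bypass", but the change also disables three Drupal exclusion rules (9001180, 9001182, 9001184) that switched request body inspection off for large asset uploads (Content-Length above 31486341), so after this update those uploads are fully inspected and may hit the configured request body limits. Consider naming the disabled rules in the entry, e.g. `* Add upstream patch to fix request body bypass (CVE-2021-35368); this disables Drupal exclusion rules 9001180/9001182/9001184 (Closes: #992000)`, so bullseye Drupal administrators can find the cause if large uploads start failing.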
diff -Nru modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch
--- modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 2021-08-24 17:40:57.000000000 +0200
@@ -0,0 +1,136 @@
+From b05cd8569862ee9599edd153a09cbbca2c74600a Mon Sep 17 00:00:00 2001
+From: Walter Hop <walter@lifeforms.nl>
+Date: Wed, 30 Jun 2021 12:37:56 +0200
+Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini)
+
+---
+diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+index f29ab3e1..2e5ce88f 100644
+--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
++++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+@@ -64,6 +64,15 @@
+
+ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+ "id:9001000,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ ver:'OWASP_CRS/3.3.0',\
++ skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
++
++SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
++ "id:9001001,\
+ phase:2,\
+ pass,\
+ t:none,\
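Review bot: this hunk renumbers the existing phase:2 skip rule from 9001000 to 9001001 and gives id 9001000 to the new phase:1 rule, so any local `SecRuleRemoveById 9001000` or `SecRuleUpdateActionById 9001000` on a bullseye system would now apply to the new phase:1 skip instead of the phase:2 one. Since this lands as a stable update, a line in the changelog (or a debian/NEWS entry) about the id change would help administrators who had referenced the old id.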
+@@ -267,55 +276,60 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
+ #
+ # Extensive checks make sure these uploads are really legitimate.
+ #
+-SecRule REQUEST_METHOD "@streq POST" \
+- "id:9001180,\
+- phase:1,\
+- pass,\
+- t:none,\
+- nolog,\
+- noauditlog,\
+- ver:'OWASP_CRS/3.3.0',\
+- chain"
+- SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+- "chain"
+- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+- "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+- "id:9001182,\
+- phase:1,\
+- pass,\
+- t:none,\
+- nolog,\
+- noauditlog,\
+- ver:'OWASP_CRS/3.3.0',\
+- chain"
+- SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+- "chain"
+- SecRule ARGS:destination "@streq admin/content/assets" \
+- "chain"
+- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+- "chain"
+- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+- "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+- "id:9001184,\
+- phase:1,\
+- pass,\
+- t:none,\
+- nolog,\
+- noauditlog,\
+- ver:'OWASP_CRS/3.3.0',\
+- chain"
+- SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+- "chain"
+- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+- "chain"
+- SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
+- "chain"
+- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+- "ctl:requestBodyAccess=Off"
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++# "id:9001180,\
++# phase:1,\
++# pass,\ +# t:none,\
++# nolog,\
++# noauditlog,\
++# ver:'OWASP_CRS/3.3.0',\
++# chain"
++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
++# "chain"
++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++# "ctl:requestBodyAccess=Off"
++
++# Rule 9001182 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++# "id:9001182,\
++# phase:1,\
++# pass,\
++# t:none,\
++# nolog,\
++# noauditlog,\
++# ver:'OWASP_CRS/3.3.0',\
++# chain"
++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
++# "chain"
++# SecRule ARGS:destination "@streq admin/content/assets" \
++# "chain"
++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++# "chain"
++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++# "ctl:requestBodyAccess=Off"
++
++# Rule 9001184 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++# "id:9001184,\
++# phase:1,\
++# pass,\
++# t:none,\
++# nolog,\
++# noauditlog,\
++# ver:'OWASP_CRS/3.3.0',\
++# chain"
++# SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
++# "chain"
++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++# "chain"
++# SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
++# "chain"
++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++# "ctl:requestBodyAccess=Off"
+
+
+ #
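Review bot: the comment kept above the disabled rules (`# Extensive checks make sure these uploads are really legitimate.`) now describes rules that are commented out, so it should be reworded or folded into the per-rule "was commented out in 2021" notes to avoid confusing the next reader of the file. Two smaller points: in the copy shown here the 9001180 block has `+# pass,\ +# t:none,\` on one line; confirm the patch file in the upload has them on separate lines (it is inside a comment, so it only affects readability). And since the patch carries only the git From/Date/Subject header, adding DEP-3 `Origin:` (the upstream commit b05cd8569862ee9599edd153a09cbbca2c74600a) and `Bug-Debian: https://bugs.debian.org/992000` lines would make its provenance clear from the file itself.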
diff -Nru modsecurity-crs-3.3.0/debian/patches/series modsecurity-crs-3.3.0/debian/patches/series
--- modsecurity-crs-3.3.0/debian/patches/series 2020-08-16 20:12:36.000000000 +0200
+++ modsecurity-crs-3.3.0/debian/patches/series 2021-08-24 17:40:57.000000000 +0200
@@ -1 +1,2 @@
fix_paths
+CVE-2021-35368.patch