[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992863: marked as done (buster-pu: package modsecurity-crs/3.1.0-1)

Your message dated Sat, 09 Oct 2021 12:11:43 +0100
with message-id <896b7609401ceb0e1c537222e26587ea2351415d.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in the 10.11 point release
has caused the Debian Bug report #992863,
regarding buster-pu: package modsecurity-crs/3.1.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992863
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This [1] security bug was found in modsecurity-crs.
As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
does not seem necessary (security team on Cc:) so I'm targeting buster
proposed updates instead.

Here's the debdiff. Hope it's all OK.

I'll wait for your instructions before uploading.

Cheers,

Alberto


[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000


-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog
--- modsecurity-crs-3.1.0/debian/changelog	2019-11-03 14:34:05.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/changelog	2021-08-24 12:37:59.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity-crs (3.1.0-1+deb10u2) buster; urgency=medium
+
+  * Add upstream patch to fix request body bypass
+    CVE-2021-35368 (Closes: #992000)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 24 Aug 2021 12:37:59 +0200
+
 modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium
 
   * Add upstream patch to fix php script upload rules.
diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch
--- modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch	1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch	2021-08-24 12:32:08.000000000 +0200
@@ -0,0 +1,130 @@
+From d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812 Mon Sep 17 00:00:00 2001
+From: Walter Hop <walter@lifeforms.nl>
+Date: Wed, 30 Jun 2021 12:56:51 +0200
+Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini)
+
+---
+diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+index 1f511c38..c9bb8693 100644
+--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
++++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+@@ -64,6 +64,14 @@
+ 
+ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
+     "id:9001000,\
++    phase:1,\
++    pass,\
++    t:none,\
++    nolog,\
++    skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
++
++SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
++    "id:9001001,\
+     phase:2,\
+     pass,\
+     t:none,\
+@@ -254,52 +262,58 @@
+ #
+ # Extensive checks make sure these uploads are really legitimate.
+ #
+-SecRule REQUEST_METHOD "@streq POST" \
+-    "id:9001180,\
+-    phase:1,\
+-    pass,\
+-    t:none,\
+-    nolog,\
+-    noauditlog,\
+-    chain"
+-    SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
+-        "chain"
+-        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+-            "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-    "id:9001182,\
+-    phase:1,\
+-    pass,\
+-    t:none,\
+-    nolog,\
+-    noauditlog,\
+-    chain"
+-    SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
+-        "chain"
+-        SecRule ARGS:destination "@streq admin/content/assets" \
+-            "chain"
+-            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-                "chain"
+-                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+-                    "ctl:requestBodyAccess=Off"
+-
+-SecRule REQUEST_METHOD "@streq POST" \
+-    "id:9001184,\
+-    phase:1,\
+-    pass,\
+-    t:none,\
+-    nolog,\
+-    noauditlog,\
+-    chain"
+-    SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
+-        "chain"
+-        SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
+-            "chain"
+-            SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
+-                "chain"
+-                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
+-                    "ctl:requestBodyAccess=Off"
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#    "id:9001180,\
++#    phase:1,\
++#    pass,\
++#    t:none,\
++#    nolog,\
++#    noauditlog,\
++#    chain"
++#    SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
++#        "chain"
++#        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++#            "ctl:requestBodyAccess=Off"
++
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#    "id:9001182,\
++#    phase:1,\
++#    pass,\
++#    t:none,\
++#    nolog,\
++#    noauditlog,\
++#    chain"
++#    SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
++#        "chain"
++#        SecRule ARGS:destination "@streq admin/content/assets" \
++#            "chain"
++#            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++#                "chain"
++#                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++#                    "ctl:requestBodyAccess=Off"
++
++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368.
++#
++#SecRule REQUEST_METHOD "@streq POST" \
++#    "id:9001184,\
++#    phase:1,\
++#    pass,\
++#    t:none,\
++#    nolog,\
++#    noauditlog,\
++#    chain"
++#    SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
++#        "chain"
++#        SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
++#            "chain"
++#            SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
++#                "chain"
++#                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
++#                    "ctl:requestBodyAccess=Off"
+ 
+ 
+ #
diff -Nru modsecurity-crs-3.1.0/debian/patches/series modsecurity-crs-3.1.0/debian/patches/series
--- modsecurity-crs-3.1.0/debian/patches/series	2019-11-03 14:34:05.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/series	2021-08-24 12:33:36.000000000 +0200
@@ -1,2 +1,3 @@
 fix_paths
 CVE-2019-13464.patch
+CVE-2021-35368.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.11

Hi,

The updates relating to these bugs were included in this morning's
10.11 point release for buster.

Regards,

Adam

--- End Message ---
Reply to: