Your message dated Fri, 23 May 2025 07:04:22 +0000
with message-id <e1uims6-009tdg...@fasolo.debian.org>
and subject line Bug#1106286: fixed in modsecurity-apache 2.9.9-1
has caused the Debian Bug report #1106286,
regarding modsecurity-apache: CVE-2025-47947
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1106286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: modsecurity-apache
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for modsecurity-apache.

CVE-2025-47947[0]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and
| including 2.9.8 are vulnerable to denial of service in one special
| case (in stable released versions): when the payload's content type
| is `application/json`, and there is at least one rule which does a
| `sanitiseMatchedBytes` action. A patch is available at pull request
| 3389 and expected to be part of version 2.9.9. No known workarounds
| are available.

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47947
    https://www.cve.org/CVERecord?id=CVE-2025-47947

Please adjust the affected versions in the BTS as needed.

--- End Message ---
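An added exposure check for Debian administrators, not code from the bug report or the ModSecurity project: it reads the advisory's two preconditions (an application/json payload and a rule using sanitiseMatchedBytes) off a ModSecurity 2.x rule directory and compares the installed version against 2.9.9. It assumes JSON bodies are only parsed when a rule sets ctl:requestBodyProcessor=JSON (the usual way in ModSecurity 2.x) and that the binary package is libapache2-mod-security2; the rule lines and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or ModSecurity): decide from a
# ModSecurity 2.x rule directory and the installed package version whether
# the CVE-2025-47947 preconditions are present. Per the advisory, the DoS
# needs an application/json payload plus a rule using sanitiseMatchedBytes;
# ModSecurity 2.x only parses JSON bodies when a rule enables the JSON
# request body processor (assumption: via ctl:requestBodyProcessor=JSON).

# Number of non-comment rule lines under $1 that use sanitiseMatchedBytes.
count_sanitise_rules() {
    grep -rE '^[^#]*sanitiseMatchedBytes' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# True when some rule under $1 switches the request body processor to JSON.
json_processor_enabled() {
    grep -rEq '^[^#]*ctl:requestBodyProcessor=JSON' "$1" 2>/dev/null
}

# True when upstream version $1 (Debian revision stripped) is older than $2.
version_older_than() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        [ "$a" = "$x" ] && a='' || a=${a#*.}
        [ "$b" = "$y" ] && b='' || b=${b#*.}
    done
    return 1
}

# Prints one word: fixed (version carries the upstream fix), exposed (older
# version and both preconditions in the rule set) or preconditions-absent
# (older version; upgrade anyway, the advisory lists no workaround).
assess() {
    if ! version_older_than "$2" 2.9.9; then
        echo fixed
    elif json_processor_enabled "$1" && [ "$(count_sanitise_rules "$1")" -gt 0 ]; then
        echo exposed
    else
        echo preconditions-absent
    fi
}

# Usage: sh check.sh /etc/modsecurity "$(dpkg-query -W -f '${Version}' libapache2-mod-security2)"
if [ "$#" -eq 2 ]; then
    assess "$1" "$2"
fi
```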
--- Begin Message ---
Source: modsecurity-apache
Source-Version: 2.9.9-1
Done: Ervin Hegedüs <airw...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
modsecurity-apache, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ervin Hegedüs <airw...@gmail.com> (supplier of updated modsecurity-apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 May 2025 19:46:46 +0200
Source: modsecurity-apache
Architecture: source
Version: 2.9.9-1
Distribution: unstable
Urgency: medium
Maintainer: Ervin Hegedus <airw...@gmail.com>
Changed-By: Ervin Hegedüs <airw...@gmail.com>
Closes: 1089390 1106286
Changes:
 modsecurity-apache (2.9.9-1) unstable; urgency=medium
 .
   [ Alberto Gonzalez Iniesta ]
   * d/control: Update Maintainer/Uploaders
 .
   [ Niels Thykier ]
   * Mark modsecurity-apache as requiring root (Closes: #1089390)
 .
   [ Ervin Hegedüs ]
   * New upstream version 2.9.9
   * Remove --with-pcre2; PCRE2 is the default from this release
   * Fixes CVE-2025-47947 (Closes: #1106286)
   * Removed d/patches/recliteral.patch; upstream contains it
   * add d/patches/aclocal.patch; upstream source depends on aclocal-1.16
Checksums-Sha1:
Checksums-Sha256:
Files:




--- End Message ---
