Your message dated Tue, 3 Jun 2025 17:58:57 +0200
with message-id <ad8bwus-gryzz...@eldamar.lan>
and subject line Re: Accepted modsecurity-apache 2.9.10-1 (source) into unstable
has caused the Debian Bug report #1107196,
regarding modsecurity-apache: CVE-2025-48866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107196: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: modsecurity-apache
Version: 2.9.9-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.9.7-1

The following vulnerability was published for modsecurity-apache.

CVE-2025-48866[0]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to
| 2.9.10 contain a denial of service vulnerability similar to
| GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and
| `sanitizeArg` - this is the same action but an alias) is vulnerable
| to adding an excessive number of arguments, thereby leading to
| denial of service. Version 2.9.10 fixes the issue. As a workaround,
| avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`)
| action.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48866
    https://www.cve.org/CVERecord?id=CVE-2025-48866
[1] https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w
[2] https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
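The report above names the vulnerable action (`sanitiseArg`/`sanitizeArg`) and the fixed release (2.9.10) but gives no way to check a deployment. The script below is an added example, not part of the bug report or of the ModSecurity project: it joins backslash-continued `SecRule`/`SecAction` directives, lists the rules that carry the action named in the advisory (so they can be removed or rewritten until the engine is upgraded), and compares an engine or package version string against 2.9.10 as integer tuples, because a naive string comparison puts "2.9.9" after "2.9.10". The rule set and rule IDs embedded in it are constructed for illustration. It only looks at the text you hand it, so feed it every file your configuration pulls in via `Include`, not just the main rules file.

```python
"""Check a ModSecurity 2.x rule set and engine version for CVE-2025-48866.

Added example; not the Debian bug report's or ModSecurity's own code.
SAMPLE_RULES is a constructed rule set with made-up rule IDs.
"""
import re
import sys

# First release the advisory quotes as fixed.
FIXED_VERSION = (2, 9, 10)

# Both spellings of the action named in the advisory; the action always
# takes an argument name, hence the trailing colon.
_ACTION_RE = re.compile(r"\bsaniti[sz]eArg:", re.IGNORECASE)
_DIRECTIVE_RE = re.compile(r"\s*Sec(Rule|Action)\b")
_ID_RE = re.compile(r"\bid:'?(\d+)")


def parse_version(s):
    """'2.9.9' or '2.9.10-1' -> (2, 9, 9) / (2, 9, 10)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("unrecognised version string: %r" % s)
    return tuple(int(p) for p in m.groups())


def needs_workaround(version_str):
    """True when the engine predates 2.9.10 and sanitiseArg rules should go."""
    return parse_version(version_str) < FIXED_VERSION


def logical_lines(text):
    """Yield (first_physical_line_no, joined_text) for each directive,
    folding trailing-backslash continuations into one logical line."""
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        if start is None:
            start = n
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def find_sanitise_rules(text):
    """Return [(line_no, rule_id_or_None, directive_text)] for every active
    SecRule/SecAction that uses sanitiseArg or sanitizeArg."""
    hits = []
    for n, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out rule, not loaded
        if not _DIRECTIVE_RE.match(line):
            continue
        if _ACTION_RE.search(line):
            m = _ID_RE.search(line)
            hits.append((n, m.group(1) if m else None, line.strip()))
    return hits


# Constructed sample: one continued rule using sanitiseArg, one clean rule,
# one commented-out rule (must be ignored), one SecAction using sanitizeArg.
SAMPLE_RULES = """\
# Constructed sample rule set (not from any real deployment)
SecRule ARGS:password "@rx ." \\
    "id:900001,phase:2,pass,nolog,sanitiseArg:password"
SecRule REQUEST_HEADERS:User-Agent "@contains bot" "id:900002,phase:1,deny,status:403"
# SecRule ARGS:token "@rx ." "id:900003,phase:2,pass,sanitizeArg:token"
SecAction "id:900004,phase:2,pass,nolog,sanitizeArg:ssn"
"""

if __name__ == "__main__":
    # usage: python check.py <engine-version> [rules-file ...]
    version = sys.argv[1] if len(sys.argv) > 1 else "2.9.9"
    texts = [open(p).read() for p in sys.argv[2:]] or [SAMPLE_RULES]
    print("engine %s needs workaround: %s" % (version, needs_workaround(version)))
    for text in texts:
        for n, rid, rule in find_sanitise_rules(text):
            print("line %d id=%s: %s" % (n, rid, rule))
```

Run against the embedded sample with a pre-fix version it reports two rules (IDs 900001 and 900004) and flags the version; with `2.9.10-1` the version check clears while the rule listing still shows what the workaround would have removed.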
--- Begin Message ---
Source: modsecurity-apache
Source-Version: 2.9.10-1

On Tue, Jun 03, 2025 at 03:18:27PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 02 Jun 2025 21:43:53 +0200
> Source: modsecurity-apache
> Architecture: source
> Version: 2.9.10-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Ervin Hegedus <airw...@gmail.com>
> Changed-By: Ervin Hegedüs <airw...@gmail.com>
> Changes:
>  modsecurity-apache (2.9.10-1) unstable; urgency=medium
>  .
>    [ Ervin Hegedüs ]
>    * New upstream version 2.9.10
>    * Fixes CVE-2025-48866
> Checksums-Sha1:
>  d099237dfc35231fbeb8718fdfaeb6c1037d7c6d 2211 modsecurity-apache_2.9.10-1.dsc
>  52475bab06539714a0021f0ebb432ab34a80762e 4342790 modsecurity-apache_2.9.10.orig.tar.gz
>  8bec5eb5b019442e135639c389b02f50723acb1c 9136 modsecurity-apache_2.9.10-1.debian.tar.xz
>  3c0bd140221421fb1c82e1472e87f8d809e17814 8967 modsecurity-apache_2.9.10-1_amd64.buildinfo
> Checksums-Sha256:
>  661c9f2923d4f42100876bf2f0e58a4cc9f5e89cf639d5ef363aa6c9fceb1e28 2211 modsecurity-apache_2.9.10-1.dsc
>  1341108b21a4c29f5f187539b003ba07af8354c9e13cfd0f1ad8d489b23a409b 4342790 modsecurity-apache_2.9.10.orig.tar.gz
>  b20421f91e27757e36dbf15e325c018a42413d80ee15c06121cd672262ed4ee5 9136 modsecurity-apache_2.9.10-1.debian.tar.xz
>  1c626367c512f88df764825583aaceb9d6803bfbf3abc65d5b913f8d9bc887a7 8967 modsecurity-apache_2.9.10-1_amd64.buildinfo
> Files:
>  974c1c6d03423ec8807977ebd7478609 2211 httpd optional modsecurity-apache_2.9.10-1.dsc
>  9d4deb01f23dd673e4b185880c9ee927 4342790 httpd optional modsecurity-apache_2.9.10.orig.tar.gz
>  b5e6376f110f8f115e74a4fdde3b1575 9136 httpd optional modsecurity-apache_2.9.10-1.debian.tar.xz
>  58abeef35a3643bca5c08faa78e3a838 8967 httpd optional modsecurity-apache_2.9.10-1_amd64.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJEBAEBCgAuFiEEU0fL2D4wqetNfUvyAJszdWuaqlUFAmg/CVwQHGFnaUBpbml0
> dGFiLm9yZwAKCRAAmzN1a5qqVUV+EACmm6B5IPjaf4Oad40j76NcQR0TH5Bzqh0h
> rh+2XbFUxYJkw4wrFszvb6mJaZrNFVYEFgR0EeH+0xquIfa5MJKKVujAIBpMB9cS
> Zc62nWwD6LOm4JFgltkIh+vuauvH//MD3Sb7s7d6uDF9SUgpGcYXHgiaqUccfVTe
> lkiwNf7s3uq7ivBhxztK4VRUs9qP6Bu0VbyZH/HjdwS/eWXaOhKzy9BdfEiBJcbR
> 62B86R2ahfi8P7icG5wxak22QJQynXD53pbchK3vL5M4Ddx1/2S8EVP8Nh7vGCz4
> ESOTLbUrUmI8g+3vMDic/2zRj4ylI+jbnN+KODOAT55IpOa9YNF0WklDj//aW8SQ
> IUh0gjXL+FiZkxw7sdjEu0g41hJETlpjAl4ES69xJ/OM49coGcNrLoVB3kZgdt2r
> KvBd+acdPp4FNukC9TrjegpTt9eLgScK/DdL9grumBIVXCNQvVvYzEvteYsfb9CJ
> oN5Sfwi/qaikpWLPyaiZ5LGLSzMterNPcn7DRZRznD2zvTA8VD6WS+RMzJr9GgkP
> mwdTXUCHkxlgmMTCq+IZ4+DR4FHYKgGShZV8RKysF0S+nn+UK0AXoi/MWC1xCrgd
> 3pcORoa/csnWDIVMfth66YYYpFrbzGiw9splMEncPsP//clc970VJ0W9OU1APA0o
> ggkkeADcqw==
> =Kba7
> -----END PGP SIGNATURE-----
> 

--- End Message ---