Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

This [1] security bug was found in modsecurity-crs. As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA does not seem necessary (security team on Cc:), so I'm targeting buster proposed updates instead.

Here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading.

Cheers,

Alberto

[1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000

-- 
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: a...@inittab.org | for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog --- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.000000000 +0100 +++ modsecurity-crs-3.1.0/debian/changelog 2021-08-24 12:37:59.000000000 +0200 @@ -1,3 +1,10 @@ +modsecurity-crs (3.1.0-1+deb10u2) buster; urgency=medium + + * Add upstream patch to fix request body bypass + CVE-2021-35368 (Closes: #992000) + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Tue, 24 Aug 2021 12:37:59 +0200 + modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium * Add upstream patch to fix php script upload rules. diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch --- modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.000000000 +0100 +++ modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 2021-08-24 12:32:08.000000000 +0200 
@@ -0,0 +1,130 @@ +From d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812 Mon Sep 17 00:00:00 2001 +From: Walter Hop <wal...@lifeforms.nl> +Date: Wed, 30 Jun 2021 12:56:51 +0200 +Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) + +--- +diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +index 1f511c38..c9bb8693 100644 +--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf ++++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +@@ -64,6 +64,14 @@ + + SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ + "id:9001000,\ ++ phase:1,\ ++ pass,\ ++ t:none,\ ++ nolog,\ ++ skipAfter:END-DRUPAL-RULE-EXCLUSIONS" ++ ++SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ ++ "id:9001001,\ + phase:2,\ + pass,\ + t:none,\ +@@ -254,52 +262,58 @@ + # + # Extensive checks make sure these uploads are really legitimate. + # +-SecRule REQUEST_METHOD "@streq POST" \ +- "id:9001180,\ +- phase:1,\ +- pass,\ +- t:none,\ +- nolog,\ +- noauditlog,\ +- chain" +- SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ +- "chain" +- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +- "ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +- "id:9001182,\ +- phase:1,\ +- pass,\ +- t:none,\ +- nolog,\ +- noauditlog,\ +- chain" +- SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ +- "chain" +- SecRule ARGS:destination "@streq admin/content/assets" \ +- "chain" +- SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +- "chain" +- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +- "ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +- "id:9001184,\ +- phase:1,\ +- pass,\ +- t:none,\ +- nolog,\ +- noauditlog,\ +- chain" +- SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ +- "chain" +- SecRule REQUEST_HEADERS:Content-Length 
"@gt 31486341" \ +- "chain" +- SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \ +- "chain" +- SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +- "ctl:requestBodyAccess=Off" ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++# "id:9001180,\ ++# phase:1,\ ++# pass,\ ++# t:none,\ ++# nolog,\ ++# noauditlog,\ ++# chain" ++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ ++# "chain" ++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++# "ctl:requestBodyAccess=Off" ++ ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++# "id:9001182,\ ++# phase:1,\ ++# pass,\ ++# t:none,\ ++# nolog,\ ++# noauditlog,\ ++# chain" ++# SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ ++# "chain" ++# SecRule ARGS:destination "@streq admin/content/assets" \ ++# "chain" ++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ ++# "chain" ++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++# "ctl:requestBodyAccess=Off" ++ ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. 
++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++# "id:9001184,\ ++# phase:1,\ ++# pass,\ ++# t:none,\ ++# nolog,\ ++# noauditlog,\ ++# chain" ++# SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ ++# "chain" ++# SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ ++# "chain" ++# SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \ ++# "chain" ++# SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ ++# "ctl:requestBodyAccess=Off" + + + # diff -Nru modsecurity-crs-3.1.0/debian/patches/series modsecurity-crs-3.1.0/debian/patches/series --- modsecurity-crs-3.1.0/debian/patches/series 2019-11-03 14:34:05.000000000 +0100 +++ modsecurity-crs-3.1.0/debian/patches/series 2021-08-24 12:33:36.000000000 +0200 @@ -1,2 +1,3 @@ fix_paths CVE-2019-13464.patch +CVE-2021-35368.patch
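Review bot: the debian/changelog entry for 3.1.0-1+deb10u2 only says "Add upstream patch to fix request body bypass", but the patch works by disabling rules 9001180, 9001182 and 9001184 (the Drupal upload exclusions that turned request body access off), which is a visible behaviour change for Drupal sites on buster; say so in the entry, e.g. "Disable Drupal upload exclusion rules 9001180/9001182/9001184, which allowed a request body bypass (CVE-2021-35368)", so administrators reading apt-listchanges know what changed.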
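Review bot: debian/patches/CVE-2021-35368.patch carries only the git format-patch header (From/Date/Subject) and no DEP-3 fields; add "Origin: upstream, commit d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812", "Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000" and a Last-Update line so the provenance of a security patch in a stable update is recorded where the Debian tooling expects it.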
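Review bot: in the @@ -64,6 +64,14 @@ region the existing phase:2 exclusion guard is renumbered from 9001000 to 9001001 and a new phase:1 guard takes id 9001000; any local configuration that already references 9001000 (a SecRuleRemoveById or SecRuleUpdateTargetById, for instance) will from now on affect only the phase:1 copy, so the id change deserves a mention in the changelog or README.Debian. The phase:1 copy itself is consistent with the file, since the rules it must skip past (the 9001180 series) run in phase:1.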
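Review bot: the three comment headers in the @@ -254,52 +262,58 @@ region all read "Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368", but the second and third blocks are rules 9001182 and 9001184; the copy-paste in upstream's text should be corrected so each header names the rule it precedes. Also worth a line in the description: these rules set ctl:requestBodyAccess=Off for POSTs with Content-Length above 31486341 to the Drupal asset paths, so after this update those uploads are inspected like any other request body and sites that relied on the exclusion may need their request body limits (SecRequestBodyLimit and friends) tuned rather than having the bypass reinstated.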