Your message dated Mon, 08 Apr 2013 15:03:37 +0000 with message-id <e1updbd-0007ex...@franck.debian.org> and subject line Bug#704625: fixed in modsecurity-apache 2.6.6-6 has caused the Debian Bug report #704625, regarding modsecurity-apache: CVE-2013-1915: Vulnerable to XXE attacks to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 704625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: modsecurity-apache Severity: grave Tags: security upstream Hi, the following vulnerability was published for modsecurity-apache. CVE-2013-1915[0]: Vulnerable to XXE attacks Patches where added upstream for 2.7.3[1,2] but might need some adjustments for current versions in Debian. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915 http://security-tracker.debian.org/tracker/CVE-2013-1915 [1] https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES [2] https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: modsecurity-apache Source-Version: 2.6.6-6 We believe that the bug you reported is fixed in the latest version of modsecurity-apache, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 704...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Alberto Gonzalez Iniesta <a...@inittab.org> (supplier of updated modsecurity-apache package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sat, 06 Apr 2013 11:09:12 +0200 Source: modsecurity-apache Binary: libapache2-modsecurity libapache-mod-security Architecture: source amd64 all Version: 2.6.6-6 Distribution: unstable Urgency: high Maintainer: Alberto Gonzalez Iniesta <a...@inittab.org> Changed-By: Alberto Gonzalez Iniesta <a...@inittab.org> Description: libapache-mod-security - Dummy transitional package libapache2-modsecurity - Tighten web applications security for Apache Closes: 704625 Changes: modsecurity-apache (2.6.6-6) unstable; urgency=high . * Applied upstream patch to fix XXE attacks. CVE-2013-1915 Thanks Thomas Goirand for backporting the patch. (Closes: #704625) Adds new SecXmlExternalEntity option which by default (Off) disables the external entity load task executed by libxml2. Checksums-Sha1: 42c962dc35e7ab8d6d51420f2c3039d564b57e50 1352 modsecurity-apache_2.6.6-6.dsc 14a6b15da1ab45a7abac1ae2aa05a206f8110931 10483 modsecurity-apache_2.6.6-6.debian.tar.gz 848321a59e5610c9474b1f9ff46eb89c925241bd 303562 libapache2-modsecurity_2.6.6-6_amd64.deb 53e6bd53fbed99d0ca1c0ad07a9c8c189f95e244 18274 libapache-mod-security_2.6.6-6_all.deb Checksums-Sha256: a04c2c992aa1120cb4845c9d4dfadaa20cf3e147fef74e2686735382de652227 1352 modsecurity-apache_2.6.6-6.dsc 92085c49da450a40dd37bcb619ba17a2f1a79ae75a73b824c7c50d53a47f0371 10483 modsecurity-apache_2.6.6-6.debian.tar.gz 28ffc2201cf284572147a47e32c03c71a5d2b4fddd1a8924cfd865fcb58f96dc 303562 libapache2-modsecurity_2.6.6-6_amd64.deb 96dacadf7035ec4ca21514f3dad2a195095765703b32d78cfd68656cfc3df48d 18274 libapache-mod-security_2.6.6-6_all.deb Files: 63939d541b57a5726fc642f7b32d67ae 1352 httpd optional modsecurity-apache_2.6.6-6.dsc 44691d634ba2ac42642146c29e8573f0 10483 httpd optional modsecurity-apache_2.6.6-6.debian.tar.gz 8981a018a555e165306718da6a27b8d6 303562 httpd optional libapache2-modsecurity_2.6.6-6_amd64.deb 400fd267e4389712a816ad521bfd90e8 18274 oldlibs extra libapache-mod-security_2.6.6-6_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlFi0RQACgkQxRSvjkukAcPB9QCgzR8v8SKpXx494XZTH2srMzmU 3fMAoJ7d9Pn2ox8WELsjylBOWBqe3eMn =69Oh -----END PGP SIGNATURE-----
--- End Message ---
