Hi Salvatore,

On Tue, Feb 25, 2025 at 10:29:40PM +0100, Salvatore Bonaccorso wrote:
> Source: modsecurity
> Version: 3.0.13-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for modsecurity.
>
> CVE-2025-27110[0]:
> | Libmodsecurity is one component of the ModSecurity v3 project. The
> | library codebase serves as an interface to ModSecurity Connectors
> | taking in web traffic and applying traditional ModSecurity
> | processing. A bug that exists only in Libmodsecurity3 version 3.0.13
> | means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML
> | entities if they contain leading zeroes. Version 3.0.14 contains a
> | fix. No known workarounds are available.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

thanks - yes, the updated version is in Salsa, the d/changelog contains the CVE id:

https://salsa.debian.org/modsecurity-packaging-team/modsecurity/-/blob/master/debian/changelog?ref_type=heads#L8

Package upload coming soon.

Thanks,
a.