Hi! Should the fixed packages for bullseye and bookworm target (O)SPU or will a DSA be issued and the packages uploaded to s.d.o?
Thanks, Alberto On Thu, May 22, 2025 at 05:35:50PM +0200, Moritz Mühlenhoff wrote: > Source: modsecurity-apache > X-Debbugs-CC: t...@security.debian.org > Severity: grave > Tags: security > > Hi, > > The following vulnerability was published for modsecurity-apache. > > CVE-2025-47947[0]: > | ModSecurity is an open source, cross platform web application > | firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and > | including 2.9.8 are vulnerable to denial of service in one special > | case (in stable released versions): when the payload's content type > | is `application/json`, and there is at least one rule which does a > | `sanitiseMatchedBytes` action. A patch is available at pull request > | 3389 and expected to be part of version 2.9.9. No known workarounds > | are available. > > https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2025-47947 > https://www.cve.org/CVERecord?id=CVE-2025-47947 > > Please adjust the affected versions in the BTS as needed. -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred | http://inittab.org Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
