Hi Alberto, Unfortunately I dont know what's the SPU. And as I know there is no DSA, just a bug id.
a. 2025. május 23., péntek dátummal Alberto Gonzalez Iniesta <a...@inittab.org> ezt írta: > Hi! > > Should the fixed packages for bullseye and bookworm target (O)SPU or > will a DSA be issued and the packages uploaded to s.d.o? > > Thanks, > > Alberto > > On Thu, May 22, 2025 at 05:35:50PM +0200, Moritz Mühlenhoff wrote: > > Source: modsecurity-apache > > X-Debbugs-CC: t...@security.debian.org > > Severity: grave > > Tags: security > > > > Hi, > > > > The following vulnerability was published for modsecurity-apache. > > > > CVE-2025-47947[0]: > > | ModSecurity is an open source, cross platform web application > > | firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and > > | including 2.9.8 are vulnerable to denial of service in one special > > | case (in stable released versions): when the payload's content type > > | is `application/json`, and there is at least one rule which does a > > | `sanitiseMatchedBytes` action. A patch is available at pull request > > | 3389 and expected to be part of version 2.9.9. No known workarounds > > | are available. > > > > https://github.com/owasp-modsecurity/ModSecurity/ > security/advisories/GHSA-859r-vvv8-rm8r > > > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] https://security-tracker.debian.org/tracker/CVE-2025-47947 > > https://www.cve.org/CVERecord?id=CVE-2025-47947 > > > > Please adjust the affected versions in the BTS as needed. > > -- > Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico > a...@inittab.org | en GNU/Linux y software libre > Encrypted mail preferred | http://inittab.org > > Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 > >
