Hi, Salvatore. I just uploaded modsecurity-apache_2.9.7-1+deb12u1 to security-master with the CVE number fixed.
Regards, Alberto On Thu, May 29, 2025 at 09:52:12AM +0200, Salvatore Bonaccorso wrote: > Hi Alberto, > > On Wed, May 28, 2025 at 01:01:20PM +0200, Alberto Gonzalez Iniesta wrote: > > Hmmmmmm, now attached. Sorry for the noise. > > > > > > On Tue, May 27, 2025 at 10:51:56PM +0200, Alberto Gonzalez Iniesta wrote: > > > Hi, all. > > > > > > I just requested the unblock for trixie. > > > > > > Please find attached the debdiffs for both bullseye-security and > > > bookworm-security. I'll wait for the OK to upload them. > [...] > > diff -Nru modsecurity-apache-2.9.7/debian/changelog > > modsecurity-apache-2.9.7/debian/changelog > > --- modsecurity-apache-2.9.7/debian/changelog 2023-01-23 > > 11:39:50.000000000 +0100 > > +++ modsecurity-apache-2.9.7/debian/changelog 2025-05-23 > > 14:55:57.000000000 +0200 > > @@ -1,3 +1,10 @@ > > +modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium > > + > > + * Fix CVE-2025-47497: Added d/patches/cve-2025-47497.patch > > + (Closes: #1106286) > > This should be CVE-2025-47947 (and for the patch referenced). > > > + -- Ervin Hegedüs <airw...@gmail.com> Fri, 23 May 2025 14:55:57 +0200 > > + > > modsecurity-apache (2.9.7-1) unstable; urgency=medium > > > > * New upstream version 2.9.7 > > diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > > modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > > --- modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > > 1970-01-01 01:00:00.000000000 +0100 > > +++ modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > > 2025-05-23 14:55:57.000000000 +0200 > > @@ -0,0 +1,48 @@ > > +Description: Patch for CVE-2025-47947 > > +Author: Ervin Hegedüs <airw...@gmail.com> > > +Last-Update: 2025-05-23 > > +--- > > +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ > > +--- a/apache2/modsecurity.h > > ++++ b/apache2/modsecurity.h > > +@@ -694,6 +694,7 @@ > > + unsigned int value_origin_offset; > > + unsigned int value_origin_len; > > + const char *origin; > > ++ unsigned int marked_for_sanitization; > > + }; > > + > > + struct msc_string { > > +--- a/apache2/msc_json.c > > ++++ b/apache2/msc_json.c > > +@@ -67,6 +67,7 @@ > > + return 0; > > + } > > + > > ++ arg->marked_for_sanitization = 0; > > + apr_table_addn(msr->arguments, > > + log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) > > arg); > > + > > +--- a/apache2/msc_parsers.c > > ++++ b/apache2/msc_parsers.c > > +@@ -340,6 +340,7 @@ > > + */ > > + void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg) > > + { > > ++ arg->marked_for_sanitization = 0; > > + if (msr->txcfg->debuglog_level >= 5) { > > + msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value > > \"%s\"", > > + arg->origin, log_escape_ex(msr->mp, arg->name, > > arg->name_len), > > +--- a/apache2/re_actions.c > > ++++ b/apache2/re_actions.c > > +@@ -1413,8 +1413,9 @@ > > + telts = (const apr_table_entry_t*)tarr->elts; > > + for (i = 0; i < tarr->nelts; i++) { > > + msc_arg *arg = (msc_arg *)telts[i].val; > > +- if (strcasecmp(sargname, arg->name) == 0) { > > ++ if (arg->marked_for_sanitization == 0 && > > strcasecmp(sargname, arg->name) == 0) { > > + apr_table_addn(msr->arguments_to_sanitize, arg->name, > > (void *)arg); > > ++ arg->marked_for_sanitization = 1; > > + } > > + } > > + break; > > diff -Nru modsecurity-apache-2.9.7/debian/patches/series > > modsecurity-apache-2.9.7/debian/patches/series > > --- modsecurity-apache-2.9.7/debian/patches/series 2023-01-23 > > 11:39:50.000000000 +0100 > > +++ modsecurity-apache-2.9.7/debian/patches/series 2025-05-23 > > 14:55:57.000000000 +0200 > > @@ -1,2 +1,3 @@ > > debian_log_dir.patch > > improve_defaults.patch > > +cve-2025-47947.patch > > Other than the above the debdiff looks good to me. > > With the above fixed feel free to upload for bookworm-security (will > defer the ack for LTS to the LTS team). > > Make sure to build with -sa as the source is new to security-master. > > Regards, > Salvatore -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred | http://inittab.org Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
