Your message dated Wed, 11 Jun 2025 18:47:11 +0000
with message-id <e1upqtf-002k32...@fasolo.debian.org>
and subject line Bug#1106286: fixed in modsecurity-apache 2.9.7-1+deb12u1
has caused the Debian Bug report #1106286,
regarding modsecurity-apache: CVE-2025-47947
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1106286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: modsecurity-apache
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for modsecurity-apache.

CVE-2025-47947[0]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and
| including 2.9.8 are vulnerable to denial of service in one special
| case (in stable released versions): when the payload's content type
| is `application/json`, and there is at least one rule which does a
| `sanitiseMatchedBytes` action. A patch is available at pull request
| 3389 and expected to be part of version 2.9.9. No known workarounds
| are available.

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47947
    https://www.cve.org/CVERecord?id=CVE-2025-47947

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: modsecurity-apache
Source-Version: 2.9.7-1+deb12u1
Done: Ervin Hegedüs <airw...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
modsecurity-apache, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ervin Hegedüs <airw...@gmail.com> (supplier of updated modsecurity-apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Jun 2025 14:03:05 +0200
Source: modsecurity-apache
Architecture: source
Version: 2.9.7-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <a...@inittab.org>
Changed-By: Ervin Hegedüs <airw...@gmail.com>
Closes: 1106286 1107196
Changes:
 modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium
 .
   * Fix CVE-2025-47947: Added d/patches/cve-2025-47947.patch
     (Closes: #1106286)
   * Fix CVE-2025-48866: Added d/patches/cve-2025-48866.patch
     (Closes: #1107196)


--- End Message ---