Debian Bug report logs - #678529
[CVE-2012-2751] mod_security multi-part bypass

Package: libapache-mod-security; Maintainer for libapache-mod-security is Alberto Gonzalez Iniesta <>; Source for libapache-mod-security is src:modsecurity-apache.

Reported by: Luciano Bello <>

Date: Fri, 22 Jun 2012 13:27:08 UTC

Severity: grave

Tags: patch, security

Fixed in version libapache-mod-security/2.5.12-1+squeeze1

Done: Alberto Gonzalez Iniesta <>

Bug is archived. No further changes may be made.

Report forwarded to, Alberto Gonzalez Iniesta <>:
Bug#678529; Package libapache-mod-security. (Fri, 22 Jun 2012 13:27:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <>. (Fri, 22 Jun 2012 13:27:13 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Luciano Bello <>
Subject: [CVE-2012-2751] mod_security multi-part bypass
Date: Fri, 22 Jun 2012 15:23:10 +0200
Package: libapache-mod-security
Severity: grave
Tags: security patch

The following vulnerability had been reported against mod-security:

The patch can be found in the report.

Please use CVE-2012-2751 for this issue.


Reply sent to Henri Salo <>:
You have taken responsibility. (Wed, 04 Jul 2012 13:24:07 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <>:
Bug acknowledged by developer. (Wed, 04 Jul 2012 13:24:08 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Henri Salo <>
Subject: closing fixed bug
Date: Wed, 4 Jul 2012 15:15:45 +0300

seems to fix this issue.

- Henri Salo

Reply sent to Alberto Gonzalez Iniesta <>:
You have taken responsibility. (Fri, 06 Jul 2012 22:21:12 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <>:
Bug acknowledged by developer. (Fri, 06 Jul 2012 22:21:12 GMT) Full text and rfc822 format available.

Message #15 received at (full text, mbox):

From: Alberto Gonzalez Iniesta <>
Subject: Bug#678529: fixed in libapache-mod-security 2.5.12-1+squeeze1
Date: Fri, 06 Jul 2012 22:17:26 +0000
Source: libapache-mod-security
Source-Version: 2.5.12-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-security, which is due to be installed in the Debian FTP archive:

  to main/liba/libapache-mod-security/libapache-mod-security_2.5.12-1+squeeze1.debian.tar.gz
  to main/liba/libapache-mod-security/libapache-mod-security_2.5.12-1+squeeze1.dsc
  to main/liba/libapache-mod-security/libapache-mod-security_2.5.12-1+squeeze1_i386.deb
  to main/liba/libapache-mod-security/mod-security-common_2.5.12-1+squeeze1_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Alberto Gonzalez Iniesta <> (supplier of updated libapache-mod-security package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.8
Date: Mon, 02 Jul 2012 14:47:33 +0000
Source: libapache-mod-security
Binary: libapache-mod-security mod-security-common
Architecture: source all i386
Version: 2.5.12-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <>
Changed-By: Alberto Gonzalez Iniesta <>
 libapache-mod-security - Tighten web applications security for Apache
 mod-security-common - Tighten web applications security - common files
Closes: 678529
 libapache-mod-security (2.5.12-1+squeeze1) stable-security; urgency=high
   * CVE-2012-2751: Fix multi-part bypass due to wrong quoting.
     Applied backported patch from 2.6.6. (Closes: #678529)

Bug archived. Request was from Debbugs Internal Request <> to (Sun, 30 Sep 2012 07:27:50 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <>. Last modified: Thu Apr 17 13:33:09 2014; Machine Name: