Debian Bug report logs - #678529
[CVE-2012-2751] mod_security multi-part bypass


Package: libapache-mod-security; Maintainer for libapache-mod-security is Alberto Gonzalez Iniesta <agi@inittab.org>; Source for libapache-mod-security is src:modsecurity-apache.

Reported by: Luciano Bello <luciano@debian.org>

Date: Fri, 22 Jun 2012 13:27:08 UTC

Severity: grave

Tags: patch, security

Fixed in version libapache-mod-security/2.5.12-1+squeeze1

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#678529; Package libapache-mod-security. (Fri, 22 Jun 2012 13:27:12 GMT)

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Fri, 22 Jun 2012 13:27:13 GMT)

Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: [CVE-2012-2751] mod_security multi-part bypass
Date: Fri, 22 Jun 2012 15:23:10 +0200
Package: libapache-mod-security
Severity: grave
Tags: security patch

The following vulnerability had been reported against mod-security: 
http://www.openwall.com/lists/oss-security/2012/06/22/1

The patch can be found in the report.

Please use CVE-2012-2751 for this issue.

Cheers,
luciano




Reply sent to Henri Salo <henri@nerv.fi>:
You have taken responsibility. (Wed, 04 Jul 2012 13:24:07 GMT)

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 04 Jul 2012 13:24:08 GMT)

Message #10 received at 678529-done@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 678529-done@bugs.debian.org
Subject: closing fixed bug
Date: Wed, 4 Jul 2012 15:15:45 +0300

http://www.debian.org/security/2012/dsa-2506 seems to fix this issue.

- Henri Salo




Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Fri, 06 Jul 2012 22:21:12 GMT)

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Fri, 06 Jul 2012 22:21:12 GMT)

Message #15 received at 678529-close@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 678529-close@bugs.debian.org
Subject: Bug#678529: fixed in libapache-mod-security 2.5.12-1+squeeze1
Date: Fri, 06 Jul 2012 22:17:26 +0000
Source: libapache-mod-security
Source-Version: 2.5.12-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-security, which is due to be installed in the Debian FTP archive:

libapache-mod-security_2.5.12-1+squeeze1.debian.tar.gz
  to main/liba/libapache-mod-security/libapache-mod-security_2.5.12-1+squeeze1.debian.tar.gz
libapache-mod-security_2.5.12-1+squeeze1.dsc
  to main/liba/libapache-mod-security/libapache-mod-security_2.5.12-1+squeeze1.dsc
libapache-mod-security_2.5.12-1+squeeze1_i386.deb
  to main/liba/libapache-mod-security/libapache-mod-security_2.5.12-1+squeeze1_i386.deb
mod-security-common_2.5.12-1+squeeze1_all.deb
  to main/liba/libapache-mod-security/mod-security-common_2.5.12-1+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678529@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated libapache-mod-security package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 02 Jul 2012 14:47:33 +0000
Source: libapache-mod-security
Binary: libapache-mod-security mod-security-common
Architecture: source all i386
Version: 2.5.12-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 libapache-mod-security - Tighten web applications security for Apache
 mod-security-common - Tighten web applications security - common files
Closes: 678529
Changes: 
 libapache-mod-security (2.5.12-1+squeeze1) stable-security; urgency=high
 .
   * CVE-2012-2751: Fix multi-part bypass due to wrong quoting.
     Applied backported patch from 2.6.6. (Closes: #678529)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:27:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:33:09 2014; Machine Name: beach.debian.org
