Date: Tue, 28 Sep 2010 17:28:44 -0400 (EDT)
From: "Steven M. Christey" <>
To: Josh Bressers <>
Subject: Re: CVE requests: POE::Component::IRC, Alien Arena,
 Babiloo, Typo3, abcm2ps, ModSecurity, Linux kernel

On Tue, 28 Sep 2010, Josh Bressers wrote:

>> 6. ModSecurity
>> There was already a CVE request by Jan Lieskovsky, but it doesn't seem
>> to have led to an ID assignment:
> This one is also too big for me to handle properly. Can MITRE take it?

This changelog is too vague to be certain which issues are really about 
"security" versus which ones are enhancements or feature additions.  So, 
I'll need some help here.

Here are ones that smell like security issues:

  * Fixed path normalization to better handle backreferences that extend
    above root directories.  Reported by Sogeti/ESEC R&D.

  * Fixed failure to match internally set TX variables with regex
    (TX:/.../) syntax.

  * Fixed failure to log full internal TX variable names and populate
    MATCHED_VAR* vars.

  * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.

Here are ones that *might* be security issues, but it's unclear:

  * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

  * Fixed SecUploadFileMode to set the correct mode.

  * Trim whitespace around phrases used with @pmFromFile and allow
    for both LF and CRLF terminated lines.

  * Allow for more robust parsing for multipart header folding.  Reported
    by Sogeti/ESEC R&D.

  * Reduced default PCRE match limits reducing impact of REDoS on poorly
    written regex rules.  Reported by Sogeti/ESEC R&D.

  * Do not escape quotes in macro resolution and only escape NUL in
    setenv values.

Here are ones that smell like "defense in depth" or "fixing non-security 
bug in security feature" or "addition of new 'signature' type" (thus no 

  * Added SecUploadFileLimit to limit the number of uploaded file parts
    that will be processed in a multipart POST.  The default is 100.

  * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion)
    to aide in REDoS type attacks.  A rule that goes over the limits will set
    TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major
    release of ModSecurity (2.6.x) will move these flags to a dedicated

  * Enabled PCRE "studying" by default.  This is now a configure-time

  * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

  * Fixed SecAction not working when CONNECT request method is used
    (MODSEC-110). [Ivan Ristic]

- Steve
