|
Message-ID: <508054F3.6010306@redhat.com> Date: Thu, 18 Oct 2012 13:13:55 -0600 From: Kurt Seifried <kseifried@...hat.com> To: Breno Silva <breno.silva@...il.com> CC: Jan Lieskovsky <jlieskov@...hat.com>, oss-security@...ts.openwall.com, Matthias Weckbecker <mweckbecker@...e.de>, security@...security.org Subject: Re: CVE request: Fwd: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/18/2012 06:41 AM, Breno Silva wrote: > Hello Jan, > > Yes i can confirm the issue and the patch. > > Thanks > > Breno > > On Thu, Oct 18, 2012 at 3:58 AM, Jan Lieskovsky > <jlieskov@...hat.com <mailto:jlieskov@...hat.com>> wrote: > > Hi Kurt, Breno, > > ----- Original Message ----- -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 10/17/2012 02:47 AM, Matthias Weckbecker wrote: >> Hi Steve, Kurt, vendors, >> >> this flaw looks slightly different from the last one and >> apparently has not got a CVE yet. >> >> ---------- Forwarded Message ---------- >> >> Subject: [Full-disclosure] SEC Consult SA-20121017-0 :: >> ModSecurity multipart/invalid part ruleset bypass Date: >> Wednesday 17 October 2012 From: SEC Consult Vulnerability Lab >> <research@...-consult.com <mailto:research@...-consult.com>> To: > full-disclosure@...ts.grok.org.uk > <mailto:full-disclosure@...ts.grok.org.uk>, >> bugtraq@...urityfocus.com <mailto:bugtraq@...urityfocus.com> >> >> SEC Consult Vulnerability Lab Security Advisory < 20121017-0 > >> > ======================================================================= > > > >> >> >> title: ModSecurity multipart/invalid part ruleset bypass product: >> ModSecurity vulnerable version: <= 2.6.8 fixed version: 2.7.0 CVE >> number: - impact: Depends what you use it for homepage: >> http://www.modsecurity.org/ found: 2012-10-12 by: Bernhard >> Mueller SEC Consult Vulnerability Lab >> https://www.sec-consult.com >> > ======================================================================= > > > >> Looking >> >> >> through >> >> > https://www.modsecurity.org/tracker/secure/ReleaseNote.jspa?projectId=10000&version=10100 > > > >> Is this https://www.modsecurity.org/tracker/browse/MODSEC-155 > > I am not sure this is related since it is closed with resolution > 'Cannot Reproduce'. Yeah I was thinking they might have buried it, never thought to check the source changelog (assumed the online one was sufficient. sigh). > > Based on Changes: [1] > http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES > > I would say this is: "* Added MULTIPART_INVALID_PART flag. Also > used in rule id 200002 for multipart strict" > > with relevant upstream commit being: [2] > http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081 > > but Cc-in Breno Silva to definitely confirm this yet. > > Breno, could you please confirm / disprove that the patch [2] is > upstream patch for issue: [3] > http://www.openwall.com/lists/oss-security/2012/10/17/1 ? > > And if it's not the correct one, provide an explicit revision link > to the proper one? > > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat > Security Response Team Please use CVE-2012-4528 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQgFTzAAoJEBYNRVNeJnmTzK8QALJx/zc849kCqf+hFnkLL9kz oiYQvwRLtNHw3ygEGCsl/VP87ixW+8n1DxQSuL/a3U0jY+4D6woujoJ6S2w0Hreh 7boe+m9AdhrakrsuXZTOSmKZePDuO5xQM3Q+oo2/5z3u8JnPgm1gEB07pzSxfFDa +nKcaioisXy/VCc9TFtleiie47t2i9ypgajNSNOFjCn3WL3UmO9SBWRveAW+0BAU XmQuKnH/ZTa5xMRdnu/RvT9uQtMjrwDY/sl7snBGTOVsZ+xHcJ4a4gEJllqPvjHk NJVNrz5wEXsvfrJt20TW9tP/d1yHfHFinM0KxYswP1GmZ2qhYc2dOqTUFDQunUAo RsWzp32Bs11o3eiK5v7RFct7mA/SYCjzaj6AfJi07XgY98xRc3ov22PkuTtQ8Sq3 cLM1xeLj89eyBZp5rGrgfj/dtCeuASmWvZDPE4JAz+fKDv5jwXp0cn7JzqYXf+mN YjszGPX94oDKiih76aylMcp50hYbsdWPaKK/L1tpEV+nzTRLVMFIJ+jgaY/jhBJH m48sKMPh3F1WE7DdtWYcGD3xLYlk1QjYP1DmkcO9YEH4TT2+qqnkyMBayMCY8Roa w8dIu6Az/yQQUevmYaJu2+o6v1dUmyBKknWrV6iyA7zqV6YVCXmvQZX9HBkSV84H bPGFFZBbfOsFX1FGfXNm =yVSP -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.