Message-ID: <20130409134125.GA1834@gmail.com>
Date: Tue, 9 Apr 2013 14:41:26 +0100
From: Athmane Madjoudj <athmanem@...il.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: Breno Silva <breno.silva@...il.com>, "Steven M. Christey" <coley@...us.mitre.org>, oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks

On Tue, Apr 09, 2013 at 05:26:42AM -0400, Jan Lieskovsky wrote:
> Hi Breno,
>
> (Cc-ing Athmane on this due reasons which will get obvious below).
>
> thank you for checking with us.
>
> AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have
> just rebased to latest upstream 2.7.3 version. But you are truly
> right (assuming this being the reason you are checking with us),
> that on Fedora EPEL-5 we are shipping older (2.6.8 based version
> of ModSecurity).
>
> FWIHL:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1
> <...snip...>

Hi,

I forgot to mention in bug report that an EPEL5 update which still uses 2.6.8 release (libxml2 in el5 is too old) is scheduled with backported patch just like with CVE-2012-4528.

Thanks.

--
Athmane, Fedora / EPEL mod_security maintainer