Date: Sat, 1 Jun 2013 08:44:51 GMT From: Olli Hauer <ohauer@FreeBSD.org> To: FreeBSD-gnats-submit@freebsd.org Cc: araujo@FreeBSD.org Subject: ports/179167: [patch] www/mod_security update to 2.7.4 (CVE-2013-2765) Message-ID: <201306010844.r518ip1U093478@freefall.freebsd.org> Resent-Message-ID: <201306010850.r518o0LO093684@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 179167
>Category: ports
>Synopsis: [patch] www/mod_security update to 2.7.4 (CVE-2013-2765)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 01 08:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Olli Hauer
>Release: FreeBSD 8.3-RELEASE-p3 amd64
>Organization:
>Environment:
>Description:
- update mod_security to version 2.7.4
10 May 2013 - 2.7.4
-------------------
Improvements:
* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
Bug Fixes:
* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed Possible SDBM deadlock condition.
* Fixed Possible @rsub memory leak.
* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
* Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
* Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.
Security Issues:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). WhenÂ| forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
POC for CVE-2013-2765:
https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py
>How-To-Repeat:
>Fix:
--- mod_security.diff begins here ---
Index: mod_security/Makefile
===================================================================
--- mod_security/Makefile (revision 319557)
+++ mod_security/Makefile (working copy)
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= mod_security
-PORTVERSION= 2.7.3
+PORTVERSION= 2.7.4
CATEGORIES= www security
MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/
PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
Index: mod_security/distinfo
===================================================================
--- mod_security/distinfo (revision 319557)
+++ mod_security/distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4
-SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947
+SHA256 (modsecurity-apache_2.7.4.tar.gz) = 605d6f1b03e648001ef1c7db7b18d51c01edd443b57cbbd4e298770ffdcd0eb9
+SIZE (modsecurity-apache_2.7.4.tar.gz) = 1014983
--- mod_security.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306010844.r518ip1U093478>