Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231728 mfleming+rpm(a)enlartenment.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From mfleming+rpm(a)enlartenment.com 2007-03-10 18:36 EST ------- Thanks for the reminder Ville. Ivan (Ristic, ModSecurity author) hasn't released an update for the 1.9.x branch as yet to fix this, but does have a rule for 2.x and up that mitigates the issue pending a full release of 2.1.1 (and I would assume a 1.9.5 version) SecRule REQUEST_BODY "@validateByteRange 1-255" \ "log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt' I'm going to run up a local package of ModSecurity 2.1.0 (+Core Rules and the above as a "local" rule) this morning and try this on my own site (www.enlartenment.com) prior to adding it to Extras (should it work out OK). I've been meaning to update the version for a while but time constraints got the better of me. Be warned however that the configuration and rule syntax has changed since 1.9.x (admins are going to have to make some manual changes if they've got local additions) but on the upside it's 200% faster and the rule syntax allows for more flexibility. If there's any objections by all means let me know and I'll hold off until a proper 1.9.x fix is available. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231728 ------- Additional Comments From ville.skytta(a)iki.fi 2007-03-11 06:24 EST ------- If the rules from 1.9.x are not usable with 2.1.0 as is, they should be marked as %config, not %config(noreplace). And reverted back to %config(noreplace) later in the future where it is no longer expected that people will not be upgrading from 1.9.x to the current version at that time, but rather from a version whose config syntax is compatible. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1359: mod_security <= 2.1.0 request rule bypass https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231728 mfleming+rpm(a)enlartenment.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From mfleming+rpm(a)enlartenment.com 2007-04-02 06:38 EST ------- No problems or complaints in -devel, been running fine on my FC6 box. Ergo 2.1.0-3 has been rolled out to FC5 and FC6. Interestingly, Ivan did put out a patch for 1.9.4 - but only for the Apache 1.3.x DSO :-( -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.