Bug 34362 - apache-mod_security new security issues CVE-2025-47947 and CVE-2025-48866
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Reported: 2025-06-10 09:53 CEST by Nicolas Salguero
Modified: 2025-06-25 07:32 CEST
Source RPM: apache-mod_security-2.9.7-1.mga9.src.rpm
CVE: CVE-2025-47947, CVE-2025-48866

Nicolas Salguero 2025-06-10 09:54:13 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => apache-mod_security-2.9.7-2.mga10.src.rpm, apache-mod_security-2.9.7-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 2.9.10 and patches available from upstream and Debian
CVE: (none) => CVE-2025-47947, CVE-2025-48866

Comment 1 Lewis Smith 2025-06-16 21:21:37 CEST
Thanks for the patch refs.

Assigning globally, no one packager evident.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-06-17 17:16:14 CEST
Ubuntu has issued an advisory on June 16:
https://ubuntu.com/security/notices/USN-7567-1

Comment 3 Nicolas Salguero 2025-06-23 15:53:12 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

ModSecurity Has Possible DoS Vulnerability. (CVE-2025-47947)

ModSecurity has possible DoS vulnerability in sanitiseArg action. (CVE-2025-48866)

References:
https://lists.debian.org/debian-security-announce/2025/msg00104.html
https://ubuntu.com/security/notices/USN-7567-1
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.9.7-1.1.mga9
mlogc-2.9.7-1.1.mga9

from SRPM:
apache-mod_security-2.9.7-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: apache-mod_security-2.9.7-2.mga10.src.rpm, apache-mod_security-2.9.7-1.mga9.src.rpm => apache-mod_security-2.9.7-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.9.10 and patches available from upstream and Debian => (none)

katnatek 2025-06-23 19:22:12 CEST

Keywords: (none) => advisory

Comment 4 Herman Viaene 2025-06-24 10:53:57 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 31457 for test
# httpd -M 2>/dev/null |grep security
 security2_module (shared)
Test is OK, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-06-25 00:56:17 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2025-06-25 07:32:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0192.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
