Debian has issued an advisory on April 9: http://www.debian.org/security/2013/dsa-2659
They linked to the upstream commit, and backported it to 2.6.x: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625
Mageia 2 is also affected.
CC: (none) => guillomovitch, oe
I just submitted version 2.7.3, fixing this issue, in cauldron.
2.6.3-3.4 available in core/updates_testing for mageia2, with patch applied.
Status: NEW => ASSIGNED
Thanks Guillaume!

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially-crafted XML file provided by a remote attacker could lead to local file disclosure or excessive resources (CPU, memory) consumption when processed (CVE-2013-1915).

This update introduces a SecXmlExternalEntity option which is "Off" by default. This will disable the ability of libxml2 to load external entities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.4.mga2.i586.rpm
mlogc-2.6.3-3.4.mga2

from apache-mod_security-2.6.3-3.4.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Severity: normal => major
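The effect of the SecXmlExternalEntity setting, as an added example that is not ModSecurity's or the advisory's own code: a regression check using Python's standard-library expat-based xml.sax parser as a stand-in for libxml2 (an assumption, since ModSecurity itself parses with libxml2). It writes a constructed secret file, references it through an external entity declaration of the kind the advisory describes, and shows that the secret reaches the parsed output only when external entity loading is enabled, which is what "Off" prevents.

```python
"""Regression check for external-entity handling, in the spirit of
ModSecurity's SecXmlExternalEntity Off.  Uses Python's expat-based
xml.sax parser as a stand-in for libxml2 (assumption; not ModSecurity code)."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(xml.sax.ContentHandler):
    """Collects every piece of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, load_external_entities):
    """Parse xml_bytes and return its character data.
    load_external_entities=False is the analogue of SecXmlExternalEntity Off:
    external general entities are left unresolved instead of being fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, load_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def external_entity_leaks(load_external_entities):
    """Write a constructed secret file, reference it via an external entity,
    and report whether its content shows up in the parsed output.
    True means the parser setting under test is unsafe."""
    secret = "constructed-secret-token"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w", encoding="ascii") as f:
            f.write(secret)
        # Constructed document: an external entity declaration plus a
        # reference to it in the body, the pattern named in CVE-2013-1915.
        doc = ('<?xml version="1.0"?>'
               '<!DOCTYPE data [ <!ENTITY ext SYSTEM "%s"> ]>'
               '<data>&ext;</data>' % path).encode("ascii")
        return secret in parse_text(doc, load_external_entities)


if __name__ == "__main__":
    print("external entities loaded:", external_entity_leaks(True))   # True
    print("external entities off:   ", external_entity_leaks(False))  # False
```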
======================================================
Name: CVE-2013-1915
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130403 Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks
Reference: URL:http://www.openwall.com/lists/oss-security/2013/04/03/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=947842
Reference: CONFIRM:https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
Reference: CONFIRM:https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Reference: DEBIAN:DSA-2659
Reference: URL:http://www.debian.org/security/2013/dsa-2659
Reference: BID:58810
Reference: URL:http://www.securityfocus.com/bid/58810
Reference: SECUNIA:52847
Reference: URL:http://secunia.com/advisories/52847
Reference: SECUNIA:52977
Reference: URL:http://secunia.com/advisories/52977

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
Testing complete mga2 64

Not much information to be able to reproduce, so as with the previous modsecurity update, just checking it loads ok with:

# httpd -M 2>/dev/null | grep security
security_module (shared)
Whiteboard: (none) => has_procedure mga2-64-OK
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm apache-mod_security-2.6.3-3.4.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated apache-mod_security packages fix security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially-crafted XML file provided by a remote attacker could lead to local file disclosure or excessive resources (CPU, memory) consumption when processed (CVE-2013-1915).

This update introduces a SecXmlExternalEntity option which is "Off" by default. This will disable the ability of libxml2 to load external entities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659
https://bugs.mageia.org/show_bug.cgi?id=9704
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0129
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED