Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 1 Jun 2013 08:44:51 GMT
From:      Olli Hauer <ohauer@FreeBSD.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        araujo@FreeBSD.org
Subject:   ports/179167: [patch] www/mod_security update to 2.7.4 (CVE-2013-2765)
Message-ID:  <201306010844.r518ip1U093478@freefall.freebsd.org>
Resent-Message-ID: <201306010850.r518o0LO093684@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         179167
>Category:       ports
>Synopsis:       [patch] www/mod_security update to 2.7.4 (CVE-2013-2765)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 01 08:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Olli Hauer
>Release:        FreeBSD 8.3-RELEASE-p3 amd64
>Organization:
>Environment:


>Description:
- update mod_security to version 2.7.4

10 May 2013 - 2.7.4
-------------------
Improvements:
    * Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
    * Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
    * NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.

Bug Fixes:
    * Fixed SecRulePerfTime storing unnecessary rules performance times.
    * Fixed Possible SDBM deadlock condition.
    * Fixed Possible @rsub memory leak.
    * Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
    * Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
    * Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.

Security Issues:
    * Fixed Remote Null Pointer DeReference (CVE-2013-2765). WhenÂ| forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
      mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).



POC for CVE-2013-2765:
 https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py

>How-To-Repeat:

>Fix:

--- mod_security.diff begins here ---
Index: mod_security/Makefile
===================================================================
--- mod_security/Makefile	(revision 319557)
+++ mod_security/Makefile	(working copy)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	mod_security
-PORTVERSION=	2.7.3
+PORTVERSION=	2.7.4
 CATEGORIES=	www security
 MASTER_SITES=	http://www.modsecurity.org/tarball/${PORTVERSION}/
 PKGNAMEPREFIX=	${APACHE_PKGNAMEPREFIX}
Index: mod_security/distinfo
===================================================================
--- mod_security/distinfo	(revision 319557)
+++ mod_security/distinfo	(working copy)
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4
-SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947
+SHA256 (modsecurity-apache_2.7.4.tar.gz) = 605d6f1b03e648001ef1c7db7b18d51c01edd443b57cbbd4e298770ffdcd0eb9
+SIZE (modsecurity-apache_2.7.4.tar.gz) = 1014983
--- mod_security.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306010844.r518ip1U093478>