
Debian alert DLA-4265-1 (modsecurity-crs)

From:  Adrian Bunk <bunk@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4265-1] modsecurity-crs security update
Date:  Sat, 09 Aug 2025 00:00:00 +0300
Message-ID:  <aJZlUKmBiiGaKMeA@localhost>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4265-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
August 08, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : modsecurity-crs
Version        : 3.3.4-1~deb11u1
CVE ID         : CVE-2020-22669 CVE-2022-39955 CVE-2022-39956 CVE-2022-39957
                 CVE-2022-39958
Debian Bug     : 1021137

Multiple issues have been fixed in modsecurity-crs, a set of generic
attack detection rules for use with ModSecurity.

CVE-2020-22669

    SQL injection bypass

CVE-2022-39955

    Partial rule set bypass

CVE-2022-39956

    Partial rule set bypass

CVE-2022-39957

    Response body bypass

CVE-2022-39958

    Response body bypass

For Debian 11 bullseye, these problems have been fixed in version
3.3.4-1~deb11u1.

We recommend that you upgrade your modsecurity-crs packages.

For the detailed security status of modsecurity-crs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-crs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



