|
|
Log in / Subscribe / Register

Debian alert DSA-6105-1 (modsecurity-crs)



From:
              Moritz Muehlenhoff <jmm@debian.org>


To:
              debian-security-announce@lists.debian.org


Subject:
              [SECURITY] [DSA 6105-1] modsecurity-crs security update


Date:
              Wed, 21 Jan 2026 21:51:20 +0000


Message-ID:
              <aXFKWGIhkhXlwJAS@seger.debian.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6105-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 21, 2026                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : modsecurity-crs
CVE ID         : CVE-2026-21876

It was discovered that one of the rules in the OWASP ModSecurity Core
Rule Set parsed some multipart requests incorrectly.

For the oldstable distribution (bookworm), this problem has been fixed
in version 3.3.4-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 3.3.7-1+deb13u1.

We recommend that you upgrade your modsecurity-crs packages.

For the detailed security status of modsecurity-crs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-crs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmlxSdsACgkQEMKTtsN8
TjZzkhAAurudVyRF56Mqp8jq8oLnm3Y46feMo4BzHl/fkFR14yC/z6BxSSMh5b35
9u28q/64FUvooO/S0yklJvAex1V2blg22VjodGhVqMc2Dp6B/HIeQOSIAbh9TG3d
fagaaNLAo3KmKteGSdJf5CES2eyoLD+zAwA5VLKW4NGCJVnhhz2aqSv1pWGod2zU
hgKHg6NzPZQVO0sk08m3EhCBfn3iuzAc2NeEjEKbChV2B6kEGnfViR8UNwnnb7aw
tSX6ZQDiISUmBloMjdBrCcxbQ1TxD5OY23ed3EM+nbpm7cQ+6mM+oNZnSTXyZeWe
OCogDYqstyKlLMkwJsQTleO1oJAlmt0vYMEECVZz6EZsHDJHCk7zMVOKMYE8gxX/
JLJn7Gfrka+QYqZAC6289CPKAZ1VXDEvz1E5/EInNlMVgqFvuJf5tYnMzKjJdI1r
JhWPuUiwyLNFZ30qXs/xqfb6A16w9VgGrUgxaNOoH8gLWCGfEchhbO3x7VkyKNgd
lM182vZTNxyofmovraSH7nlZYq5CJJeF7eQC23V6YAprQLpt0/+BV7hd2i6a5eF3
6lbib/Vnz43r7fEDsbW1Sey/hFhyyI6TsQt0aMShtt/i8TiY0wzYvlBpCnpHi25m
yARQHfh66lCY/umcBV7f3z3i0rklxjuJuR6tYf0UKSxFTRbD0B8=
=G7EX
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds