openSUSE-SU-2023:0269-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0269-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2023:0269-1
Related
Published
2023-09-25T22:01:56Z
Modified
2023-09-25T22:01:56Z
Summary
Security update for modsecurity
Details

This update for modsecurity fixes the following issues:

Update to version 3.0.10:

  • Security impacting issue (fix boo#1213702, CVE-2023-38285)

    • Fix: worst-case time in implementation of four transformations
    • Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
  • Enhancements and bug fixes

    • Add TX synonym for MSCPCRELIMITS_EXCEEDED
    • Make MULTIPARTPARTHEADERS accessible to lua
    • Fix: Lua scripts cannot read whole collection at once
    • Fix: quoted Include config with wildcard
    • Support isolated PCRE match limits
    • Fix: meta actions not applied if multiMatch in first rule of chain
    • Fix: audit log may omit tags when multiMatch
    • Exclude CRLF from MULTIPARTPARTHEADER value
    • Configure: use ASECHON instead echo -n
    • Adjust position of memset from 2890

Update to version 3.0.9:

  • Add some member variable inits in Transaction class (possible segfault)
  • Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  • Resolve memory leak on reload (bison-generated variable)
  • Support equals sign in XPath expressions
  • Encode two special chars in error.log output
  • Add JIT support for PCRE2
  • Support comments in ipMatchFromFile file via '#' token
  • Use name package name libmaxminddb with pkg-config
  • Fix: FILESTMPCONTENT collection key should use part name
  • Use ASHELPSTRING instead of obsolete ACHELPSTRING macro
  • During configure, do not check for pcre if pcre2 specified
  • Use pkg-config to find libxml2 first
  • Fix two rule-reload memory leak issues
  • Correct whitespace handling for Include directive
  • Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, boo#1210993

Update to version 3.0.8

  • Adjust parser activation rules in modsecurity.conf-recommended [#2796]
  • Multipart parsing fixes and new MULTIPARTPARTHEADERS collection [#2795]
  • Prevent LMDB related segfault [#2755, #2761]
  • Fix msctransactioncleanup function comment typo [#2788]
  • Fix: MULTIPARTINVALIDPART connected to wrong internal variable [#2785]
  • Restore Unique_id to include random portion after timestamp [#2752, #2758]

Update to version 3.0.7

  • Support PCRE2
  • Support SecRequestBodyNoFilesLimit
  • Add ctl:auditEngine action support
  • Move PCRE2 match block from member variable
  • Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  • Fix memory leak when concurrent log includes REMOTE_USER
  • Fix LMDB initialization issues
  • Fix initcol error message wording
  • Tolerate other parameters after boundary in multipart C-T
  • Add DebugLog message for bad pattern in rx operator
  • Fix misuses of LMDB API
  • Fix duplication typo in code comment
  • Fix multiMatch msg, etc, population in audit log
  • Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  • Adjust confusing variable name in setRequestBody method
  • Multipart names/filenames may include single quote if double-quote enclosed
  • Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

Update to version 3.0.6

  • Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717

Update to version 3.0.5

  • New: Having ARGS_NAMES, variables proxied
  • Fix: FILES variable does not use multipart part name for key
  • GeoIP: switch to GEOIPMEMORYCACHE from GEOIPINDEXCACHE
  • Support configurable limit on number of arguments processed
  • Adds support to lua 5.4
  • Add support for new operator rxGlobal
  • Fix: Replaces put with setenv in SetEnv action
  • Fix: Regex key selection should not be case-sensitive
  • Fix: Only delete Multipart tmp files after rules have run
  • Fixed MatchedVar on chained rules
  • Fix IP address logging in Section A
  • Fix: rx: exit after full match (remove /g emulation); ensure capture groups occuring after unused groups still populate TX vars
  • Fix rule-update-target for non-regex
  • Fix Security Impacting Issues:
  • Handle URI received with uri-fragment, CVE-2020-15598

Update to version 3.0.4:

  • Fix: audit log data omitted when nolog,auditlog
  • Fix: ModSecurity 3.x inspectFile operator does not pass
  • XML: Remove error messages from stderr
  • Filter comment or blank line for pmFromFile operator
  • Additional adjustment to Cookie header parsing
  • Restore chained rule part H logging to be more like 2.9 behaviour
  • Small fixes in log messages to help debugging the file upload
  • Fix Cookie header parsing issues
  • Fix rules with nolog are logging to part H
  • Fix argument key-value pair parsing cases
  • Fix: audit log part for response body for JSON format to be E
  • Make sure m_rulesMessages is filled after successfull match
  • Fix @pm lookup for possible matches on offset zero.
  • Regex lookup on the key name instead of COLLECTION:key
  • Missing throw in Operator::instantiate
  • Making block action execution dependent of the SecEngine status
  • Making block action execution dependent of the SecEngine status
  • Having body limits to respect the rule engine state
  • Fix SecRuleUpdateTargetById does not match regular expressions
  • Adds missing check for runtime ctl:ruleRemoveByTag
  • Adds a new operator verifySVNR that checks for Austrian social security numbers.
  • Fix variables output in debug logs
  • Correct typo validade in log output
  • fix/minor: Error encoding hexa decimal.
  • Limit more log variables to 200 characters.
  • parser: fix parsed file names
  • Allow empty anchored variable
  • Fixed FILES_NAMES collection after the end of multipart parsing
  • Fixed validateByteRange parsing method
  • Removes a memory leak on the JSON parser
  • Enables LMDB on the regression tests.
  • Fix: Extra whitespace in some configuration directives causing error
  • Refactoring on Regex and SMatch classes.
  • Fixed buffer overflow in Utils::Md5::hexdigest()
  • Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  • Adds initially support to the drop action.
  • Complete merging of particular rule properties
  • Replaces ACCHECKFILE with 'test -f'
  • Fix inet addr handling on 64 bit big endian systems
  • Fix tests on FreeBSD
  • Changes ENV test case to read the default MODSECURTIY env var
  • Regression: Sets MODSECURITY env var during the tests execution
  • Fix setenv action to strdup key=variable
  • Allow 0 length JSON requests.
  • Fix 'make dist' target to include default configuration
  • Replaced log locking using mutex with fcntl lock
  • Correct the usage of modsecurity::Phases::NUMBEROFPHASES
  • Adds support to multiple ranges in ctl:ruleRemoveById
  • Rule variable interpolation broken
  • Make the boundary check less strict as per RFC2046
  • Fix buffer size for utf8toUnicode transformation
  • Fix double macros bug
  • Override the default status code if not suitable to redirect action
  • parser: Fix the support for CRLF configuration files
  • Organizes the server logs
  • m_lineNumber in Rule not mapping with the correct line number in file
  • Using sharedptr instead of uniqueptr on rules exceptions
  • Changes debuglogs schema to avoid unecessary str allocation
  • Fix the SecUnicodeMapFile and SecUnicodeCodePage
  • Changes the timing to save the rule message
  • Fix crash in mscrulesadd_file() when using disruptive action in chain
  • Fix memory leak in AuditLog::init()
  • Fix RulesProperties::appendRules()
  • Fix RULE lookup in chained rules
  • @ipMatch 'Could not add entry' on slash/32 notation in 2.9.0
  • Using values after transformation at MATCHED_VARS
  • Adds support to UpdateActionById.
  • Add correct C function prototypes for mscinit and msccreateruleset
  • Allow LuaJIT 2.1 to be used
  • Match m_id JSON log with RuleMessage and v2 format
  • Adds support to setenv action.
  • Adds new transaction constructor that accepts the transaction id as parameter.
  • Adds request IDs and URIs to the debug log
  • Treating variables exception on load-time instead of run time.
  • Fix: function m.setvar in Lua scripts and add testcases
  • Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
  • Fix parser to support GeoLookup with MaxMind
  • parser: Fix simple quote setvar in the end of the line
  • modsecrulescheck: uses the gnu .la' instead of.a' file
  • good practices: Initialize variables before use it
  • Fix utf-8 character encoding conversion
  • Adds support for ctl:requestBodyProcessor=URLENCODED
  • Add LUA compatibility for CentOS and try to use LuaJIT first if available
  • Allow LuaJIT to be used
  • Implement support for Lua 5.1
  • Variable names must match fully, not partially. Match should be case insensitive.
  • Improves the performance while loading the rules
  • Allow empty strings to be evaluated by regex::searchAll
  • Adds basic pkg-config info
  • Fixed LMDB collection errors
  • Fixed false positive MULTIPARTUNMATCHEDBOUNDARY errors
  • Fix ip tree lookup on netmask content
  • Changes the behavior of the default sec actions
  • Refactoring on {global,ip,resources,session,tx,user} collections
  • Fix race condition in UniqueId::uniqueId()
  • Fix memory leak in error message for mscrulesmerge C APIs
  • Return false in SharedFiles::open() when an error happens
  • Use rvalue reference in ModSecurity::serverLog
  • Build System: Fix when multiple lines for curl version.
  • Checks if response body inspection is enabled before process it
  • Fix setvar parsing of quoted data
  • Adds time stamp back to the audit logs
  • Disables skip counter if debug log is disabled
  • Cosmetics: Represents amount of skipped rules without decimal
  • Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
  • Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
  • Fix memory leak in modsecurity::utils::expandEnv()
  • Initialize m_dtd member in ValidateDTD class as NULL
  • Fix broken @detectxss operator regression test case
  • Fix utils::string::ssplit() to handle delimiter in the end of string
  • Fix variable FILES_TMPNAMES
  • Fix memory leak in Collections
  • Fix lib version information while generating the .so file
  • Adds support for ctl:ruleRemoveByTag
  • Fix SecUploadDir configuration merge
  • Include all prerequisites for 'make check' into dist archive
  • Fix: Reverse logic of checking output in @inspectFile
  • Adds support to libMaxMind
  • Adds capture action to detectXSS
  • Temporarily accept invalid MULTIPARTSEMICOLONMISSING operator
  • Adds capture action to detectSQLi
  • Adds capture action to rbl
  • Adds capture action to verifyCC
  • Adds capture action to verifySSN
  • Adds capture action to verifyCPF
  • Prettier error messages for unsupported configurations (UX)
  • Add missing verify* transformation statements to parser
  • Fix a set of compilation warnings
  • Check for disruptive action on SecDefaultAction.
  • Fix block-block infinite loop.
  • Correction removebytag and removebymsg logic.
  • Fix LMDB compile error
  • Fix mscwhoam_i() to return pointer to a valid C string
  • Added some cosmetics to autoconf related code
  • Fix 'make dist' target to include necessary headers for Lua
  • Fix 'include /foo/*.conf' for single matched object in directory
  • Add missing Base64 transformation statements to parser
  • Fixed resource load on ip match from file
  • Fixed examples compilation while using disable-shared
  • Fixed compilation issue while xml is disabled
  • Having LDADD and LDFLAGS organized on Makefile.am
  • Checking std::deque size before use it
  • perf improvement: Added the concept of RunTimeString and removed all run time parser.
  • perf improvement: Checks debuglog level before format debug msg
  • perf. improvement/rx: Only compute dynamic regex in case of macro
  • Fix uri on the benchmark utility
  • disable Lua on systems with liblua5.1
References

Affected packages

SUSE:Package Hub 15 SP4 / modsecurity

Package

Name
modsecurity
Purl
pkg:rpm/suse/modsecurity&distro=SUSE%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.10-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libmodsecurity3": "3.0.10-bp154.2.3.1",
            "libmodsecurity3-32bit": "3.0.10-bp154.2.3.1",
            "modsecurity-devel": "3.0.10-bp154.2.3.1",
            "libmodsecurity3-64bit": "3.0.10-bp154.2.3.1",
            "modsecurity": "3.0.10-bp154.2.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / modsecurity

Package

Name
modsecurity
Purl
pkg:rpm/opensuse/modsecurity&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.10-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libmodsecurity3": "3.0.10-bp154.2.3.1",
            "libmodsecurity3-32bit": "3.0.10-bp154.2.3.1",
            "modsecurity-devel": "3.0.10-bp154.2.3.1",
            "libmodsecurity3-64bit": "3.0.10-bp154.2.3.1",
            "modsecurity": "3.0.10-bp154.2.3.1"
        }
    ]
}