Nom du paquet
apache-mod_security
Date
2012-12-23
Advisory ID
MDVSA-2012:182
Affected versions
2011 i586 , 2011 x86_64

Problem description

Multiple vulnerabilities has been discovered and corrected in
apache-mod_security:

ModSecurity before 2.6.6, when used with PHP, does not properly handle
single quotes not at the beginning of a request parameter value in
the Content-Disposition field of a request with a multipart/form-data
Content-Type header, which allows remote attackers to bypass filtering
rules and perform other attacks such as cross-site scripting (XSS)
attacks. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2009-5031 (CVE-2012-2751).

ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part
ruleset bypass, this was fixed in 2.7.0 (released on2012-10-16)
(CVE-2012-4528).

The updated packages have been patched to correct these issues.

Updated packages

2011 i586

 97ce3bb44e48983170bd6f112a578c3c  2011/i586/apache-mod_security-2.6.1-1.1-mdv2011.0.i586.rpm
 044aa147cd2c9b4989f47a74d04f3a62  2011/i586/mlogc-2.6.1-1.1-mdv2011.0.i586.rpm 
 4657a73f501344810c72d76c58532190  2011/SRPMS/apache-mod_security-2.6.1-1.1.src.rpm

2011 x86_64

 d5e55155f32a9118977a96ea86efe1cf  2011/x86_64/apache-mod_security-2.6.1-1.1-mdv2011.0.x86_64.rpm
 61d99efd771a68bb801b602294ce6efb  2011/x86_64/mlogc-2.6.1-1.1-mdv2011.0.x86_64.rpm 
 4657a73f501344810c72d76c58532190  2011/SRPMS/apache-mod_security-2.6.1-1.1.src.rpm

References