Package name
apache-mod_security
Date
2012-07-27
Advisory ID
MDVSA-2012:118
Affected versions
MES5 i586, MES5 x86_64

Problem description

A vulnerability has been discovered and corrected in
apache-mod_security:

ModSecurity before 2.6.6, when used with PHP, does not properly handle
single quotes not at the beginning of a request parameter value in
the Content-Disposition field of a request with a multipart/form-data
Content-Type header, which allows remote attackers to bypass filtering
rules and perform other attacks such as cross-site scripting (XSS)
attacks. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2009-5031 (CVE-2012-2751).

The updated packages have been patched to correct this issue.
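A defensive check for the condition described above, as an added example that is not part of the advisory and is neither ModSecurity's nor PHP's parser: it walks a multipart/form-data body and reports every Content-Disposition parameter whose value contains a single quote after its first character. The function name, the boundary and the sample body are constructed for illustration.

```python
import re

# One ";key=value" parameter of a Content-Disposition header. The value is
# either a double-quoted string or a run of characters up to the next ';'.
_PARAM = re.compile(r';\s*([A-Za-z0-9_*-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def find_quoted_params(body: bytes, boundary: str):
    """Return (part_index, param, value) for every Content-Disposition
    parameter whose value has a single quote after its first character.
    Assumes CRLF line endings and unfolded part headers."""
    findings = []
    delimiter = b"--" + boundary.encode("ascii")
    # Element 0 of the split is the preamble, so it is skipped.
    for index, part in enumerate(body.split(delimiter)[1:]):
        if part.startswith(b"--"):
            break  # closing "--boundary--" delimiter reached
        header_block = part.removeprefix(b"\r\n").split(b"\r\n\r\n", 1)[0]
        for line in header_block.split(b"\r\n"):
            name, _, rest = line.decode("latin-1").partition(":")
            if name.strip().lower() != "content-disposition":
                continue
            for key, raw in _PARAM.findall(rest):
                value = raw.strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]  # drop the surrounding double quotes
                if "'" in value[1:]:
                    findings.append((index, key.lower(), value))
    return findings


# Constructed sample request body (boundary "XBOUNDARY"), not from the advisory.
SAMPLE_BODY = (
    b"--XBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="title"\r\n\r\n'
    b"hello\r\n"
    b"--XBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="it\'s.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"data\r\n"
    b"--XBOUNDARY--\r\n"
)

if __name__ == "__main__":
    for hit in find_quoted_params(SAMPLE_BODY, "XBOUNDARY"):
        print("single quote in Content-Disposition parameter:", hit)
```

Legitimate uploads whose filenames contain an apostrophe are reported too, so a hit is a signal for review on unpatched hosts rather than proof of an attack.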

Updated packages

MES5 i586

 15fc765819256beb59fab655435c3c41  mes5/i586/apache-mod_security-2.5.12-0.2mdvmes5.2.i586.rpm
 11d11e591262ae7c94e9f9ec8f90f8e0  mes5/i586/mlogc-2.5.12-0.2mdvmes5.2.i586.rpm 
 9d82f904a46d3fc3632f1f607f5b5666  mes5/SRPMS/apache-mod_security-2.5.12-0.2mdvmes5.2.src.rpm

MES5 x86_64

 aefd91215b689b38dd39ec85f87e7bec  mes5/x86_64/apache-mod_security-2.5.12-0.2mdvmes5.2.x86_64.rpm
 b42be92e1ff9f9a8a6df7b59f986a071  mes5/x86_64/mlogc-2.5.12-0.2mdvmes5.2.x86_64.rpm 
 9d82f904a46d3fc3632f1f607f5b5666  mes5/SRPMS/apache-mod_security-2.5.12-0.2mdvmes5.2.src.rpm

References