- update mod_security to version 2.7.4

10 May 2013 - 2.7.4
-------------------

Improvements:

* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in the community who helped the project by testing, sending feedback and patches.

Bug Fixes:

* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed possible SDBM deadlock condition.
* Fixed possible @rsub memory leak.
* Fixed REMOTE_ADDR content so it will receive the client ip address when mod_remoteip.c is present.
* Fixed NGINX Audit engine in Concurrent mode overwriting existing alert files because of an issue with UNIQUE_ID.
* Fixed CPU 100% issue in NGINX port. This is also related to a memory leak when loading response body.

Security Issues:

* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and an unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts; however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).

POC for CVE-2013-2765: https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py
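A simplified C model of the crash path described in the CVE-2013-2765 entry above, added here as an example; it is not ModSecurity's source and not part of the PR. It stands in for msr->msc_reqbody_chunks staying NULL when a request's Content-Type has no body processor mapped, and places the unchecked dereference beside a guarded version. The struct layouts, the set of mapped Content-Types and all helper names are assumptions of the model.

```c
/* Simplified model of the CVE-2013-2765 crash path (assumption: not ModSecurity's code). */
#include <stddef.h>
#include <string.h>

/* Stand-ins for APR's array header and ModSecurity's per-request record. */
typedef struct { int nelts; char **elts; } apr_array_header_t;
typedef struct {
    const char *content_type;
    apr_array_header_t *msc_reqbody_chunks; /* stays NULL when no body processor ran */
} modsec_rec;

/* Content-Types this model maps to a request body processor (assumption). */
static int has_body_processor(const char *ct) {
    return ct && (strncmp(ct, "application/x-www-form-urlencoded", 33) == 0 ||
                  strncmp(ct, "multipart/form-data", 19) == 0 ||
                  strncmp(ct, "text/xml", 8) == 0);
}

/* Request record after body processing: chunks exist only for a mapped type. */
static modsec_rec make_request(const char *ct, apr_array_header_t *buffered) {
    modsec_rec msr = { ct, has_body_processor(ct) ? buffered : NULL };
    return msr;
}

/* Pre-2.7.4 pattern: reaches into the chunk list without checking it.
 * With an unmapped Content-Type this is the remote NULL dereference. */
static int count_chunks_unchecked(const modsec_rec *msr) {
    return msr->msc_reqbody_chunks->nelts;
}

/* Hardened pattern: report "no buffered body" (-1) instead of dereferencing. */
static int count_chunks_checked(const modsec_rec *msr) {
    if (msr->msc_reqbody_chunks == NULL) return -1;
    return msr->msc_reqbody_chunks->nelts;
}

/* forceRequestBodyVariable as modelled: rebuilds REQUEST_BODY from the chunks. */
static int force_request_body_variable(const modsec_rec *msr, int hardened) {
    return hardened ? count_chunks_checked(msr) : count_chunks_unchecked(msr);
}

/* Constructed sample body: two buffered chunks of a form-encoded request. */
static char *two_chunks[] = { "a=1", "b=2" };
static apr_array_header_t buffered = { 2, two_chunks };

int demo_mapped_content_type(void) {      /* returns 2: chunk list is present */
    modsec_rec msr = make_request("application/x-www-form-urlencoded", &buffered);
    return force_request_body_variable(&msr, 1);
}
int demo_unmapped_content_type(void) {    /* returns -1 instead of crashing */
    modsec_rec msr = make_request("application/json", &buffered);
    return force_request_body_variable(&msr, 1);
}
```

Calling the unchecked variant for the unmapped case reproduces the crash the changelog describes, which is why only the hardened path is exercised by the demo functions.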
Responsible Changed From-To: freebsd-ports-bugs->araujo Over to maintainer (via the GNATS Auto Assign Tool)
Author: araujo Date: Mon Jun 3 06:51:43 2013 New Revision: 319757 URL: http://svnweb.freebsd.org/changeset/ports/319757 Log: - Update to 2.7.4. More info: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES PR: ports/179167 Submitted by: ohauer@ Security: 9dfb63b8-8f36-11e2-b34d-000c2957946c Modified: head/security/vuxml/vuln.xml head/www/mod_security/Makefile head/www/mod_security/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Jun 3 06:47:55 2013 (r319756) +++ head/security/vuxml/vuln.xml Mon Jun 3 06:51:43 2013 (r319757) 
@@ -51,6 +51,35 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="9dfb63b8-8f36-11e2-b34d-000c2957946c"> + <topic>www/mod_security -- NULL pointer dereference DoS</topic> + <affects> + <package> + <name>mod_security</name> + <range><lt>2.7.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SecurityFocus reports:</p> + <blockquote cite="http://www.securityfocus.com/archive/1/526746"> + <p>When ModSecurity receives a request body with a size bigger than the + value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" + that has no request body processor mapped to it, ModSecurity will + systematically crash on every call to "forceRequestBodyVariable".</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-2765</cvename> + <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765</url> + </references> + <dates> + <discovery>2013-05-27</discovery> + <entry>2013-06-03</entry> + </dates> + </vuln> + <vuln vid="1225549f-ca91-11e2-b3b8-f0def16c5c1b"> <topic>passenger -- security vulnerability</topic> <affects> Modified: head/www/mod_security/Makefile ============================================================================== --- head/www/mod_security/Makefile Mon Jun 3 06:47:55 2013 (r319756) +++ head/www/mod_security/Makefile Mon Jun 3 06:51:43 2013 (r319757) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= mod_security -PORTVERSION= 2.7.3 +PORTVERSION= 2.7.4 CATEGORIES= www security MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/ PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX} Modified: head/www/mod_security/distinfo ============================================================================== --- head/www/mod_security/distinfo Mon Jun 3 06:47:55 2013 (r319756) +++ head/www/mod_security/distinfo Mon Jun 3 06:51:43 2013 (r319757) 
@@ -1,2 +1,2 @@ -SHA256 (modsecurity-apache_2.7.3.tar.gz) = fa5b0a2fabe9cd6c7b35ae09a433a60da183b2cabcf26479ec40fc4a419693e4 -SIZE (modsecurity-apache_2.7.3.tar.gz) = 981947 +SHA256 (modsecurity-apache_2.7.4.tar.gz) = 605d6f1b03e648001ef1c7db7b18d51c01edd443b57cbbd4e298770ffdcd0eb9 +SIZE (modsecurity-apache_2.7.4.tar.gz) = 1014983
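Review bot: the affects range in the vuln.xml hunk, `<range><lt>2.7.3</lt></range>`, excludes the very version this commit replaces: the Makefile hunk moves PORTVERSION from 2.7.3 to 2.7.4, and the CHANGES excerpt in the PR lists CVE-2013-2765 as fixed in 2.7.4, so 2.7.3 is affected yet would not be flagged by the entry. Suggest `<range><lt>2.7.4</lt></range>` so the VuXML entry matches the version bump.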
State Changed From-To: open->closed Committed. Thanks!