Home page logo

oss-sec logo oss-sec mailing list archives

Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks
From: Athmane Madjoudj <athmanem () gmail com>
Date: Tue, 9 Apr 2013 14:41:26 +0100

On Tue, Apr 09, 2013 at 05:26:42AM -0400, Jan Lieskovsky wrote:
Hi Breno,

  (Cc-ing Athmane on this due reasons which will get obvious below).

  thank you for checking with us.

AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have
just rebased to latest upstream 2.7.3 version. But you are truly
right (assuming this being the reason you are checking with us),
that on Fedora EPEL-5 we are shipping older (2.6.8 based version
of ModSecurity).

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1



I forgot to mention in bug report that an EPEL5 update which still uses 2.6.8 release (libxml2 in el5 is too old) is 
scheduled with backborted patch just like with CVE-2012-4528.


-- Athmane, Fedora / EPEL mod_security maintainer

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]