• Bug#1098910: modsecurity: CVE-2025-27110

    From Salvatore Bonaccorso@21:1/5 to All on Tue Feb 25 22:40:02 2025
    Source: modsecurity
    Version: 3.0.13-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for modsecurity.

    CVE-2025-27110[0]:
    | Libmodsecurity is one component of the ModSecurity v3 project. The
    | library codebase serves as an interface to ModSecurity Connectors
    | taking in web traffic and applying traditional ModSecurity
    | processing. A bug that exists only in Libmodsecurity3 version 3.0.13
    | means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML
    | entities if they contain leading zeroes. Version 3.0.14 contains a
    | fix. No known workarounds are available.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-27110
    https://www.cve.org/CVERecord?id=CVE-2025-27110
    [1] https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-42w7-rmv5-4x2j
    [2] https://github.com/owasp-modsecurity/ModSecurity/issues/3340
    [3] https://github.com/owasp-modsecurity/ModSecurity/commit/c82e831b6640836eeef6f5418c8482063814dc34

    Regards,
    Salvatore
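    The CVE text above describes a decoder that misses numeric HTML character references written with leading zeroes. As an added illustration (not ModSecurity's code, and not the upstream fix), here is a small decoder for decimal and hex numeric references that accepts leading zeroes, with a regression check of the kind a WAF maintainer would keep: every spelling of the same character must normalise to the same byte, otherwise rule matching on the decoded form silently diverges. The decoder and its 0..255 code point limit are this example's own simplifications.

```cpp
#include <string>
#include <cstdlib>
#include <cctype>

// Decode "&#NNN;" (decimal) and "&#xHHH;" (hex) numeric references.
// Leading zeroes ("&#0060;", "&#x0003C;") are accepted. For brevity this
// example only emits code points 1..255 as a single byte; anything else,
// and anything that does not parse as a full reference, is copied through.
std::string decodeNumericEntities(const std::string &in) {
    std::string out;
    size_t i = 0;
    while (i < in.size()) {
        if (in[i] != '&' || i + 2 >= in.size() || in[i + 1] != '#') {
            out += in[i++];
            continue;
        }
        size_t j = i + 2;
        bool hex = (in[j] == 'x' || in[j] == 'X');
        if (hex) ++j;
        size_t start = j;
        while (j < in.size() &&
               (hex ? std::isxdigit(static_cast<unsigned char>(in[j]))
                    : std::isdigit(static_cast<unsigned char>(in[j])))) {
            ++j;
        }
        // Need at least one digit and a terminating ';' to treat it as a reference.
        if (j == start || j >= in.size() || in[j] != ';') {
            out += in[i++];
            continue;
        }
        // strtoul ignores the leading zeroes, which is exactly the case at issue.
        unsigned long cp = std::strtoul(in.substr(start, j - start).c_str(),
                                        nullptr, hex ? 16 : 10);
        if (cp == 0 || cp > 255) {
            out += in[i++];   // outside this example's scope: pass through
            continue;
        }
        out += static_cast<char>(cp);
        i = j + 1;
    }
    return out;
}

// Regression check: each spelling of '<' below must decode to the same byte.
bool leadingZeroRegressionPasses() {
    const char *variants[] = {"&#60;", "&#060;", "&#0060;",
                              "&#x3c;", "&#x03C;", "&#x0003c;"};
    for (const char *v : variants) {
        if (decodeNumericEntities(v) != "<") return false;
    }
    return true;
}
```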

  • From Debian Bug Tracking System@21:1/5 to All on Tue Mar 4 12:40:01 2025

    Your message dated Tue, 4 Mar 2025 12:24:11 +0100
    with message-id <Z8bi25BJgYo1SjcS@var.inittab.org>
    and subject line Fixed upstream in 3.0.14-1
    has caused the Debian Bug report #1098910,
    regarding modsecurity: CVE-2025-27110
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1098910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098910
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
