oss-sec mailing list archives
Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks
From: Breno Silva <breno.silva () gmail com>
Date: Tue, 9 Apr 2013 10:43:48 -0300
Good. Do you have any idea when it will be available for users? The guy who discovered it wants to write a blog post with details. So I asked him to wait at least until we have some packages backported.

Thanks

Breno

On Tue, Apr 9, 2013 at 10:41 AM, Athmane Madjoudj <athmanem () gmail com> wrote:

> On Tue, Apr 09, 2013 at 05:26:42AM -0400, Jan Lieskovsky wrote:
> > Hi Breno,
> >
> > (Cc-ing Athmane on this due to reasons which will get obvious below).
> >
> > Thank you for checking with us. AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have just rebased to latest upstream 2.7.3 version. But you are truly right (assuming this being the reason you are checking with us), that on Fedora EPEL-5 we are shipping an older (2.6.8 based) version of ModSecurity. FWIHL:
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1
>
> <...snip...>
>
> Hi,
>
> I forgot to mention in the bug report that an EPEL5 update which still uses the 2.6.8 release (libxml2 in el5 is too old) is scheduled with a backported patch, just like with CVE-2012-4528.
>
> Thanks.
>
> --
> Athmane, Fedora / EPEL mod_security maintainer