Re: Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks

[Breno Silva <breno.silva () gmail com>]

Good. Do you have any idea when it will be available for users ?

The guy who discovered it want to write a blog post with details. So i ask
him to wait at least when we have some packages backported.

Thanks

Breno


On Tue, Apr 9, 2013 at 10:41 AM, Athmane Madjoudj <athmanem () gmail com>wrote:

> On Tue, Apr 09, 2013 at 05:26:42AM -0400, Jan Lieskovsky wrote:
> > Hi Breno,
> >
> >   (Cc-ing Athmane on this due reasons which will get obvious below).
> >
> >   thank you for checking with us.
> >
> > AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have
> > just rebased to latest upstream 2.7.3 version. But you are truly
> > right (assuming this being the reason you are checking with us),
> > that on Fedora EPEL-5 we are shipping older (2.6.8 based version
> > of ModSecurity).
> >
> > FWIHL:
> >   [1] https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1
> <...snip...>
>
> Hi,
>
> I forgot to mention in bug report that an EPEL5 update which still uses
> 2.6.8 release (libxml2 in el5 is too old) is scheduled with backborted
> patch just like with CVE-2012-4528.
>
> Thanks.
>
> -- Athmane, Fedora / EPEL mod_security maintainer