CVE-2023-28882: Announcing ModSecurity version 3.0.9

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.


We are announcing the release of ModSecurity version 3.0.9 (libModSecurity). This version contains a mixture of enhancements and bug fixes.

Security issue

  • Add some member variable inits in Transaction class (possible segfault)
    [Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]

In some configurations with certain inputs, this bug could result in a segfault and a resultant crash of a worker process. A large volume of such requests sent very quickly could lead to the server becoming slow or unresponsive to legitimate requests. This item has been assigned CVE-2023-28882.

Enhancements and bug fixes

  • Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
    [Issue #2877, #2890 - @tomsommer, @martinhsv]
  • Resolve memory leak on reload (bison-generated variable)
    [Issue #2876 - @martinhsv]
  • Support equals sign in XPath expressions
    [Issue #2328 - @dennus, @martinhsv]
  • Encode two special chars in error.log output
    [Issue #2854 - @airween, @martinhsv]
  • Add JIT support for PCRE2
    [Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv]
  • Support comments in ipMatchFromFile file via ‘#’ token
    [Issue #2554 - @tomsommer, @martinhsv]
  • Use package name libmaxminddb with pkg-config
    [Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout]
  • Fix: FILES_TMP_CONTENT collection key should use part name
    [Issue #2831 - @airween]
  • Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
    [Issue #2806 - @hughmcmaster]
  • During configure, do not check for pcre if pcre2 specified
    [Issue #2750 - @dvershinin, @martinhsv]
  • Use pkg-config to find libxml2 first
    [Issue #2714 - @hughmcmaster]
  • Fix two rule-reload memory leak issues
    [Issue #2801 - @Abce, @martinhsv]
  • Correct whitespace handling for Include directive
    [Issue #2800 - @877509395, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.
