oss-security September 2010 archive

Re: [oss-security] CVE requests: POE::Component::IRC, Alien Arena, Babiloo, Typo3, abcm2ps, ModSecurity, Linux kernel

From: Steven M. Christey <coley_at_nospam>
Date: Tue Sep 28 2010 - 21:28:44 GMT
To: Josh Bressers <bressers@redhat.com>

On Tue, 28 Sep 2010, Josh Bressers wrote:

>> 6. ModSecurity
>> There was already a CVE request by Jan Lieskovsky, but it doesn't
>> seem to have led to an ID assignment:
>> http://www.openwall.com/lists/oss-security/2010/02/10/2
>>
>
> This one is also too big for me to handle properly. Can MITRE take it?

This changelog is too vague to be certain which issues are really about
"security" versus which ones are enhancements or feature additions. So,
I'll need some help here.

Here are ones that smell like security issues:

  * Fixed path normalization to better handle backreferences that extend
    above root directories. Reported by Sogeti/ESEC R&D.

  * Fixed failure to match internally set TX variables with regex
    (TX:/.../) syntax.

  * Fixed failure to log full internal TX variable names and populate
    MATCHED_VAR* vars.

  * Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.

Here are ones that *might* be security issues, but it's unclear:

  * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

  * Fixed SecUploadFileMode to set the correct mode.

  * Trim whitespace around phrases used with @pmFromFile and allow
    for both LF and CRLF terminated lines.

  * Allow for more robust parsing for multipart header folding. Reported
    by Sogeti/ESEC R&D.

  * Reduced default PCRE match limits reducing impact of REDoS on poorly
    written regex rules. Reported by Sogeti/ESEC R&D.

  * Do not escape quotes in macro resolution and only escape NUL in
    setenv values.

Here are ones that smell like "defense in depth" or "fixing non-security
bug in security feature" or "addition of new 'signature' type" (thus no
CVE):

  * Added SecUploadFileLimit to limit the number of uploaded file parts
    that will be processed in a multipart POST. The default is 100.

  * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion)
    to aid in REDoS type attacks. A rule that goes over the limits will set
    TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major
    release of ModSecurity (2.6.x) will move these flags to a dedicated
    collection.

  * Enabled PCRE "studying" by default. This is now a configure-time
    option.

  * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

  * Fixed SecAction not working when CONNECT request method is used
    (MODSEC-110). [Ivan Ristic]

- Steve
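The first item Steve lists, "fixed path normalization to better handle backreferences that extend above root directories", is the kind of bug that is easy to get subtly wrong: a normaliser that drops a ".." once the stack is empty loses the fact that the request tried to climb above "/", and a WAF rule that matches on the normalised form never sees it. The following is an added illustration written for this archive page; it is not ModSecurity's own normaliser and not code from the message. It assumes the path has already been percent-decoded, and the names `normalize_path` and `check` are hypothetical. The function clamps at the root but returns how many ".." segments tried to go above it, so the caller can log or match on that count instead of silently discarding it.

```c
#include <stdio.h>
#include <string.h>

/* Collapse repeated "/", "." and ".." segments of an already percent-decoded
 * URI path into out[], which is always rooted at "/".  A ".." that has no
 * segment left to remove is clamped at "/" and counted instead of being
 * silently discarded, so the return value tells the caller how many times
 * the path tried to climb above the root (-1 if out is too small).
 * Hypothetical helper for illustration, not ModSecurity's normaliser. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t olen = 0;      /* bytes written so far */
    int above_root = 0;   /* ".." segments that extended above "/" */
    const char *p = in;

    if (outlen < 2)
        return -1;
    out[olen++] = '/';

    while (*p != '\0') {
        while (*p == '/')           /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;

        const char *seg = p;        /* current segment, not NUL-terminated */
        while (*p != '\0' && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;               /* "." is a no-op */

        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen <= 1) {
                above_root++;       /* nothing to pop: clamp at "/" and record it */
            } else {
                /* rewind over the last segment and the '/' before it,
                 * never past the root '/' at out[0] */
                while (olen > 1 && out[olen - 1] != '/')
                    olen--;
                if (olen > 1)
                    olen--;
            }
            continue;
        }

        /* ordinary segment: "/" + seg, except directly after the root */
        size_t need = seglen + (olen > 1 ? 1 : 0);
        if (olen + need + 1 > outlen)
            return -1;
        if (olen > 1)
            out[olen++] = '/';
        memcpy(out + olen, seg, seglen);
        olen += seglen;
    }
    out[olen] = '\0';
    return above_root;
}

/* Returns 1 when normalising `in` yields `expect` with exactly `expect_above`
 * above-root ".." segments, 0 otherwise. */
int check(const char *in, const char *expect, int expect_above)
{
    char buf[256];
    int n = normalize_path(in, buf, sizeof buf);
    return n == expect_above && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* constructed sample paths; expected results are in the comments */
    const char *samples[] = {
        "/a/b/../c",          /* -> /a/c, above_root=0 */
        "/../../etc/passwd",  /* -> /etc/passwd, above_root=2 */
        "/a/../../b",         /* -> /b, above_root=1 */
        "//a//./b/",          /* -> /a/b, above_root=0 */
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = normalize_path(samples[i], buf, sizeof buf);
        printf("%-22s -> %-14s above_root=%d\n", samples[i], buf, n);
    }
    return 0;
}
```

Two caveats a practitioner would check in a real deployment: decoding order matters (a "%2e%2e" that is decoded after normalisation is never seen as ".."), and the trailing slash is dropped here, which is fine for matching but should not be used to reconstruct a filesystem path.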